UUID Killed REST

ํ”„๋กœํ•„
Cliche

2025-04-21

460 โ€ข 0

๐Ÿค– "From a practical standpoint..." โ€” A small question that turned into a whole thing

I was implementing a coding test assignment using an in-memory approach.
The goal was to satisfy the requirements first and then ask myself,
โ€œIf I were building this for real, how would I design it?โ€

There was no FastAPI, no SQLAlchemy, no database.
Just pure Python logic.
And naturally, I was assigning primary keys like this: customer_id_seq += 1,
mimicking auto-increment behavior.

Then GPT dropped this on me:

๐Ÿค– From a practical standpoint:
โ€ƒโ€ƒโ€ข Real-world services often use UUIDs
โ€ƒโ€ƒโ€ข Or ULID/Snowflake IDs for time-sortable uniqueness
โ€ƒโ€ƒโ€ข Using incrementing integers like this is a typical in-memory simulation pattern

The part about "mimicking" didnโ€™t bother me. It was true.
If I were building this in production, Iโ€™d use MySQL and AUTO_INCREMENT.
So yes โ€” itโ€™s mimicry. No argument there.

But what stuck with me was the next part:

โ€œIn real services, UUIDs are commonly usedโ€ฆโ€

Are they really?
Why? For security? For structure?
And more importantlyโ€ฆ
Is putting a UUID directly in a URI ever really a beautiful design?

That question was the beginning.
From that moment, I began facing the concept of UUID head-on.

Is UUID security?

Letโ€™s start there.
A lot of people say they use UUIDs for โ€œsecurity.โ€
Instead of predictable paths like /users/42, they go with something like:

/users/8c12e401-ef14-4ea4-86cd-349fc00c672b/profile
โ€” because itโ€™s โ€œhard to guess.โ€

But hereโ€™s what I believe:

Security in your URIs should come from authorization, not obfuscation.

What if someone brute-forces a real UUID?
And what if that request goes through without authentication?

Then the problem isnโ€™t the UUID.
Itโ€™s your security model.

A UUID isnโ€™t protection.
Itโ€™s just a name tag thatโ€™s harder to guess.

UUIDs are not beautiful in URIs

Whenever I see a UUID in a URI, this is what goes through my mind:

โ€œAh shitโ€ฆ here we go againโ€ฆโ€

RESTful URIs are meant to be readable by humans.
Something like /users/42/profile has structure, clarity, and meaning.
(My blog isnโ€™t even RESTful yet โ€” it's still https://cliche.life/profile/cliche โ€”
but the point is: the structure is human-readable.)

Now compare that to this:

/users/8c12e401-ef14-4ea4-86cd-349fc00c672b/profile
It looks like a pile of machine vomit.

No readability.
No sorting.
No predictability.
Just chaos.

Youโ€™ve seen those links, right?
The ones your friend DMs you that are so long, you need to hit โ€œSee Moreโ€ to even unfold the full URL.

Let me give you an example:

Yodobashi URL

Strictly speaking, this isnโ€™t a UUID.
Itโ€™s a mess of UTM params, tracking tags, and product data.
But from the perspective of โ€œhuman-unreadable design,โ€
itโ€™s exactly the same.

Once again โ€” my apologies to Yodobashi.

RESTโ€™s original philosophy was about expressing resource structure through URIs.
UUIDs cut right through that.

REST is dead.
What remains is just a random-token-flavored RPC.

So... are UUIDs garbage?

No. Absolutely not.

UUIDs are useful.
Especially in distributed systems, offline ID generation, or client-side uniqueness.
I respect all that.

But what I am saying is this:

Donโ€™t use UUIDs for security.
Donโ€™t make UUIDs the face of your architecture.
And most of all โ€”
UUIDs are not RESTful.

URIs should be readable by humans.
Thatโ€™s what REST was about โ€” and what brought me to this work in the first place.

If I can't understand a structure, it has no value to me

This isnโ€™t just a UUID rant.
Itโ€™s a statement about how I approach technology.

I hate unnecessary complexity.
If I built the system, I need to be able to understand the structure.

Thatโ€™s the foundation of design.
And the beginning of ownership.

These days, people build apps with no-code tools,
deploy with a single click,
and talk about monetizing before they even write a function.

But I always come back to this:

โ€œIf I canโ€™t understand the system, itโ€™s not mine.โ€

Itโ€™s a rental structure.
And Iโ€™m just a user who canโ€™t change a single line of it.

Conclusion

UUIDs are not security.
URIs should be readable.

I still use profile/{username} โ€”
because that structure is mine.
It makes sense to me.
Itโ€™s human. Itโ€™s elegant.

RESTful? Sure, I like it.
But itโ€™s a means, not a religion.

In the end, design is only beautiful when it works.

So I cleaned up my RESTful endpoints and HTTP methods,
only to realize that HTML forms donโ€™t even support DELETE or PATCH.

If RESTful is the ideal,
then Swagger is my day-to-day reality โ€”
one test at a time, one click at a time.

Yes, I wish my URIs could be beautiful.
But what matters most is this:

I need to understand the URI I create.

Thatโ€™s my philosophy.
And itโ€™s still breathing today โ€” in profile/{username}.

#UUID #RESTful #๊ฐœ๋ฐœ ์ฒ ํ•™

Comments 0

Login required to write comments

General Login Kakao Kakao Google Google Naver Naver