
What Is the Difference Between uuid4 and secrets.token_bytes in Python?

Checked the CPython source code for both secrets and uuid4. Both seem to be using os.urandom. #uuid.py def uuid4(): '''Generate a random UUID.''' return UUID(bytes=os.uran

Solution 1:

You might be surprised to learn that random UUIDs are not fully random. To be precise, there are 6 bits set to specific values (to indicate that it is a random UUID). They are created to be unique (with a high amount of certainty). UUIDs have a specific purpose, so you'll find all kinds of methods defined on them.

Furthermore, as the name suggests, they are not meant to be secrets. That may also mean that possible protection measures that apply for secrets are not taken. For instance, strings are usually easy to find in memory, and UUIDs are often used/communicated in a textual representation.

A token is something different. It is usually encrypted and kept secret. As such, it serves a different purpose. Of course, both UUIDs and tokens can consist of random bits and bytes. However, this is more about using the right tool for the job.

If you are creating a secret key rather than a token or UUID, I'd prefer an API-specific method for generating the keys. Otherwise it might be a good idea to use SystemRandom directly, because a key is neither a UUID nor a Token.
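
The six fixed bits mentioned in the answer can be observed directly by sampling both generators and recording which of the 128 bit positions never change. This is an added example, not part of the original answer; the helper names (`fixed_bit_mask`, `describe`) and the sample count `N` are choices made here.

```python
import secrets
import uuid

ALL_ONES = (1 << 128) - 1
N = 2000  # samples; a truly random bit stays constant over N draws with p = 2**-(N-1)


def fixed_bit_mask(samples):
    """Return (mask, value) for 16-byte samples.

    mask  has a 1 at every bit position that was identical in all samples.
    value has a 1 at every position that was always 1.
    """
    always_one = ALL_ONES
    always_zero = ALL_ONES
    for s in samples:
        n = int.from_bytes(s, "big")
        always_one &= n
        always_zero &= ~n & ALL_ONES
    return always_one | always_zero, always_one


def describe(mask):
    """List the set bit positions, counting the most significant bit as 0."""
    return [i for i in range(128) if (mask >> (127 - i)) & 1]


def uuid4_fixed_bits():
    return fixed_bit_mask(uuid.uuid4().bytes for _ in range(N))


def token_fixed_bits():
    return fixed_bit_mask(secrets.token_bytes(16) for _ in range(N))


if __name__ == "__main__":
    mask, value = uuid4_fixed_bits()
    print("uuid4 fixed positions:", describe(mask))    # version nibble + variant bits
    print("uuid4 bits fixed to 1:", describe(value))
    print("uuid4 random bits    :", 128 - len(describe(mask)))
    mask, _ = token_fixed_bits()
    print("token_bytes(16) fixed:", describe(mask))
    print("token_bytes(16) random bits:", 128 - len(describe(mask)))
```

Both generators draw from the OS CSPRNG, so the practical difference is 122 versus 128 unpredictable bits for the same 16 bytes, plus the format and handling conventions the answer describes.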

