[kevincox]

You don't need to worry about a collision in a UUIDv4 that you created on your server. But I have seen a surprising number of applications that took a UUID generated client side and basically upserted it. Allowing taking over resources who's ID was known via the insert API (even if the update API has proper access control).

[groestl]

> UUID generated client side and basically upserted it

Read and take notes. This is crazy in untrusted environments.

[kevincox]

Generating IDs on the client can be very useful for offline-first systems. But you need to check for conflicts and permissions on the server (or be sure to keep the IDs secret which I wouldn't recommend).

[groestl]

Agreed, but in that case "upsert" is also weird, since I'd structure such a system around an immutable log datastructure.