So far I see these options (pseudo code):
A. Quite simple MD5 hash:
$identifier = MD5(object.id + created_at + app_secret)
=> 4c0dc8d3fdffacb65d04911291aac4cf
B. UUID:
$identifier = uuid()
=> fbcf6520-ab93-11e8-86b4-080027b55b5e
But which UUID version makes the most sense? I lean toward v4.
C. I'd like to have a prefix for those IDs, so I immediately know what kind of object is meant, e.g. in the logs or in a support request.
$identifier = 'trx_' + uuid()
=> trx_fbcf6520-ab93-11e8-86b4-080027b55b5e
But is this a nice style? I could store without prefix but expose with prefix and allow requests with or without it.
What's your best practice?
It shouldn't really matter. If I used UUID-like identifiers, I do think I would slightly prefer the UUID format because it signals to a user of an API 'This is a UUID'.
It's possible that there are some small benefits for a user, because if I see a UUID, I know I can store it in a database as a 128-bit integer instead of a string.
One thing to look out for though is security. Your first example uses the word secret, which might tell me that these IDs should not be guessable. UUIDs are guessable and not cryptographically secure.
That being said, MD5 is insecure too, so in that case both your examples are bad.
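The following is an added example, not part of the question or the answer above. It sketches option C from the question for the case where identifiers must not be guessable: the value comes from the operating system's CSPRNG, is stored without a prefix, is exposed with one, and is accepted with or without it. The `PREFIXES` table and the function names are hypothetical.

```python
import secrets
import uuid

# Hypothetical prefix table: object kind -> prefix shown in the API and in logs.
PREFIXES = {"transaction": "trx_", "customer": "cus_"}


def new_identifier() -> uuid.UUID:
    """Build a version 4 UUID from 16 bytes of OS CSPRNG output.

    Nothing is derived from object.id, created_at or an application secret,
    so knowing those values does not help anyone predict the identifier.
    """
    return uuid.UUID(bytes=secrets.token_bytes(16), version=4)


def expose(kind: str, ident: uuid.UUID) -> str:
    """Render the stored (unprefixed) UUID with its kind prefix."""
    return PREFIXES[kind] + str(ident)


def parse(kind: str, text: str) -> uuid.UUID:
    """Accept an identifier with or without the prefix; reject anything else."""
    prefix = PREFIXES[kind]
    if text.startswith(prefix):
        text = text[len(prefix):]
    elif "_" in text:
        # A prefix is present but belongs to another object kind.
        raise ValueError("identifier carries a prefix for a different object kind")
    parsed = uuid.UUID(text)  # raises ValueError on malformed input
    if str(parsed) != text.lower():
        # uuid.UUID() also accepts braces, urn: forms and missing hyphens;
        # only the canonical 36-character form is allowed here.
        raise ValueError("expected the canonical hyphenated UUID form")
    return parsed


if __name__ == "__main__":
    ident = new_identifier()
    print(expose("transaction", ident))
    print(parse("transaction", expose("transaction", ident)) == ident)
```

An unguessable identifier does not replace an authorization check on the object it names.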