To account for the massive uncoordinated random access scenario, which is relevant for the Internet of Things, Polyanskiy (2017) proposed a novel formulation of the multiple-access problem, commonly referred to as unsourced multiple access, where all users employ a common codebook and the receiver decodes up to a permutation of the messages. In this paper, we extend this seminal work to the case where the number of active users is random and unknown a priori. We define a random-access code accounting for both misdetection (MD) and false alarm (FA), and derive a random-coding achievability bound for the Gaussian multiple access channel. Our bound captures the fundamental trade-off between MD and FA probabilities. It suggests that the lack of knowledge of the number of active users entails a small penalty in energy efficiency when the target MD and FA probabilities are high. However, as the target MD and FA probabilities decrease, the energy efficiency penalty becomes more significant. For example, in a typical IoT scenario with framelength 19200 complex channel uses and 25-300 active users in average, the required energy per bit to achieve both MD and FA probabilities below 10 −1 , predicted by our bound, is only 0.5-0.7 dB higher than that predicted by the bound in Polyanskiy (2017) for a known number of active users. This gap increases to 3-4 dB when the target MD probability and/or FA probability is below 10 −3 . Taking both MD and FA into account, we use our bound to benchmark the energy efficiency of slotted-ALOHA with multi-packet reception, of a decoder that simply treats