I recently went down a rabbit hole thinking about how secure share links are usually designed.
My first instinct was the obvious one: hash the internal ID, put it in the URL, resolve it on the backend. It works — until you start thinking about revocation, expiry, and access control.
What finally clicked for me was realizing that a shared link isn’t the resource itself, it’s permission to access the resource. Once I separated those two ideas and added an indirection layer (slug → resource), a lot of awkward edge cases disappeared.
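A minimal sketch of that indirection layer, added here as an illustration and not taken from the linked article: `hashed_link`, `ShareStore`, the in-memory dict and the `scope` field are all assumed names and design choices. It contrasts a link derived from the internal ID with a random slug that maps to a grant record carrying its own expiry, revocation flag and scope.

```python
import hashlib
import secrets
import time


def hashed_link(resource_id: int) -> str:
    """The 'hash the ID' design: the token is a pure function of the ID, so
    every share of a resource is the same link and it cannot be revoked or
    expired without changing the resource's ID."""
    return hashlib.sha256(str(resource_id).encode()).hexdigest()[:16]


class ShareStore:
    """Slug -> grant table: each link is a permission record, not the resource."""

    def __init__(self, now=time.time):
        self._grants = {}   # assumption: in-memory; a real system uses a DB table
        self._now = now     # injectable clock so expiry can be tested

    def create(self, resource_id: int, ttl_seconds: float, scope: str = "read") -> str:
        slug = secrets.token_urlsafe(16)  # 128 random bits, unrelated to the ID
        self._grants[slug] = {
            "resource_id": resource_id,
            "scope": scope,
            "expires_at": self._now() + ttl_seconds,
            "revoked": False,
        }
        return slug

    def revoke(self, slug: str) -> bool:
        """Kill one link; other links to the same resource keep working."""
        grant = self._grants.get(slug)
        if grant is None:
            return False
        grant["revoked"] = True
        return True

    def resolve(self, slug: str, wanted_scope: str = "read"):
        """Return the resource ID only if the grant exists and is still valid."""
        grant = self._grants.get(slug)
        if grant is None or grant["revoked"]:
            return None
        if self._now() >= grant["expires_at"]:
            return None
        if grant["scope"] != wanted_scope:
            return None
        return grant["resource_id"]
```

Unknown, revoked, expired and wrong-scope slugs all resolve to `None`, so the caller can return the same response for each and avoid revealing which links once existed.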
I wrote a short reflection on this shift in thinking — not a tutorial, just a design lesson I learned the hard way:
👉 Building a Secure Sharing System: Why Slugs Matter More Than Hashes
Would love to hear how others have approached this problem.