Why hiding IDs wasn’t enough for secure share links

Source: Dev.to

Why hiding IDs wasn’t enough for secure share links

I recently went down a rabbit hole thinking about how secure share links are usually designed.

My first instinct was the obvious one: hash the internal ID, put it in the URL, resolve it on the backend. It works — until you start thinking about revocation, expiry, and access control.

What finally clicked for me was realizing that a shared link isn’t the resource itself, it’s permission to access the resource. Once I separated those two ideas and added an indirection layer (slug → resource), a lot of awkward edge cases disappeared.

I wrote a short reflection on this shift in thinking — not a tutorial, just a design lesson I learned the hard way:

👉 Building a Secure Sharing System: Why Slugs Matter More Than Hashes