The correct answer for using URLs as capabilities (which is what a 'secret URL' really is: a capability to a resource, which can be handed out, copied &c.) is to use a 256-bit value as part of the URL. Thus, rather than 'http://example.invalid/TEAM-DOC-SHORT-RAND/' use 'http://example.invalid/w6uP8Tcg6K2QR905Rms8iXTlksL6OD1KOWBxT.... If you're really paranoid, double the length. I guarantee it won't be guessed, in either case.
Yes, exactly this. It's not rocket science; it's odd how much effort Slack put into implementing (and then reimplementing in a slightly less broken fashion) a clearly wrong solution.
Don't forget that it should ideally be cryptographically random. If the sequence is predictable (like based on an auto incrementing number or on time) then you might still be able to guess a 256-bit number.
The guideline for unguessability in that TR just says to use a UUID. UUIDs are ugly, and quite long for the amount of randomness they contain. I prefer Slack's new 10*base36 solution.
10 base-36 digits is only around 52 bits, compared to the 112 random bits in a UUIDv4. 2^52 might be enough for particular use-cases, but it's nowhere near a UUID in terms of randomness. Even 10 base-64 digits is only 60 bits.
Right, some kinds of UUIDs achieve their uniqueness precisely by leveraging predictability. The unpredictable kind are mostly just random bits formatted in a particular (not very efficient) way.
The random ones don't have to be unpredictable randomness, either. For example, you might seed a good RNG with the local MAC address and boot time and then use that to generate v4 UUIDs. As far as I can tell, this would be perfectly legal and should produce UUIDs that are as likely to be unique as any other, but they would also be easy for an attacker to predict.
Basically the whole "version" UUIDs is a stupid fever dream. Any sane implementation should return 16 random bytes and be done. The fact that there's a spec for this and it's longer than 2 sentences is just wrong.