by kirlfiend_grill 1704 days ago
I let a company know that the url for their receipts (including name, address etc) was simply an md5 of the order number. They graciously offered 15% off on my next order as a thank you.

I feel like that would be a decent option for a surrogate key for public identification of an item and potentially cheaper than generating a uuid or something else. Maybe combine that with a salt and you have alright protection. How did you figure out that it was an md5 of the order number?
Presumably order numbers are easily guessable, so the md5 really offers no protection at all in this case and is no better than just using the order number.
And the thing is, even if they can't be guessed, it's only 999,999 calls to try every 6-digit possibility. And you'd only take 11 days if you were nice and paced yourself to 1 req/sec.
Searching for that MD5 would probably be sufficient to find that out.
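The weakness discussed in the thread, with the enumeration check and a keyed alternative, as an added example that is not part of the post or any comment. The order number and server key are constructed values, and the function names are assumptions; a public "salt" as suggested above does not change the outcome, only a secret key (which is what an HMAC is) does.

```python
import hashlib
import hmac
from typing import Callable, Optional

# Constructed values for the demonstration (not from the thread): a
# 6-digit sequential order number and a server-side secret key.
ORDER_NUMBER = 48217
SERVER_KEY = b"hypothetical-server-side-secret-key"


def weak_receipt_token(order_number: int) -> str:
    """The scheme from the post: an unkeyed MD5 of the order number."""
    return hashlib.md5(str(order_number).encode()).hexdigest()


def keyed_receipt_token(order_number: int, key: bytes = SERVER_KEY) -> str:
    """Hardened variant: HMAC-SHA256 under a key only the server holds.
    Without the key, a token cannot be derived from a guessed order number."""
    return hmac.new(key, str(order_number).encode(), "sha256").hexdigest()


def verify_receipt_token(order_number: int, token: str, key: bytes = SERVER_KEY) -> bool:
    """Server-side check; constant-time compare avoids leaking how much matched."""
    return hmac.compare_digest(keyed_receipt_token(order_number, key), token)


def recover_order_number(token: str, token_fn: Callable[[int], str],
                         max_order: int = 999_999) -> Optional[int]:
    """Offline reviewer's check, the 999,999-try enumeration the thread
    describes: if the token can be regenerated from a small id space using
    only public knowledge, it is not a secret. Returns the order number on
    success, or None if no id in 1..max_order reproduces the token."""
    for n in range(1, max_order + 1):
        if token_fn(n) == token:
            return n
    return None


if __name__ == "__main__":
    weak = weak_receipt_token(ORDER_NUMBER)
    strong = keyed_receipt_token(ORDER_NUMBER)
    # Unkeyed MD5: the order number falls out of the token directly.
    print("md5 token recovered  ->", recover_order_number(weak, weak_receipt_token))
    # Keyed token: the same enumeration, done without the key, finds nothing.
    print("hmac token recovered ->", recover_order_number(strong, weak_receipt_token))
    print("server verifies hmac ->", verify_receipt_token(ORDER_NUMBER, strong))
```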