by maxcoder4 838 days ago
The idea behind "security through obscurity" is that even if the adversary knows everything about your setup *except the secret keys*, you should be secure. Security through obscurity is any method of protection other than the secret key, like for example:

* serving ssh on a random high port
* using a custom secret encryption algorithm
* hosting an unauthenticated service on a secret subdomain in hope nobody will find out
* or with a long directory name

Some security through obscurity is OK (for example high ports or port knocking help buy time when protecting from a zeroday on the service). It's just that relying only on the security through obscurity is bad.

In this case, I wouldn't call URLs with embedded key security through obscurity, just a poor key management.


But, this is just relying on the obscurity of the key: all security comes down to some form of secret knowledge. It’s just better to use a space that’s hard to enumerate than a low-cardinality space: if we had 1024 bits of port numbers, picking a random port would be as hard to crack as a 1024 bit encryption key.
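An added worked example, not code from either commenter, that puts numbers on the cardinality argument in the reply and on the "buys time" remark in the first post. It treats each of the thread's hiding places as a uniformly chosen secret, computes its entropy and how long an exhaustive guess would take at a given rate, and shows the defender's alternative for the URL case: a random 128-bit capability token compared in constant time. The secret spaces, the guess rate and the helper names are constructed for this example.

```python
import hmac
import math
import secrets

# Constructed secret spaces modelled on the thread's examples:
# name -> number of equally likely values the secret can take.
SECRET_SPACES = {
    "random high port (1024-65535)": 65535 - 1024 + 1,
    "8-char lowercase directory name": 26 ** 8,
    "128-bit random URL token": 2 ** 128,
    "1024-bit key": 2 ** 1024,
}


def entropy_bits(space_size: int) -> float:
    """Bits of entropy of a secret drawn uniformly from a space of this size."""
    return math.log2(space_size)


def expected_guesses(space_size: int) -> int:
    """Average guesses until an exhaustive search hits the secret: half the space."""
    return space_size // 2


def expected_seconds(space_size: int, guesses_per_second: int) -> float:
    """Expected wall-clock time to find the secret at a constant guess rate."""
    return expected_guesses(space_size) / guesses_per_second


def enumerable_within(space_size: int, guesses_per_second: int, budget_seconds: int) -> bool:
    """True if the space is expected to fall to brute force inside the time budget."""
    return expected_seconds(space_size, guesses_per_second) <= budget_seconds


def summarize(guesses_per_second: int = 1_000, budget_seconds: int = 3600) -> list:
    """Tabulate every constructed space at the given (constructed) guess rate."""
    rows = []
    for name, size in SECRET_SPACES.items():
        rows.append({
            "space": name,
            "bits": round(entropy_bits(size), 2),
            "expected_seconds": expected_seconds(size, guesses_per_second),
            "enumerable": enumerable_within(size, guesses_per_second, budget_seconds),
        })
    return rows


def make_url_token(nbytes: int = 16) -> str:
    """A 128-bit random capability token in URL-safe base64 (22 characters).

    This is the thread's 'key embedded in a URL' done with a space that cannot
    be enumerated, instead of a guessable directory or subdomain name.
    """
    return secrets.token_urlsafe(nbytes)


def verify_token(stored: str, presented: str) -> bool:
    """Constant-time comparison so the check does not leak how many characters matched."""
    return hmac.compare_digest(stored, presented)


if __name__ == "__main__":
    for row in summarize():
        print(f"{row['space']:<34} {row['bits']:>8} bits  "
              f"~{row['expected_seconds']:.3g} s  enumerable={row['enumerable']}")
    token = make_url_token()
    print("example URL token:", token, "valid:", verify_token(token, token))
```

At the constructed rate of 1000 guesses per second the random high port falls in about half a minute and the lowercase directory name in a few days, while the 128-bit token is out of reach by a factor of roughly 10^28 even at a trillion guesses per second; that gap, not the hiding itself, is what the reply means by a space that is hard to enumerate.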