by jazzyjackson 549 days ago
I don't know what Devin is, but it sounds like this is just a case of using a high-entropy UUID as a workspace address; it's not that different from password auth if, say, your password were in the query string. Not great, but basically it's the "anyone with a link" method of sharing access.

Did Google Photos ever change their auth scheme? I know I was surprised once when I found out the direct URL of my jpegs was "public"

Here's an archived link to the Twitter thread you can read without an account https://xcancel.com/TheMidasProj/status/1867318553046921376


It’s very common for CDN URLs to be public, but to be signed and only work for a limited amount of time. This is because it’s very hard to scale authorisation to edge CDN scale while keeping the performance benefits. This is a security tradeoff, sure, but a very common one.
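The two comments above contrast a bare capability URL (a high-entropy ID that works forever for anyone who has it) with the signed, time-limited URLs CDNs commonly use. The following is an added example, not code from either commenter or from any CDN vendor, showing how such a URL is minted at the origin and checked statelessly at the edge: an HMAC-SHA256 over the path and an expiry timestamp is appended as query parameters, and the edge rejects any request whose signature does not match or whose expiry has passed. The key, paths and timestamps are constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed secret shared by the origin (signer) and the edge (verifier).
# In a real deployment it would come from a secrets manager, not source code.
SIGNING_KEY = b"example-edge-signing-key-do-not-use"


def _canonical(path: str, expires: int) -> bytes:
    # The signature covers both the path and the expiry, so an attacker can
    # neither reuse a signature for a different object nor extend its lifetime.
    return f"{path}\n{expires}".encode()


def sign_url(path: str, ttl_seconds: int, now: Optional[int] = None,
             key: bytes = SIGNING_KEY) -> str:
    """Origin side: return path?expires=<unix ts>&sig=<hex HMAC-SHA256>."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    sig = hmac.new(key, _canonical(path, expires), hashlib.sha256).hexdigest()
    return f"{path}?{urlencode({'expires': expires, 'sig': sig})}"


def verify_url(url: str, now: Optional[int] = None,
               key: bytes = SIGNING_KEY) -> Tuple[bool, str]:
    """Edge side: (ok, reason). Needs only the key and a clock, no session
    store or user database, which is why this scales to CDN edges."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    qs = parse_qs(parts.query)
    try:
        expires = int(qs["expires"][0])
        sig = qs["sig"][0]
    except (KeyError, IndexError, ValueError):
        return False, "missing or malformed expires/sig"
    expected = hmac.new(key, _canonical(parts.path, expires),
                        hashlib.sha256).hexdigest()
    # Constant-time comparison so the signature can't be forged byte by byte
    # by measuring response timing.
    if not hmac.compare_digest(expected, sig):
        return False, "bad signature"
    if now > expires:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000
    url = sign_url("/photos/abc.jpg", ttl_seconds=600, now=t0)
    print(url)
    print(verify_url(url, now=t0 + 100))      # (True, 'ok')
    print(verify_url(url, now=t0 + 601))      # (False, 'expired')
    print(verify_url(url.replace("/abc.jpg", "/other.jpg"), now=t0 + 100))
```

The tradeoff the comment describes is visible in what the edge does not check: it never asks who the requester is, only whether the link was minted by the origin and is still fresh. Anyone who captures the URL within its window can use it, which is exactly the "anyone with a link" property of the first comment, bounded by the TTL rather than open-ended.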