Validate URL-Based Scheduling
Shival Agarwal
Presently, one can change the ticket number in the URL for URL-Based Scheduling to schedule themselves on any ticket. A competitor or curious user could use this functionality to gain insight into other tickets and block engineer calendars.
Paul Zimmerman
I'm adding my "+1" to this. It would be preferable if the URL-based link could selectively be required to also match some other elements that could be passed as query parameters, such as the company name or ID, contact ID or email address, pretty much any other information that would require providing a 2nd piece of information that would be unique to the ticket.
Our use case is to automate sending out a ticket acknowledgement for tickets submitted after-hours. We'd like them to be able to self-schedule, but with how the URL-based scheduling works now, all they'd need to do is change the ticket ID and then be able to either see another ticket's title (if Ticket Details Display is enabled in Security), or schedule events for a different ticket altogether (malicious use of link).
Ideally, we'd be able to change the Ticket Details Display setting on a per Appointment Type basis so we have more granular control over which types of Appt Types show this info.
Controls on a per-Appointment Type basis to turn off URL-based scheduling altogether would be nice, as would optional "2nd factor" options for the URL-based scheduling such as requiring a 2nd piece of info (provided in query string, in the URL itself, or prompted to enter by TZ such as contact email address associated with the ticket). This info would have to match to the ticket # provided in the URL to allow the person to proceed with any scheduling activity.
Jason Langenauer
Shival Agarwal This can already be configured in the "Security" section of TimeZest, which allows you to configure TimeZest to not show the ticket description for URL-based scheduling, thus turning off the ability for users to change the URL and see other tickets (but at the cost of usability).
Shival Agarwal
Jason Langenauer: I think that addresses data leakage, but not malicious scheduling.
Josh Campbell
Maybe it could send the user a shortened URL that wouldn't show the tech's name, appointment type, and ticket number in the URL. Within the portal the tech could create a shortened link as well.
Jason Langenauer
Josh Campbell: Hi Josh, this is exactly how the TimeZest pod works, although are you asking for the ability to simply get a URL, rather than having TimeZest automatically send the email?
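As an added illustration of the two mitigations proposed in this thread (it is not TimeZest's code), the hypothetical handler below implements Paul Zimmerman's "2nd piece of info" check, where the contact email supplied with the link must match the contact on the ticket, and Josh Campbell's opaque shortened link that exposes no ticket number at all. The `ticket` and `contact` query parameter names, the `https://scheduling.example` host and the ticket records are all constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlparse

# Constructed ticket records standing in for the PSA's ticket data.
TICKETS = {
    "41021": {"title": "Printer offline at reception", "contact_email": "alice@example.com"},
    "41022": {"title": "VPN drops every hour", "contact_email": "bob@example.com"},
}
LINKS: dict = {}  # opaque token -> ticket id (in-memory store for the example)

def _normalize_email(addr: str) -> str:
    return addr.strip().lower()

def authorize_scheduling(url: str, tickets: dict = TICKETS) -> dict:
    """Paul's variant: a URL-based scheduling link is only honoured when the
    'contact' query parameter matches the contact recorded on the 'ticket'.
    Returns {'ok': True, ...} or {'ok': False, 'reason': ...}."""
    params = parse_qs(urlparse(url).query)
    ticket_id = params.get("ticket", [""])[0]
    contact = params.get("contact", [""])[0]
    ticket = tickets.get(ticket_id)
    if ticket is None or not contact:
        # Same response for an unknown ticket and a missing factor, so the
        # link cannot be used to enumerate which ticket numbers exist.
        return {"ok": False, "reason": "ticket/contact mismatch"}
    expected = _normalize_email(ticket["contact_email"]).encode()
    given = _normalize_email(contact).encode()
    if not hmac.compare_digest(expected, given):  # constant-time comparison
        return {"ok": False, "reason": "ticket/contact mismatch"}
    return {"ok": True, "ticket": ticket_id, "title": ticket["title"]}

def issue_opaque_link(ticket_id: str, links: dict = LINKS) -> str:
    """Josh's variant: the link carries a random 256-bit token instead of the
    tech name, appointment type and ticket number, so it cannot be edited
    to point at another ticket."""
    token = secrets.token_urlsafe(32)
    links[token] = ticket_id
    return f"https://scheduling.example/s/{token}"

def resolve_opaque_link(url: str, links: dict = LINKS):
    """Look the token up; returns the ticket id, or None for an unknown token."""
    token = url.rsplit("/", 1)[-1]
    return links.get(token)
```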