I can't speak to how the keys are generated but take a look at the bellow keys. They are all the same file uploaded with the same code within a few moments of each other. They are unique enough it would take a bruit force attack to find a key that could be used:
AMIfv951k5FTlQxC-6nljafbiyiRJvWkcVhbuCbBvFcSu6cuf_IV2x1f_OIhkQ-Q1OnPp0HN6hKKbXMS4S_C3dgt5zGhQcWKHOZy2ALjOXVr20o9PhPWT8Wmbu4oxJU7gmAXfVQtttYBheQvpJFbOkH_qnilNdWmh_UYNiZjy_O9ioV_SJnH-PM AMIfv954myPMnDkCeYlHSMUj2noCiBqD-BtaxwZw7Raf_LGg62IOlgOK44PpysRDX5BWEQE5NfzvtS-xVV4BL9kh1eH2lx7l5fWQWJSEQR8vL8JCAOq12A2LuzvUdLK3e9jwXNwx7UCVI1EeUipVXUvABT9tauNJ_DRBBlL8bqNE99QzfXijCFQ AMIfv97UzePJVVqYjnxkAf5d_-tG88gzxp9DcttAeUdZ10NUpMTVmYG2QttDDOSNzztFzHVnRa4rcy-BWeLlN9ZRZzEEXI2TXWUIxn1tzwW_QgYSJP60YWb5bt_khIPnUAWIbij-FQEdMycGDada_it6WoPky5hCS0cjVtAJ4tr2p7NuRxIo2_c AMIfv97MrdriwZpoTkLGxc2sEFwfXIMXwz7Dt3f7IH9Iljb9S57f6amI8ZB8H70VwfkLVOnPvhoDNW7iyTUhiqtafSsFu7L6w3U_qxqzaGJNez8XGLLYeZCwBUWRre-6eeodyTzzohB7zgrEvTp4j9B1K99HU5Secp2cZNW0VW4i9co-o352eqw AMIfv95anW6Qio_APu5La6ZBAs9ZUvaXcO5x8JeN0CW0knMnLtCFSWiAFe0laElTfbguW71WPO7UpKtFK_ijUTSNOgvT6w2T-0YWKawlHaBvyVnDFRZAcdsbGdIeBAcQOnXsJ6D_dDkKLBi73SHTIXB9LTr_oZUbpVOxiLHQOZa8h58ubozYu0E On Sunday, September 27, 2015 at 3:23:50 PM UTC-4, Rob Curtis wrote: > > Hi, > > I can't find any information on this in the documentation; > Are blob keys guessable? > Is it safe to expose stringified blob key to a user? > > Thanks > Rob > > -- You received this message because you are subscribed to the Google Groups "Google App Engine" group. To unsubscribe from this group and stop receiving emails from it, send an email to google-appengine+unsubscr...@googlegroups.com. To post to this group, send email to google-appengine@googlegroups.com. Visit this group at http://groups.google.com/group/google-appengine. To view this discussion on the web visit https://groups.google.com/d/msgid/google-appengine/160a6d4a-427d-4fba-83c6-c32d98f2d47d%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
