@klabb3 4d
Unique links like this work well over trusted comms channels, like email or slack. I don’t think typo attacks are particularly fruitful, but sometimes you need to type manually, in which case you’ll break the link. They should probably make canonicalize identifiers.

What I would worry about though, is tracking. If you can see calendar status via a link you received (or even guessed), you can follow that person forever. That’d be fine for public use-cases, like therapists, but I would never share my calendar publicly, even if the details are masked.

A great compromise, imo, is to generate temporary links, that are hard-enough to guess. That let’s you avoid rolling your own permission system, while providing excellent privacy by default.

@singron 4d
If you want to do a rigorous job preventing these issues, you can try the skeleton algorithm from tr39. It provides a normal form where confusable characters are considered equivalent, which let's you easily find confusable identifiers in a database.
@ElijahLynn 4d
Going off of your comment, I just signed up with /ElijahLynn (CamelCase) and it looks like I have both https://cal.com/ElijahLynn and https://cal.com/elijahlynn available, redirecting to my profile. The UI displays https://cal.com/elijahlynn, fwiw.
@pbreit 4d
I used the link it gave me which seems fine: https://cal.com/patrick-breitenbach-6randomchars
@smugma 4d
I tried my name with a capital letter and got:

This is a premium username, get yours for $29/mo