diff --git a/app/controllers/file_uploads_controller.rb b/app/controllers/file_uploads_controller.rb
index 8ad47cc..ad487ca 100644
--- a/app/controllers/file_uploads_controller.rb
+++ b/app/controllers/file_uploads_controller.rb
@@ -2,7 +2,7 @@ class FileUploadsController < ApplicationController
   def show
     @form = Form.find_by!(token: params[:form_id])
     @submission = @form.submissions.find(params[:submission_id])
-    @file_upload = @submission.files_attachments.find(params[:id])
+    @file_upload = @submission.files_attachments.find_by!(token: params[:id])
     redirect_to url_for(@file_upload)
   end
 end
diff --git a/app/models/submission.rb b/app/models/submission.rb
index f0e0349..4dfc874 100644
--- a/app/models/submission.rb
+++ b/app/models/submission.rb
@@ -37,7 +37,7 @@ class Submission < ApplicationRecord
       attachment = ActiveStorage::Attachment.new(record: self, name: 'files', blob: create_one.blob)
       attachment.save
       # return the URL that we use to show in the Spreadsheet
-      Rails.application.routes.url_helpers.file_upload_url(form_id: form, submission_id: self, id: attachment.id, host: DEFAULT_HOST)
+      Rails.application.routes.url_helpers.file_upload_url(form_id: form, submission_id: self, id: attachment.token, host: DEFAULT_HOST)
     else
       value.to_s
     end
diff --git a/config/initializers/attachment_tokens.rb b/config/initializers/attachment_tokens.rb
new file mode 100644
index 0000000..a73e466
--- /dev/null
+++ b/config/initializers/attachment_tokens.rb
@@ -0,0 +1,3 @@
+Rails.configuration.to_prepare do
+  ActiveStorage::Attachment.send(:has_secure_token)
+end
diff --git a/db/migrate/20200412214304_add_token_to_attachments.rb b/db/migrate/20200412214304_add_token_to_attachments.rb
new file mode 100644
index 0000000..76922bc
--- /dev/null
+++ b/db/migrate/20200412214304_add_token_to_attachments.rb
@@ -0,0 +1,6 @@
+class AddTokenToAttachments < ActiveRecord::Migration[6.0]
+  def change
+    add_column :active_storage_attachments, :token, :string
+    add_index :active_storage_attachments, :token, unique: true
+  end
+end
diff --git a/db/schema.rb b/db/schema.rb
index a55b127..0af6c8e 100644
--- a/db/schema.rb
+++ b/db/schema.rb
@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 2020_04_12_165834) do
+ActiveRecord::Schema.define(version: 2020_04_12_214304) do
 
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
@@ -21,8 +21,10 @@ ActiveRecord::Schema.define(version: 2020_04_12_165834) do
     t.bigint "record_id", null: false
     t.bigint "blob_id", null: false
     t.datetime "created_at", null: false
+    t.string "token"
     t.index ["blob_id"], name: "index_active_storage_attachments_on_blob_id"
     t.index ["record_type", "record_id", "name", "blob_id"], name: "index_active_storage_attachments_uniqueness", unique: true
+    t.index ["token"], name: "index_active_storage_attachments_on_token", unique: true
   end
 
   create_table "active_storage_blobs", force: :cascade do |t|