I found the best way to do this:
- Make the event secret
  - to hide the link from my home page
- Use the “let link expire after the first booking” option
  - so the link is only useful to the first person who uses it
- Change the event URL to a UUID4 (option 5 above)
  - I didn’t find this setting at first because the scheduling link isn’t an editable text field
  - but you can go to edit → more options → booking page options to edit the URL
  - generate a UUID4 locally so only you have the unique ID, then never share it with anyone
- Only use the one time link option
This combination of settings means that the only way a person can book a meeting with me is if they are the first person to use a link I made. There’s no way for anyone to use a link a second time or guess the link of the main scheduling page, which satisfies my personal security requirements.
As a side note, I figured out how Calendly generates the scheduling link in the first place, but that information isn’t needed because you can just edit the link after it’s generated.
I’ll explain how Calendly generates the meeting link for documentation anyway.
- The first link name is the length of time of the meeting, so calendly.com/username/30m would be the link for the first 30 minute meeting I make.
- If I make another 30 minute meeting, Calendly spells out the time to avoid a collision with the first link, i.e. calendly.com/username/30-minutes (it’s something like that, I don’t have the exact spelling right).
- Then, all 30 minute meetings I make after that just use the title of the meeting, so a meeting titled “Meeting with Jacob” comes up as calendly.com/username/meeting-with-jacob (note the hyphens and lowercasing).
- Then, if I make another meeting with the title “Meeting with Jacob”, the link just increments: calendly.com/username/meeting-with-jacob-1
Update:
- It looks like even the one time link includes the meeting link, making it possible for an adversary to find my main booking page
  - so I will generate the UUID4 locally every time I share a link
  - this is inconvenient but preferable to me over giving adversaries a way to book a meeting with me
A second update
(looks like I can’t edit my original question and answer or reply to the answer)
I wanted to reduce the chance of an adversary getting a live unused one time link
- It turns out unused one time links expire automatically in 90 days
  - I wish I could configure that automatically, but the automated expiration is still helpful
- More importantly, I can view all created one time links from the “meetings” menu
  - and I can cancel pending meetings
  - so I will modify my above answer to manually delete unused one time links after one week
- This is a workaround because there’s no automated way to make a one time link expire sooner than 90 days, but worth it for my personal security requirements
I also have a minor update on how the meeting link is automatically generated
- If I clone a meeting with the name “meeting with Jacob”, the title becomes “meeting-with-jacob-clone”
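
Added example, not part of the original post and not Calendly's code: a small Python audit that flags event slugs following the naming patterns described above and generates a UUID4 replacement locally. The function names and the regular expression for the spelled-out duration form are assumptions, since the post does not give the exact spelling.

```python
import re
import uuid

# Duration-style defaults described in the post ("30m", "30-minutes").
# The exact spelled-out form is uncertain in the post, so this pattern is an assumption.
DURATION_RE = re.compile(r"^\d+(m|-minutes?)$")


def title_slug(title):
    """Lowercase and hyphenate a title: "Meeting with Jacob" -> "meeting-with-jacob"."""
    return re.sub(r"[^a-z0-9]+", "-", title.lower()).strip("-")


def is_uuid4(slug):
    """True only if the slug parses as a version 4 (random) UUID."""
    try:
        return uuid.UUID(slug).version == 4
    except ValueError:
        return False


def audit_slug(slug, titles=()):
    """Return why a slug is guessable, or None if it is a random UUID4.

    titles: event titles someone else could plausibly know or guess.
    """
    s = slug.lower()
    if is_uuid4(s):
        return None
    if DURATION_RE.match(s):
        return "duration-based default"
    for t in titles:
        # Title slug, optionally followed by "-clone" and/or an increment.
        if re.fullmatch(re.escape(title_slug(t)) + r"(-clone)?(-\d+)?", s):
            return "derived from title %r" % t
    return "not a UUID4"


def new_private_slug():
    """Generate the replacement slug locally; uuid4 draws 122 random bits from the OS."""
    return str(uuid.uuid4())


if __name__ == "__main__":
    for s in ["30m", "meeting-with-jacob-1", new_private_slug()]:  # constructed samples
        print(s, "->", audit_slug(s, ["Meeting with Jacob"]) or "ok")
```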