How long should a random nonce be?

A 64-bit nonce is likely more than sufficient for most practical purposes, if the 64 bits are crypto-quality randomness.

Why is 64 bits sufficient? Let me lay out the kind of reasoning you can use to answer this question. I'll assume this is a single-use time-limited URL; after it is used once, it is no longer valid, and after a little while (3 days, say), it expires and is no longer valid. Since the nonce is only meaningful to the server, the only way that an attacker can try a guess is to send the 64-bit guess to the server and see how the server responds. How many guesses can the attacker try in the time before the nonce expires? Let's say the attacker can make 1000 HTTP requests per second (that's a pretty beefy attacker); then the attacker can make about 1000*3600*24*3 = 2²⁸ guesses within a 3-day period. Each guess has a 1/2⁶⁴ chance of being right. Therefore, the attacker has at most a 1/2³⁶ chance of breaking the scheme. That should be more than secure enough for most settings.

First, estimate the maximum amount of uses your system will get (the amount of times a random nonce will be generated). Next, decide on an acceptable security level, that is, how improbable it must be that a nonce is a duplicate of an old one. Calculate the amount of uses in bits, double that and add the improbability you need in bits and you have your nonce length.

An example from AES-GCM with random IV. The number of invocations allowed with random IV for a certain key is 2³². The probability that an IV is reused must be less than 2^-32. The required nonce length for this is 32 × 2 + 32 == 96 bits.

If, hypothetically, you'd want to be able to generate 2⁹⁶ packets, each with a random nonce and would want the probability of a duplicate nonce be less than 2^-32, you'd need a nonce that is 96 × 2 + 32 == 224 bits long.

Comparing this to the above answer of 64 bits... if you have more than 2¹⁶ (65536) uses of your system, the probability of having a duplicate nonce in that time is more than 2^-32 (more than 1 in 4 billion, short scale). This might be quite acceptable, depending on your security requirements, or it might not be.

As a one size fits all answer - the random UUIDs mentioned are a pretty okay solution.

Do note that these values are approximations, and the more accurate calculations are much more complex.