How to use the URL Parser & Query Builder
Break any URL into its parts — scheme, host, port, path, query, fragment, plus userinfo and IDN handling — and edit the query parameters as a structured grid. Use it for debugging redirects, OAuth callbacks, signed URLs, UTM links, tracking parameters, and double-encoded redirects. Includes encoding diagnostics, OAuth callback inspector, and URL normalization / compare. Runs locally; URLs are never uploaded.
What it does
- Parses any URL into scheme, userinfo, host, port, path, query, fragment.
- Query parameters shown as an editable grid — add, remove, sort, edit, dedupe.
- Encoding diagnostics: detects double encoding (
%2520), percent / plus differences, embedded URLs.
- OAuth / Tokens view: highlights
code, state, id_token, access_token, nonce, PKCE-related params.
- Normalize / Compare: canonicalize a URL (lowercase host, default port, sorted query) and diff two URLs by component.
- Copy sanitized URL with secrets masked for safe sharing in tickets.
- Handles IDN (Unicode) hosts and Punycode conversion.
When to use it
- Inspect tracking parameters (
utm_source, gclid, fbclid) in a referral link.
- Debug an OAuth callback URL that's failing.
- Decode a redirect URL that has another URL embedded in a parameter.
- Compare two URLs to spot a small difference (extra param, different host, missing fragment).
- Audit a signed URL or pre-signed S3 link before sharing.
- Build a query string by hand for an integration test.
How to use it
- Paste the full URL — scheme-less URLs assume
https://.
- Review parsed host, path, and query params; edit values in the grid.
- Open Encoding Diagnostics if a value looks double-encoded or contains a nested URL.
- Open OAuth / Tokens for callback URLs to inspect
code, state, id_token.
- Use Normalize / Compare to canonicalize or diff two URLs by component.
- Rebuild and copy the URL, or use Copy sanitized URL to mask token-shaped values.
- For encoding only (no parsing), use the URL Encoder / Decoder.
Tips & pitfalls
- Fragments (after
#) are not sent to the server — useful (and often misused) in OAuth implicit flows.
- Sorting or removing parameters on a signed URL invalidates the signature — never modify pre-signed S3 / SAS links.
- + is decoded as a space in
application/x-www-form-urlencoded but as literal + in URL paths — semantics differ.
- Double-encoded values (
%2520) usually mean encoding was applied twice — decode twice to recover.
- Tokens in query strings can leak via referrer headers, server logs, and browser history — prefer headers or POST bodies for sensitive values.
- IDN hostnames may be displayed as Unicode but transmitted as Punycode (
xn--...).
FAQ
- How do I parse a URL online? Paste the URL — the tool breaks out every component and lets you edit query parameters in a grid.
- How do I read OAuth callback parameters? Paste the callback URL into the parser and open the OAuth / Tokens tab to see
code, state, etc.
- What is a double-encoded URL? A URL whose components were encoded twice —
%20 became %2520. Decode twice to recover.
- How do I dedupe or sort query parameters? The grid view has buttons for sort, dedupe, and remove. Rebuild and copy the result.
- Is my URL uploaded? No. Parsing runs in your browser.
- For encoding only, which tool should I use? The URL Encoder / Decoder handles percent-encoding without parsing the URL structure.
Runs locally in your browser. No uploads. Use Copy sanitized URL to mask tokens before pasting URLs into tickets or chat.
