URL Parser

Fix URL input

{{ message }}

Ignored {{ ignoredExtraLines }} extra line(s). This parser evaluates only the first non-empty URL.

URL or query string:

Example: https://user:token@example.com:8443/api/v1/orders?status=paid&tag=a&tag=b#summary.

Input handling:

Choose how ambiguous pasted text should be interpreted before parsing.

Query values:

Decoded is best for reading API filters; raw is best when verifying percent encoding.

Sensitive values:

Keep masked for support tickets; reveal only when you need exact local evidence.

Parsing updates locally as the URL, handling mode, or query display changes.

Duplicate query keys:

Preserve is the standard browser behavior; keep first or last only when duplicates are accidental.

Token-like query keys:

Use short fragments such as token, secret, password, key, auth, signature, session, jwt.

Sort rebuilt query keys:

Off preserves pasted order for debugging; on makes review URLs easier to compare.

Drop fragment in review URL:

Turn on when sharing a server-side request URL where the fragment never reaches the server.

Show empty query values:

Leave on for API debugging because empty keys can carry meaning.

Component	Value	Detail	Copy
{{ row.component }}	{{ row.value }}	{{ row.detail }}

Index	Key	Value	Occurrence	Form	State	Copy
{{ row.index }}	{{ row.key }}	{{ row.value }}	{{ row.occurrence }}	{{ row.form }}	{{ row.state }}

Signal	Status	Detail	Copy
{{ row.signal }}	{{ row.status }}	{{ row.detail }}

{{ reviewUrlText }}

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

A URL often arrives as one long string, but it can contain several separate decisions: which URL family is being used, which host receives the request, whether credentials are embedded, which path is selected, which query parameters travel with it, and what fragment stays in the browser. Treating the whole string as a single address can hide the part that is actually causing a redirect, API mismatch, tracking leak, or support-ticket risk.

Safe link review usually starts before opening the link. A copied address may contain a signed download token, a private hostname, a misleading user-info section, a long tracking tail, a duplicate query key, or encoded delimiters that look harmless until decoded. Splitting the text into scheme, authority, path, query, and fragment gives a more reliable way to inspect the evidence without sending a request.

URL components and common review questions
URL part	Review question	Common mistake
Scheme	Which protocol or URL family is being used?	Assuming every parsed address is a normal HTTP request.
Authority	Are credentials, host, or an explicit port present?	Reading the last domain-looking text as the only destination clue.
Path	Which route or resource follows the host?	Mixing path text with encoded query delimiters.
Query	Which keys, duplicates, blank values, and token-like values are present?	Assuming duplicate keys are interpreted the same way by every server.
Fragment	What browser-side anchor or client state follows the hash mark?	Treating the fragment like an ordinary server parameter.

The host is important, but it is not the whole URL.

Query strings need special care because their rules are partly conventional. A key can appear more than once, a blank value can be meaningful, a valueless key can still be sent, and a plus sign may be decoded as a space in form-style parsing. Percent-encoded delimiters such as %26 and %3D can also hide what would otherwise look like extra separators.

A clean parse is evidence, not a safety verdict. A well-formed URL can still point to a phishing site, a private admin path, a signed object, or an application route that only works in one environment.

How to Use This Tool:

Use the parser as a local review workspace for one address or query string at a time.

Paste a full URL, host-like value, or query string into URL or query string. If several lines are pasted, only the first non-empty line is parsed and an ignored-lines warning appears.
Choose Input handling. Lenient URL adds a default secure web scheme to host-like text, Strict absolute URL rejects missing schemes, and Query string only parses parameters without scheme, host, path, or fragment rows.
Set Query values to decoded for reading, raw for percent-encoding review, or both when readable values and original encoded text need comparison.
Keep Sensitive values set to mask before sharing output. Adjust Token-like query keys when local conventions require extra key fragments to be hidden.
Use Advanced controls when rebuilding a review URL. Duplicate query keys, Sort rebuilt query keys, Drop fragment in review URL, and Show empty query values change the review copy rather than the original input.
Read URL Component Ledger, Query Parameter Ledger, and Inspection Notes before copying Rebuilt URL Text. Fix parse errors, decode issues, risky schemes, unexpected duplicates, or masking concerns before sharing the result.

Interpreting Results:

Start with scheme, hostname, host, port, and origin. These fields carry destination evidence that affects redirects, same-origin assumptions, public versus private environment mistakes, and whether a link behaves like a normal HTTP or HTTPS request.

The host-label row is only a simple split of the hostname. It does not infer public suffix ownership, domain registration, reputation, or whether a lookalike domain is safe.

Use Query Parameter Ledger to inspect duplicate keys, empty values, valueless keys, masked sensitive values, and decode notes before trusting a rebuilt URL.
Use Inspection Notes for the false-confidence checks: risky scheme, visible credentials, duplicate query rows, invalid percent encoding, encoded delimiters, fragment handling, and long URLs.
Use Rebuilt URL Text as a review artifact. Sorting keys, dropping fragments, masking values, or keeping only one duplicate can change how another system interprets the address.
A clean parse does not prove reachability, authorization, safety, or exact equivalence with a server framework, reverse proxy, browser extension, or application router.

Technical Details:

Modern browser URL parsing follows the living URL model, while many documents and server tools still use URI vocabulary from RFC 3986. The practical result is that spaces, percent-encoded bytes, host parsing, query encoding, and special schemes can differ across environments. A review copy should keep both the normalized component view and any warning that changes interpretation.

Query parsing is separate from the base URL shape. The query text is split on &, each row is split on the first =, plus signs are treated as spaces for form-style decoding, and invalid percent encoding falls back to the raw text with a review note. Duplicate keys remain visible even when the rebuilt URL policy keeps only the first or last occurrence.

Transformation Core:

URL parser transformation core
Stage	Behavior	Review meaning
Input selection	The first non-empty line is used; later lines are ignored with a warning.	Multi-line pastes should be trimmed to the one address being reviewed.
Mode handling	Lenient mode adds a default secure web scheme to host-like text, strict mode requires an absolute URL, and query-only mode skips URL components.	The selected mode controls whether a missing scheme is a convenience case or an error.
Component ledger	Scheme, username, password, hostname, host, port, origin, path, search, fragment, and review URL are separated.	Destination and credential clues can be inspected without opening the link.
Query ledger	Each query row records key, value, occurrence count, form, kept or dropped state, masking, duplicate status, and decode issues.	Repeated keys and encoded delimiters stay visible instead of being hidden inside a long string.
Review URL	The rebuilt text follows the duplicate, sorting, fragment, empty-value, and masking policies selected by the user.	The rebuilt text is a controlled review artifact, not proof that the destination application will read the request the same way.

Query Rule Core:

Query parsing and rebuild rules
Rule	Applied behavior	Boundary to verify
Decoded, raw, or both values	Decoded values are easier to read, raw values preserve encoded evidence, and both mode shows the readable value with raw text when they differ.	Use raw or both when percent encoding is the suspected problem.
Sensitive masking	Embedded credentials and token-like query keys are masked when the sensitive policy is set to mask.	The default token fragments include values such as `token`, `secret`, `password`, `key`, `auth`, `signature`, `session`, `jwt`, and common click IDs.
Duplicate policy	The ledger keeps every parsed occurrence, while the rebuilt URL can preserve all, keep first, or keep last.	Changing duplicate policy can change request meaning for APIs that accept repeated keys.
Empty parameters	Valueless and empty-value rows are shown by default and can be hidden from the ledger and rebuilt URL.	Leave them visible when an API distinguishes `?flag`, `?flag=`, and a missing key.
Fragment handling	The fragment remains in component evidence and can be dropped only from the rebuilt review URL.	Drop it for server-request review, but keep it when browser-side navigation or client state matters.

Length and Threshold Core:

The length profile counts characters in the parsed target and in the main URL parts. The inspection notes flag a normalized parse target longer than 2000 characters for review.

L = characters in normalized parse target

URL inspection signals and thresholds
Signal	Flagged condition	Why it matters
Scheme family	`javascript:`, `data:`, `vbscript:`, `file:`, `blob:`, or another non-HTTP scheme.	Opening or sharing the link can have executable, embedded, or context-specific behavior.
Sensitive values	Credentials or token-like query keys are present.	Visible output can leak passwords, signatures, sessions, tracking IDs, or auth tokens if masking is disabled.
Duplicate keys	The same decoded query key appears more than once.	Applications may keep the first value, keep the last value, or use every occurrence.
Decode issues	A key or value cannot be decoded cleanly, or encoded `&` or `=` characters are detected.	The readable value may not match the raw request-like text.
Length check	`L > 2000` characters.	Long URLs can fail in some clients, logs, proxies, or copy-paste workflows.

The host-label split is intentionally simple. It separates labels around dots, but it does not perform a public-suffix lookup, DNS lookup, reputation lookup, HTTP request, or availability check.

Privacy Notes:

Parsing happens locally in the browser. The result can still be sensitive if the pasted text contains credentials, signed URLs, session IDs, tracking identifiers, private hostnames, or internal paths.

Leave masking enabled before copying output into support tickets, issue trackers, chat, screenshots, CSV, DOCX, or JSON.
Revealing sensitive values makes them visible in copied tables, downloads, and rebuilt review text.
The parser does not contact the destination URL, fetch DNS, check reputation, or validate whether the address is reachable.

Worked Examples:

Strict Review of a Missing Scheme

Pasting example.com/pricing?plan=team in Strict absolute URL mode returns an input error because a web scheme is required. Switch to Lenient URL when the missing scheme is not the issue, or keep strict mode to document why the pasted text is incomplete.

Tracking Link Cleanup

A link with utm_source, gclid, and repeated plan keys should be reviewed with masking on. Check Query Parameter Ledger before using Rebuilt URL Text, especially if sorting or duplicate-key policy changes the review copy.

Query-Only Debugging

Pasting ?status=paid&tag=a&tag=b&token=abc123 in Query string only mode produces query rows without host or origin rows. Duplicate tag values stay visible, and the token-like value is masked when the sensitive policy remains on.

Encoded Delimiter Review

A value such as redirect=https%3A%2F%2Fexample.com%2Fpay%3Fref%3Da%2526b%253D2 can contain encoded separators inside a single parameter. Use Query values set to both so readable and raw evidence stay side by side, then check Inspection Notes for encoded delimiter signals before rebuilding the URL.

FAQ:

Does a successful parse mean the link is safe?

No. A successful parse means the input can be separated into URL or query parts. Check scheme, hostname, credentials, query rows, and inspection notes before opening or sharing the link.

Why did strict mode reject my link?

Strict handling requires an absolute URL with a scheme. Add the scheme, switch to lenient handling for host-like text, or use query-only handling for pasted parameters.

Why are some values shown as masked?

Masking hides embedded credentials and query keys that look like tokens, secrets, passwords, signatures, sessions, or common tracking identifiers. Revealing values is local, but copied or downloaded output may then contain secrets.

Can duplicate query keys change a request?

Yes. Some systems read the first value, some read the last value, and some use every occurrence. The query ledger keeps each parsed row; the duplicate-key policy changes only the rebuilt review URL.

Why does the fragment matter if servers usually do not receive it?

Fragments can still change browser navigation or client-side application state. Keep the fragment when reviewing a shareable browser link, or drop it from Rebuilt URL Text when the review is only about the server request.

Why did only one pasted URL parse?

The parser evaluates the first non-empty line only. Use Trim to first URL or paste one address at a time when a multi-line support note includes several candidates.

Glossary:

Scheme: The protocol or URL-family label before the colon, such as https.
Authority: The part after // that can contain user information, hostname, and port.
Origin: The scheme, host, and port value used for same-origin comparisons.
Query string: The ? part that carries parameters such as filters, pagination, tokens, or tracking values.
Fragment: The # part used as a client-side secondary reference.
Percent encoding: A way to represent reserved or non-ASCII characters with percent-prefixed byte values.
Duplicate query key: A query key that appears more than once in the same query string.
Review URL: A rebuilt copy that follows the selected masking, duplicate, sorting, empty-value, and fragment policies.

References:

URL Standard, WHATWG, last updated 1 June 2026.
RFC 3986: Uniform Resource Identifier (URI): Generic Syntax, RFC Editor, January 2005.
URL, MDN Web Docs.
URLSearchParams, MDN Web Docs.
Information exposure through query strings in URL, OWASP Foundation.
How to get a hostname from a URL in Python, Simplified Guide.