URL Parser and Analyzer | Query Parameters and Relative URLs

ConverterRuns in Your Browser (No Uploads)

Parse one absolute URL or resolve a URL reference against an explicit base. Inspect the browser-normalized URL, origin, credentials, host, effective port, path segments, ordered query entries, duplicate keys, plus-sign behavior, and fragment.

What to do next

Continue with a related workflow or open the next tool that usually follows this task.

How to Use This Tool

Choose Absolute URL when the input includes a scheme, or Reference + base for a relative path, query, or fragment.

In reference mode, enter the exact HTTP or HTTPS base that the application uses before pasting the reference.

Leave credential masking enabled unless you deliberately need credentials in copied or downloaded output.

Run the parser and compare the original input with the normalized URL before using it for signatures, redirects, or cache keys.

Review raw and decoded path, query, and fragment values; inspect repeated keys, empty entries, plus signs, and malformed percent escapes.

Copy the component you need or download the complete text report, then verify reachability, ownership, server behavior, and safety separately.

When to Use This Tool

OAuth and SSO callback debugging

Separate callback origin, path, ordered state values, nested return targets, and fragment data before changing an OAuth or SSO redirect configuration.

Campaign and analytics query inspection

Compare raw UTM, affiliate, search, and filter entries with decoded values while retaining repeated keys and their original order.

Relative link and routing diagnosis

Resolve ../api, /assets, ?page=2, or #section against the exact deployment base to reproduce browser routing behavior.

Endpoint and proxy configuration review

See host type, normalized IDN hostname, explicit and effective port, user information, origin, and non-HTTP scheme differences in logs or configuration.

Malformed URL evidence collection

Identify empty separators, malformed escapes, invalid UTF-8, form-plus conversion, duplicate keys, and fragments before handing one component to an encoder or query editor.

Common Mistakes

Treating a relative reference as an absolute URL

Absolute mode requires a scheme. Use Reference + base for /docs, ../api, ?page=2, or #section so resolution happens against a base you can see and verify.

Assuming normalized output is byte-for-byte original input

The browser can lowercase a hostname, add a root slash, serialize Unicode as percent escapes or Punycode, and remove an explicit default port. Keep the original when signatures, cache keys, or exact log comparison matter.

Reading every plus sign as a literal plus

Query parsing follows form rules, so raw + becomes a decoded space while %2B becomes a literal plus. Compare the raw entry and decoded value before editing search terms or signatures.

Collapsing repeated query keys into one value

Duplicate keys can be ordered lists, overrides, or mistakes depending on the receiving framework. The parser preserves their order but cannot decide which value the server will use.

Treating result masking as secret removal

Masking user information protects cards, copy, and download output, but the original input remains visible in the input field. Remove passwords, tokens, and personal data before sharing screenshots or reports.

Examples

Inspect URL normalization and duplicate keys

The browser serialization lowercases the scheme and hostname and removes the explicit HTTPS default port while preserving path, query order, and fragment.

Input
HTTPS://EXAMPLE.COM:443/a%20b?tag=one&tag=two#review
Output
https://example.com/a%20b?tag=one&tag=two#review

Review credentials, IDN host, and plus semantics

The result masks serialized credentials and converts the internationalized hostname to its ASCII form without opening or checking the destination.

Input
https://user:secret@例え.テスト:8443/docs?q=C%2B%2B+URL
Output
https://[REDACTED]@xn--r8jz45g.xn--zckzah:8443/docs?q=C%2B%2B+URL

Browser URL serialization, decoded views, and trust boundaries

The parser uses the platform URL implementation. That parser serializes a normalized href: schemes and hostnames may be lowercased, Unicode hostnames become ASCII Punycode, some characters become percent escapes, a missing root path may become /, and explicit default ports can disappear.

Absolute mode requires a scheme. Reference mode calls the same URL algorithm with one explicit HTTP or HTTPS base, so /path replaces the base path, ../ moves one level, ?query keeps the base path, and an already absolute input ignores the base.

Path segments, query entries, and the fragment retain a raw serialized form. Separate decoded views never replace the normalized URL. Query values use application/x-www-form-urlencoded behavior through URLSearchParams, including raw + to space and %2B to plus.

Malformed percent syntax and percent bytes that are not valid UTF-8 are reported instead of being presented as clean decoding. Empty ampersand segments, empty keys, empty values, missing equals signs, repeated decoded keys, and empty path segments remain observable.

The parser does not make a network request. Credential masking affects result serialization only, operational analytics contain aggregate counts rather than URL text, and successful syntax parsing is not a security, reputation, DNS, TLS, redirect, or availability check.

Frequently Asked Questions

Can the parser handle relative URLs?

Absolute mode requires a scheme such as https:. Reference + base accepts references such as /path, ../path, ?query, or #fragment and resolves them against one explicit HTTP or HTTPS base URL.

Does parsing change or decode the URL?

The normalized URL and raw path, query, and fragment remain visible. Path segments and fragments are decoded separately. Query entries show both raw text and URLSearchParams-style decoded keys and values, where + means space.

Are duplicate query parameters overwritten?

No. Repeated decoded keys remain separate and in source order. The report lists every entry number and summarizes duplicate keys because server frameworks can apply different first, last, or list behavior.

How are credentials and secrets handled?

Masking is on by default for serialized usernames and passwords in result cards, copy, and download text. It does not hide the original input field or automatically identify tokens inside query values.

Does a successful parse prove that a URL is safe or reachable?

No. The tool uses the browser URL parser locally and never navigates to the destination. A syntactically parsed URL can still be unreachable, deceptive, malicious, expired, or unsafe to visit.

What size and output limits apply?

Input is limited to 262,144 Unicode characters and 524,288 UTF-8 bytes. A result can contain at most 1,000 path segments and 1,000 non-empty query entries so a pasted URL cannot create unbounded output.

How This Tool Was Verified

Maintained and tested by Reviewed

Method: To check “Normalize a callback while preserving a nested target and repeated state”, we used URL Parser and Analyzer with the guide's exact source data and applied “Compare input with browser normalization”. The output had to match the documented result; evidence for “Editing before capturing the original” and “Using normalized text as signature evidence” was reviewed before recording the check.

Expected result: The normalized callback lowercased the host, removed default HTTPS port 443, and retained the encoded nested target, both state values, and #complete fragment.

Sources and standards

Open the tested workflow

Related workflow guides

Use these focused guides when you need a practical workflow before opening the tool.

Workflow guide

Analyze a Content-Security-Policy header before deployment

Use this workflow when a CSP blocks an expected resource, a candidate policy produces noisy reports, or a proxy changes the header you intended to ship. It combines local policy parsing with browser violation evidence and a final deployed-edge check, without treating static findings as a security certificate.

Workflow guide

Debug encoded query parameters without double-decoding them

Use this workflow when a callback, search link, webhook, or API request changes plus signs, repeated keys, JSON string escapes, or a nested return URL after more than one parser touches it.

Workflow guide

Fix broken URL query parameters

Use this workflow when a query string is present but the receiving app reads the wrong value, loses a parameter, or treats encoded text as literal data. The goal is to identify the broken layer before rebuilding the link, not to repeatedly encode the entire URL until it appears to work.

Workflow guide

Inspect HTTP response headers before debugging APIs

Use this workflow when a browser request, API response, redirect, or CDN cache behaves differently than expected and you need a bounded, redacted header-level record before editing configuration.

Workflow guide

Convert an international domain to Punycode for DNS checks

Use this workflow when an internationalized hostname appears as readable Unicode in one place and xn-- ASCII labels in another, and you need a precise comparison without confusing conversion with registration or security approval.

Workflow guide

Convert an HTML article to GFM Markdown and verify it before publishing

HTML-to-Markdown conversion can remove repetitive rewriting, but a publishable migration also needs content isolation, trust-boundary review, asset relocation, and a real destination preview. This workflow converts one article or documentation section, checks every removed or preserved structure, replaces unsafe links and interactive controls, moves images, and verifies the finished file with the renderer that will actually publish it.

Workflow guide

Create a QR Code for a Link That Scans Reliably

Use this workflow when a website, form, menu, event page, or support link must move from paper, packaging, a PDF, or a presentation into a phone without relying on a tracking or redirect service.

Workflow guide

Check the final response security headers before launch

Use this workflow to turn a curl -I or DevTools capture into repeatable release evidence. It checks the final response locally, separates enforced CSP from Report-Only monitoring, preserves deployment context, and ends with live verification plus the application checks that response headers cannot cover.

Workflow guide

Create URL slugs and preserve existing links

A slug generator can produce a consistent path-segment candidate, but it cannot own the route or protect a published address. This workflow records the target platform and current URLs, chooses an explicit Unicode or ASCII convention, reviews transliteration and encoded length, checks duplicates and reserved names in the real namespace, and treats redirects, canonical metadata, internal references, sitemap updates, monitoring, and rollback as required parts of any live URL change.

Workflow guide

Extract and convert timestamps from API logs

Use this workflow to turn a small, redacted log or payload sample into reviewable timestamp rows while preserving field names, source lines, exact epoch precision, and explicit unit decisions.

Workflow guide

Encode one URL query value without breaking the outer link

Use this workflow when data inside one query parameter contains spaces, ampersands, equals signs, Unicode, a plus sign, or another complete URL.

Workflow guide

Diagnose and recover one double-encoded query value

Use this workflow when a callback, webhook, proxy, SDK, or copied link contains `%252F`, `%2520`, `%253A`, or another sign that a percent sign was encoded again.

Workflow guide

Debug a callback URL without losing query order or encoding evidence

Use this workflow when an OAuth, SSO, webhook, campaign, or application callback looks correct in a browser but the receiving system reads another path or parameter value.

Related Tools

Continue with another maintained workflow

Browse All Tools