
URL Encode Query Parameters – Keep SSO Callbacks Intact

Encode parameters so special characters survive query strings and redirects


Spaces and ampersands inside redirect parameters break SSO callback URLs. When a redirect_uri contains an unencoded &, the OAuth server reads it as a query string delimiter and splits the URL at that character — so redirect_uri=https://app.example.com/callback&session=abc becomes two separate parameters instead of one. Encoding every parameter value before adding it to a URL prevents the receiving server from misinterpreting the structure.

The rule is straightforward: any character that has structural meaning in a URL (&, =, #, ?, /, :) must be percent-encoded when it appears as data inside a parameter value. A URL encoder converts every non-unreserved character to its %XX hex representation, producing a value that is safe to embed in any query string position.

# Unencoded — breaks at the & character
redirect_uri=https://app.example.com/callback?session=abc&user=alice

# After encoding the redirect_uri value
redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback%3Fsession%3Dabc%26user%3Dalice

# The OAuth server now reads the full URL as a single parameter value
# and routes the callback correctly
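
How a standards-based query parser on the receiving side sees the two forms above, as an added example that is not part of the original page. The idp.example.com endpoint, the function names and the sample values are assumptions made for illustration.

```javascript
// Constructed sample data: a hypothetical authorization endpoint and the
// callback URL from the sample above.
const AUTHORIZE = "https://idp.example.com/authorize";
const CALLBACK = "https://app.example.com/callback?session=abc&user=alice";

// Weak: the raw callback is concatenated into the outer query string.
function buildUnencoded(callback) {
  return `${AUTHORIZE}?response_type=code&redirect_uri=${callback}`;
}

// Correct: only the value is percent-encoded; the outer & and = stay
// as delimiters.
function buildEncoded(callback) {
  return `${AUTHORIZE}?response_type=code&redirect_uri=${encodeURIComponent(callback)}`;
}

// Parse the URL the way the receiving server would and return every
// top-level parameter it ends up with.
function receivedParams(url) {
  const out = {};
  for (const [key, value] of new URL(url).searchParams) out[key] = value;
  return out;
}

// Sender-side check before redirecting: redirect_uri must decode back to
// the intended callback, and no extra top-level parameters may appear.
function roundTrips(url, expectedCallback, expectedKeys) {
  const params = receivedParams(url);
  const got = Object.keys(params).sort().join(",");
  const want = [...expectedKeys].sort().join(",");
  return params.redirect_uri === expectedCallback && got === want;
}

const KEYS = ["response_type", "redirect_uri"];
console.log(receivedParams(buildUnencoded(CALLBACK))); // truncated value plus a stray "user"
console.log(roundTrips(buildUnencoded(CALLBACK), CALLBACK, KEYS));
console.log(roundTrips(buildEncoded(CALLBACK), CALLBACK, KEYS));
```

In the unencoded form the stray user parameter is promoted to the outer request, so the check rejects the URL both for the truncated redirect_uri and for the unexpected key.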

Quick summary

  • Unencoded & and = characters inside parameter values break query string parsing.
  • URL encoding converts special characters to %XX sequences that are safe in any URL position.
  • OAuth redirect_uri, state, and nonce parameters all require encoding when they contain special characters.
  • DevToolBox tools run entirely in your browser — no signup.

What It Is

URL encoding (percent-encoding) converts characters that are either reserved in URL syntax or outside the ASCII printable range into a %XX hex representation. The encoded value is then safe to use as a query parameter value, regardless of what characters it originally contained.

RFC 3986 defines two categories: reserved characters (;, /, ?, :, @, &, =, +, $, ,) that have structural meaning in URLs and must be encoded when used as data, and unreserved characters (A–Z, a–z, 0–9, -, _, ., ~) that do not need encoding. Everything else — spaces, non-ASCII characters, punctuation — must also be encoded.

Why Developers Use This

  • OAuth and SSO callback URLs. The redirect_uri parameter in OAuth flows often contains a full URL including its own query string. That inner URL must be encoded before being added to the outer authorization URL, or the OAuth server misparses the parameter boundaries.
  • State and nonce parameters. OAuth state parameters carry CSRF tokens or session identifiers that may contain characters requiring encoding. Encoding the value before sending and decoding it after receiving keeps the value intact across the round trip.
  • Embedding JSON in query strings. Some API designs pass JSON objects as query parameters. JSON contains characters ({, }, ", :, ,) that all require encoding. See our guide on URL encoding and decoding for a full explanation of which characters need encoding and why.
  • Webhook and callback forwarding. When forwarding a callback URL through a gateway or proxy, the URL must be encoded so intermediate systems treat it as data rather than parsing its structure.

Common Query Parameter Encoding Errors

  • Double encoding. Encoding an already-encoded value produces %2520 (where %25 is the encoded form of %). The receiver decodes once and gets a %20 instead of a space. Check whether the value is already encoded before encoding it again.
  • Encoding the delimiter characters. Encoding the = between a parameter name and value, or the & between parameters, breaks the query string structure. Only encode the parameter values, not the delimiters between them.
  • Using + for spaces in path segments. The + character encodes spaces in application/x-www-form-urlencoded format (HTML form bodies) but not in URL path segments or RFC 3986-compliant query strings. Use %20 for spaces in URLs to avoid ambiguity.
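
A receiver-side check for two of the errors listed above (double encoding and the + versus %20 ambiguity), as an added example that is not part of the original page. The function names and sample values are assumptions, and the double-encoding test is a heuristic: a value that legitimately contains the text %20 would also be flagged.

```javascript
// Matches one percent-escape such as %20 or %3A.
const PCT = /%[0-9A-Fa-f]{2}/;

// Decode one layer the RFC 3986 way: "+" stays a literal plus sign.
function decodeStrict(raw) {
  return decodeURIComponent(raw);
}

// Decode one layer the application/x-www-form-urlencoded way:
// "+" becomes a space. Expects a single wire value without a raw "&".
function decodeForm(raw) {
  return new URLSearchParams(`v=${raw}`).get("v");
}

// Flag a received value that still holds %XX escapes after one decode,
// which is what a sender that encoded twice produces (%2520 -> %20).
function looksDoubleEncoded(raw) {
  try {
    return PCT.test(decodeURIComponent(raw));
  } catch {
    return false; // malformed escape: a different error, not double encoding
  }
}

// True when the two decoding conventions disagree about a wire value,
// so the sender and receiver may end up comparing different strings.
function isAmbiguous(raw) {
  return decodeStrict(raw) !== decodeForm(raw);
}

// Constructed sample values.
const once = encodeURIComponent("a b");  // "a%20b"
const twice = encodeURIComponent(once);  // "a%2520b"
console.log(looksDoubleEncoded(once), looksDoubleEncoded(twice));
console.log(isAmbiguous("a+b"), isAmbiguous(encodeURIComponent("a+b c")));
```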

How to Use the URL Encoder

Using the DevToolBox URL Encoder to encode a query parameter value takes under a minute.

  1. Open the encoder in your browser. No account, no install.
  2. Paste the parameter value you want to encode — just the value, not the key= prefix.
  3. Select Encode mode.
  4. The output is the percent-encoded value — safe to include in any query string position.
  5. Append it to your URL as key=encoded-value and verify the full URL parses correctly.

DevToolBox tools run entirely in your browser — nothing you paste is transmitted to any server.

Frequently Asked Questions

Should I encode spaces as %20 or +?

Use %20 for strict RFC 3986 compliance, which applies to URLs in general. The + encoding for spaces is specific to the application/x-www-form-urlencoded media type used in HTML form submissions. In OAuth flows and redirect URIs, use %20 to avoid ambiguity — some servers decode + as a literal plus sign rather than a space.

How do I keep HMAC signatures valid when encoding parameters?

Encode the parameter values before computing the HMAC signature. The canonical string used for signing must include the encoded form of the values, matching what will actually be sent in the request. If you encode after signing, the signature will not match the encoded request.

What characters are safe to leave unencoded in a query parameter value?

The unreserved characters — A–Z, a–z, 0–9, hyphen (-), underscore (_), period (.), and tilde (~) — are safe to leave unencoded. Everything else, including spaces, should be percent-encoded to ensure the value round-trips correctly through all URL parsers.

Conclusion

A single unencoded & or = inside a parameter value is enough to break an entire OAuth callback. Encoding the value before embedding it in the URL is a one-step fix that prevents the parser from misinterpreting the data as URL structure — and it prevents the class of SSO and redirect failures that are easy to miss during testing but surface immediately in production.

If you need a fast URL encoder that handles all reserved and non-ASCII characters, DevToolBox does exactly that. DevToolBox tools run entirely in your browser — no signup, no install, nothing sent to a server.
