URL Encode Reserved Characters – Protect Webhooks from Injection

Encode reserved characters so payloads survive every layer of routing

Reserved characters like # cut off webhook payloads when forwarded through gateways. A # in a parameter value signals the start of the URL fragment — everything after it is stripped before the request reaches the destination server. The fix is encoding: # becomes %23, and every downstream router treats it as data rather than a URL structural character.

The twelve reserved characters defined by RFC 3986 — !, *, ', (, ), ;, :, @, &, =, +, $, ,, /, ?, #, [, ] — all have specific meanings in URL syntax. When any of them appears as data inside a parameter value, it must be percent-encoded before the value is added to the URL. A URL encoder handles this conversion for any input, regardless of which reserved characters it contains.

# Unencoded — # truncates the payload at the gateway
callback_data=order#12345&status=completed&sig=abc123
# Gateway sees: callback_data=order  (everything after # is a fragment and stripped)

# After encoding the callback_data value
callback_data=order%2312345%26status%3Dcompleted%26sig%3Dabc123
# Gateway correctly forwards the entire value as a single parameter

Quick summary

  • Reserved characters have structural meaning in URLs — they must be encoded when used as data.
  • A single # in a parameter value truncates the URL at every proxy and browser that handles it.
  • Percent-encoding converts reserved characters to %XX sequences that are safe in any URL context.
  • DevToolBox tools run entirely in your browser — no signup.

What It Is

Percent-encoding reserved characters converts each reserved byte to a % followed by two uppercase hex digits representing its ASCII value. # becomes %23, & becomes %26, = becomes %3D. The encoded value contains only characters that are safe in any URL component — no structure is implied, and no router or proxy will interpret the value as URL syntax.

RFC 3986 divides URL characters into three categories: unreserved (safe anywhere, no encoding needed), reserved (structural meaning, must encode when used as data), and others (must always encode). Encoding all reserved characters in a parameter value produces a string that is unambiguous in every URL context.

Why Developers Use This

  • Webhook payload forwarding. Payment and event platforms forward webhook data through URL parameters. If the payload contains order IDs, product names, or status strings with reserved characters, encoding prevents the gateway from truncating or misrouting the request.
  • Building signed URLs. HMAC-signed URLs embed a signature as a query parameter. Signatures in Base64 standard encoding contain + and /, which are reserved characters. Encoding them (or switching to URL-safe Base64) prevents the signature from being interpreted as URL structure. See our guide on URL encoding and decoding for a full explanation of which characters require encoding.
  • Passing structured data in query strings. APIs that accept JSON or key-value pairs as query parameters must encode every reserved character in the values to prevent parsers from splitting them at delimiter characters.
  • Constructing deep link URLs. Mobile and web deep links often carry destination paths with / characters as parameter values. Encoding the path ensures it is read as data rather than treated as additional path segments.
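
The signed-URL case above, as an added example that is not part of the original page or the DevToolBox tool. It shows a standard Base64 signature being altered by a query parser (`+` is read as a space) and the two fixes the text names. The signature value, hostname and function names are constructed for illustration.

```javascript
// Constructed sample: a standard-alphabet Base64 signature containing + and /.
const SIG_B64 = "q+7/Zk3xT0a+9w==";
const BASE = "https://hooks.example.test/cb?order=42&sig="; // hypothetical endpoint

// The "sig" value as a receiver's query-string parser recovers it.
function receivedSig(url) {
  return new URL(url).searchParams.get("sig");
}

// Fix 1: percent-encode the signature before embedding it as a value.
function sigPercentEncoded(sig) {
  return encodeURIComponent(sig);
}

// Fix 2: URL-safe Base64 (RFC 4648 section 5): + becomes -, / becomes _,
// and the = padding is dropped.
function toBase64Url(sig) {
  return sig.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Receiver side of fix 2: restore the standard alphabet and padding.
function fromBase64Url(sig) {
  const std = sig.replace(/-/g, "+").replace(/_/g, "/");
  return std + "=".repeat((4 - (std.length % 4)) % 4);
}

// Unencoded: every + arrives as a space, so the comparison with the
// expected signature fails even though the sender signed correctly.
const corrupted = receivedSig(BASE + SIG_B64);

// Percent-encoded: the parser decodes %2B, %2F and %3D back to + / =.
const viaPercent = receivedSig(BASE + sigPercentEncoded(SIG_B64));

// URL-safe Base64: nothing in the value needs encoding at all.
const viaUrlSafe = fromBase64Url(receivedSig(BASE + toBase64Url(SIG_B64)));

console.log({
  corrupted,
  corruptedMatches: corrupted === SIG_B64,
  viaPercentMatches: viaPercent === SIG_B64,
  viaUrlSafeMatches: viaUrlSafe === SIG_B64,
});
```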

Common Reserved Character Errors

  • Unencoded # truncating the URL. The fragment identifier # causes every browser, proxy, and many server-side URL parsers to discard everything after it. If a parameter value contains #, encoding it is not optional.
  • Unencoded & splitting parameter values. An & inside a value creates a phantom additional parameter. The receiving server parses it as the start of a new key=value pair, splitting what should be a single value into two broken pieces.
  • Double encoding an already-encoded value. Running an already-encoded value through the encoder again converts % to %25, producing %2523 instead of %23. Check the source value before encoding to avoid applying the operation twice.
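
The three errors above, reproduced with the WHATWG URL parser as an added example that is not part of the original page or the DevToolBox tool. The hostname and function names are hypothetical; the payload is the one used earlier on this page.

```javascript
// encodeURIComponent leaves ! ' ( ) * as-is; RFC 3986 lists them as reserved,
// so this wrapper percent-encodes them as well.
function encodeRFC3986(value) {
  return encodeURIComponent(value).replace(
    /[!'()*]/g,
    (c) => "%" + c.charCodeAt(0).toString(16).toUpperCase()
  );
}

// Query pairs as a receiver using the WHATWG URL parser would see them.
function queryPairs(url) {
  return [...new URL(url).searchParams.entries()];
}

// Heuristic: %25 followed by two hex digits in the raw value suggests a
// second encoding pass. Data that really contains "%41" also matches after
// one pass, so confirm against the known source value.
function looksDoubleEncoded(raw) {
  return /%25[0-9A-Fa-f]{2}/.test(raw);
}

const BASE = "https://gateway.example.test/hook?callback_data="; // hypothetical
const PAYLOAD = "order#12345&status=completed&sig=abc123"; // value from the page

// 1. Raw #: the parser moves everything after it into the fragment.
const truncated = queryPairs(BASE + PAYLOAD);
const fragment = new URL(BASE + PAYLOAD).hash;

// 2. Raw &: one intended value becomes two parameters.
const split = queryPairs(BASE + "order-12345&status=completed");

// 3. Encoded once: a single parameter that decodes back to the payload.
const encoded = encodeRFC3986(PAYLOAD);
const intact = queryPairs(BASE + encoded);

// 4. Encoded twice: each % becomes %25, so %23 turns into %2523.
const twice = encodeRFC3986(encoded);

console.log({ truncated, fragment, split, encoded, intact, twice,
  doubleEncoded: looksDoubleEncoded(twice) });
```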

How to Use the URL Encoder

Using the DevToolBox URL Encoder to encode reserved characters in a value takes under a minute.

  1. Open the encoder in your browser. No account, no install.
  2. Paste the parameter value — just the value, not the key= prefix or surrounding URL.
  3. Select Encode mode.
  4. The output replaces every reserved and non-ASCII character with its %XX sequence.
  5. Embed the encoded value in your URL as key=encoded-value and test that the full URL routes correctly through your gateway.

DevToolBox tools run entirely in your browser — nothing you paste is transmitted to any server.

Frequently Asked Questions

Which characters are considered reserved in RFC 3986?

RFC 3986 defines the following as reserved: : / ? # [ ] @ ! $ & ' ( ) * + , ; =. These characters have structural roles in URL syntax. When any of them appears as data inside a component (such as a query parameter value), it must be percent-encoded.

Why does my webhook still fail after encoding the payload?

Check whether the gateway or proxy re-encodes the value when forwarding. Some gateways apply a second round of encoding, which double-encodes the already-encoded value. Inspect the raw request at the destination to see whether the value arrives with %25XX sequences (double-encoded) or %XX sequences (single-encoded).

Should I encode the slash in a URL path segment?

Only if the slash is data, not structure. A path like /orders/12345 has structural slashes — do not encode them. But if an order ID contains a slash (like order/batch/1) and you are passing it as a path segment value, encode the slash to %2F so the router does not interpret it as a path delimiter.

Conclusion

Reserved characters in parameter values are not a problem — until they are forwarded through a gateway that treats them as URL structure. Encoding them before adding to a URL is the only way to guarantee the value arrives intact at every layer of the HTTP stack. A single # in an order ID can silently truncate an entire webhook payload; encoding it takes one second.

If you need a fast URL encoder that handles all reserved and non-ASCII characters, DevToolBox does exactly that. DevToolBox tools run entirely in your browser — no signup, no install, nothing sent to a server.
