Free URL Builder

Anatomy of a URL, component by component

The grammar that defines every URL on the web lives in RFC 3986 «Uniform Resource Identifier (URI): Generic Syntax» (Berners-Lee, Fielding, Masinter, January 2005). Browsers actually use a slightly more forgiving variant defined in the WHATWG URL Living Standard. Both agree on the components:

• Scheme: https, http, ftp, mailto, data, tel, sms, magnet, plus custom app schemes (myapp://). RFC 3986 requires lowercase; WHATWG canonicalises. The IANA URI Scheme registry has the official list of registered schemes.
• Authority: userinfo@host:port. The user:password@ embedded-credentials form is deprecated for security: Chrome 64 (January 2018) blocks subresource loads with credentials in the URL because they enabled phishing tricks.
• Host: a domain name or IP literal. Internationalised domain names like президент.рф are converted to ASCII via Punycode (RFC 3492, March 2003): that example becomes xn--d1abbgf6aiiy.xn--p1ai. Browsers do the conversion transparently for display.
• Port: only included when non-default for the scheme. Defaults: 80 (http), 443 (https), 21 (ftp), 22 (ssh), 25 (smtp), 5432 (postgres), 3306 (mysql), 6379 (redis).
• Path: slash-separated segments. Each segment percent-encodes anything outside the pchar set defined in RFC 3986 §3.3. The dot-segments . and .. have removal semantics (§5.2.4).
• Query: by convention key-value pairs separated by &, but RFC 3986 says only «opaque string after ?». The convention is formalised in the WHATWG application/x-www-form-urlencoded algorithm.
• Fragment: everything after #. Never sent to the server. Used by single-page-application routers, anchor links, and OAuth implicit-flow tokens.

Percent-encoding: the + versus %20 trap

RFC 3986 §2.3 defines the unreserved characters that never need encoding: A-Z a-z 0-9 - . _ ~. Everything else, when it appears as data inside a URL component, becomes %XX where XX is the byte's hex value. Multi-byte UTF-8 characters expand to multiple percent-triplets: é (U+00E9, UTF-8 C3 A9) encodes as %C3%A9. The classic gotcha is the space character: in a regular URL path or fragment, space encodes as %20; in form-encoded query strings (the application/x-www-form-urlencoded algorithm shared by HTML forms and the WHATWG query-string serialiser), space encodes as +. A server decoding form data converts + back to space; a server treating the query as a generic URI does not. Mixing the two conventions silently corrupts data. The safe pattern in JavaScript: use new URLSearchParams for queries and encodeURIComponent for individual values; the spec compliance is taken care of for you.

Where you actually need a URL builder

• UTM-tagged marketing links for Google Analytics (Urchin Tracking Module, in GA since 2005): the five canonical parameters are utm_source, utm_medium, utm_campaign, utm_content, utm_term, all lowercase per Google's own guidance.
• OAuth 2.0 authorisation requests (RFC 6749, October 2012): the spec mandates response_type, client_id, redirect_uri, scope, state as query parameters on the authorisation endpoint.
• Mobile deep links: an app:// scheme that the OS routes to your installed app instead of the browser, or an Android App Link / iOS Universal Link served from your domain.
• API client testing: https://api.example.com/v2/users?expand=projects&since=2024-01-01. Hand-typing these consistently fails at the «space inside a value» step.
• CDN cache busters: ?v=2026-05-12-1 appended to static-asset URLs so a deploy invalidates the cached version. The query string is part of the cache key.
• Image-transformation services (Cloudinary, imgix, Cloudflare Images): the transformation is encoded as query parameters or path segments. A typical call looks like ?w=800&q=85&fm=webp.
• Email templates where the landing page reads parameters via JS, often combining UTM tags with a unique token or uid for per-recipient tracking.

Common mistakes

• Forgetting to encode & inside a value. A value «cats & dogs» dropped into ?species=cats & dogs becomes a key species with value cats plus a stray empty key. Always pass through encodeURIComponent.
• Double-encoding. Calling encodeURIComponent on an already-encoded string turns %20 into %2520. Easy when a value passes through two systems that each «defensively encode».
• Trailing-slash mismatch. RFC 3986 says https://example.com/api and https://example.com/api/ are different resources. Most REST APIs treat them identically, but some return 308 redirects; pick one canonical form and document it.
• Mixing + and %20. Form-encoded query strings use + for space; generic percent-encoding uses %20. A path with literal + survives copy-paste but fails when a form-decoder reads it.
• Embedded credentials. https://user:pass@example.com is deprecated and blocked for subresource loads in Chrome 64+. Use the Authorization header.
• IDN spoofing. Cyrillic «а» (U+0430) is visually identical to Latin «a». Browsers display Punycode when a domain mixes scripts, but a manually-constructed URL pointing to аpple.com (Cyrillic а) opens a different site than apple.com. Use Punycode (xn--...) for safety, or stick to ASCII.
• Adding // after schemes that don't use it. mailto:, tel:, sms:, magnet: all skip the // and go straight to the path. mailto:user@example.com is correct; mailto://... is not.

More frequently asked questions

What is the maximum length of a URL?

RFC 3986 sets no limit. In practice: browsers cap at about 2,000 characters for the address bar (Internet Explorer 11 was 2,083; Chrome and Firefox tolerate longer but truncate display); most CDNs and proxies cap at 4,096 or 8,192; servers like Apache and Nginx default to 8,192 bytes for the request line. If you need more than 2,000 characters, switch to POST body.

Can I include the same query parameter multiple times?

Yes. ?tag=red&tag=blue&tag=green is valid. How the server interprets it depends on the framework: Express / Node.js parses to req.query.tag = ['red', 'blue', 'green']; PHP needs the bracket convention ?tag[]=red&tag[]=blue; Rails parses to an array if you use tag[] brackets. The URLSearchParams.getAll('tag') method always returns all values as an array regardless of bracket style.

Do query parameters affect SEO?

Tracking parameters (UTM, fbclid, gclid) generally do not affect organic search rankings. The risk is duplicate-content indexing: a tagged URL and its clean version look like two different pages to a crawler. The fix is a <link rel=\"canonical\" href=\"clean-url\"> tag pointing every tagged variant at the same canonical URL.

What is a URI Template, and should I use one?

RFC 6570 (March 2012) defines URI Templates: a syntax for parameterised URLs with placeholders. They're used in OpenAPI / Swagger specs, JSON Hyper-Schema, and some HATEOAS APIs. For everyday URL construction, plain string concatenation through this builder is simpler; URI Templates shine when documenting an API surface and generating client SDKs.

Is anything sent to a server?

No. Every component you type, the encoding, and the final URL are constructed in your browser's JavaScript. No network call is made to assemble the URL. Open the Network tab in DevTools and try the tool: you will see zero outgoing requests during construction.