Everything runs in your browser. No data is sent to any server.

URL Anatomy is a privacy-first URL analyzer and debugger for developers, marketers, and data teams. Paste any URL, cURL, or JSON to instantly break it down into readable parts in your browser. Learn more

URL Anatomy is a privacy-first URL analyzer and request debugger. Paste a URL, cURL command, or raw JSON payload to decode protocols, hosts, paths, query parameters, headers, JWTs, timestamps, and more — all client-side, without sending data to any server. Use it to debug API calls, understand tracking parameters, clean messy URLs for SEO, and safely inspect tokens in your browser. Learn more

Documentation, guides & FAQ

Keep the top of the page focused on the input and results. If you want the long-form explanation (for SEO/ADS and for users who want details), scroll down.

Learn page

How URL Anatomy works

Copy a URL, cURL command, or JSON payload from your browser, logs, or API client.
Paste it into the input above. The tool automatically detects the format.
Review the decoded structure: protocol, host, path segments, query parameters, headers, and body.
Edit any path segment, query parameter, header, or JSON field directly in the table views.
Copy the updated URL or cURL command back into your workflow when you are done.

For a deeper explanation of JWT debugging, timestamp conversion, and security checks, visit the Learn page.

Quick answers

Is my data sent anywhere?

No. All decoding and analysis runs in your browser. We do not send, store, or log the URLs, tokens, or JSON payloads that you paste into the tool.

Who is this tool for?

URL Anatomy is built for developers, SREs, security engineers, analysts, and marketers who work with complex URLs, redirects, tracking parameters, and API requests.

What you can do with URL Anatomy

Decode and inspect full URLs

Paste any URL to see a structured breakdown of its protocol, host, path, query string, and fragment. Quickly copy a clean version of your link without unnecessary query parameters or tracking tags.

Analyze cURL commands for APIs

Drop in a complete cURL command to automatically extract the HTTP method, endpoint URL, headers, and JSON payload. Edit any part of the request and copy back a valid command for your API debugging workflow.

Inspect and beautify JSON payloads

Format and explore raw JSON from API responses, webhooks, or logs. Highlight keys and values to quickly understand nested structures and spot issues in your data.

Detect and decode JWTs and timestamps

Automatically detect JSON Web Tokens (JWTs) and common timestamp formats embedded in URLs, headers, or JSON bodies. Decode them locally in your browser to understand what data is being passed around.

Clean tracking parameters and UTM tags

Separate marketing and analytics parameters like UTM tags, gclid, and fbclid from essential query parameters. Generate a clean, shareable URL that is easier to read, better for SEO, and more privacy-friendly.

Debug URLs for SEO, analytics, and security

Use URL Anatomy as a URL debugger to see exactly how your links are constructed. Catch broken query strings, duplicated parameters, and incorrect encodings that can affect analytics accuracy, user experience, and search performance.

Explore our guides

How to decode JWT securely Understanding URL tracking parameters Timestamp converter & URL decoder

Technical Documentation & FAQ

Introduction: Client-Side Privacy

URL Anatomy is built on a client-side privacy model: all parsing, decoding, and analysis run entirely in your browser. No URL, cURL, JSON, JWT, or pasted payload is sent to our servers or any third party. This design choice has direct implications for security and compliance.

Traditional server-side decoders (e.g. many "JWT debugger" or "URL parser" tools) send the input to a backend, where it may be logged, stored, or processed for analytics. That creates exposure: sensitive tokens, API keys in query params, or PII can leak. By contrast, a client-side implementation keeps the data on the device. The only network requests are for static assets (HTML, JS, CSS) and optional ads; the actual user content never leaves the user agent.

For developers handling production JWTs, staging URLs with credentials, or links containing tracking parameters, this means you can safely paste and inspect without trusting a remote service. The tool works offline after the initial load, reinforcing that no live server dependency is required for core functionality.

What you can paste: URL, cURL, or JSON

The input accepts three types of content. URLs are parsed into protocol, host, path, and query; each parameter is decoded and analyzed (JWT, timestamps, UUIDs, tracking params, etc.). cURL commands are recognized automatically: we extract the URL, HTTP method, headers (e.g. Authorization decoded when possible), and request body. Raw JSON (e.g. a request body) opens the same structured view as a cURL payload: formatted JSON, detected fields, and per-field edit/copy/generate.

All processing stays in your browser. Use one input for URLs, API snippets, or JSON payloads—no switching tools.

URL Anatomy: Protocol, Host, Path, Query & Fragment

Structure overview

A URL is parsed into well-defined components. The scheme (e.g. https:) defines the protocol. The host (authority) includes the domain and optional port (e.g. :443). Omitting the port uses the default for the scheme (443 for HTTPS, 80 for HTTP).

The path is the hierarchical part after the host, e.g. /api/v1/users. Path segments are often used for routing and resource IDs. The query string (after ?) holds key-value pairs (e.g. ?utm_source=google). Values must be percent-encoded when they contain reserved characters. The fragment (after #) is client-only and is not sent to the server in HTTP requests; it is commonly used for in-page anchors or client-side routing.

Understanding this anatomy is essential for debugging redirects, building correct query params, and avoiding security issues (e.g. open redirects or sensitive data in query strings). This tool surfaces each component so you can verify encoding, detect tracking parameters, and validate structure.

Deep Dive: JWT Structure (Header.Payload.Signature)

Three parts

A JSON Web Token is composed of three Base64url-encoded segments separated by dots: Header.Payload.Signature. The header typically contains alg (e.g. HS256, RS256) and typ (JWT). The payload holds claims (e.g. sub, exp, custom data). The signature is computed over Header.Payload using the algorithm and secret or public key.

Decoding the payload (Base64url decode then JSON parse) is not a security operation: anyone can do it. JWTs are designed to be readable; integrity and authenticity are guaranteed by the signature. Verifying the signature requires the secret (symmetric) or the correct public key (asymmetric). Without that key, you cannot confirm that the token was issued by a trusted party or that it was not tampered with. Therefore: decoding here is safe and useful for inspection and debugging; it does not imply that the token is valid. Always verify signatures in your backend before trusting any claim.

Be cautious with tokens in URLs (e.g. in query params or fragments). They can be logged in server access logs, stored in browser history, or leaked via Referer. Prefer sending JWTs in headers (e.g. Authorization: Bearer <token>) in production.

Security Analysis: XSS, Open Redirects & Sensitive Params

Risks in URLs

XSS (Cross-Site Scripting): If a URL or its components (e.g. query params, fragment) are reflected into the page without proper encoding, an attacker can inject scripts. For example, ?q=<script>...</script> can execute if the value is written into the DOM as HTML. Defenses include strict output encoding (e.g. textContent, or safe HTML sanitization) and Content-Security-Policy.

Open redirects: A parameter like redirect= or url= that is used to send users to another URL can be abused if the target is not validated. Attackers can use your domain in phishing links (e.g. yoursite.com?redirect=https://evil.com). Always whitelist allowed redirect hosts or paths and reject any external or absolute URLs unless explicitly allowed.

Sensitive data in query params: Passwords, API keys, or tokens in query strings are dangerous: they appear in server logs, browser history, and Referer headers. Prefer POST bodies or secure headers for secrets, and never log or expose full URLs that contain credentials. This tool helps you spot such parameters so you can remove or refactor them.

Marketing & Tracking: UTMs, fbclid, gclid

Tracking parameters

UTM parameters (utm_source, utm_medium, utm_campaign, etc.) are used for campaign attribution. They tell analytics tools where traffic came from. They are not inherently malicious but add noise and can be used for tracking. fbclid (Facebook) and gclid (Google Ads) are click identifiers that enable ad platforms to attribute conversions; they also extend the URL and can be used for cross-site tracking.

Removing these parameters when sharing or bookmarking links reduces tracking surface, shortens the URL, and avoids leaking referral context to third parties. Many users prefer "clean" links for documentation, support tickets, or internal sharing. This tool detects common marketing and tracking params and can output a stripped URL for copying. Note: stripping tracking params may break some analytics or attribution flows if you rely on them; use consciously depending on your use case.

From a privacy perspective, minimizing the number of identifiers (including in URLs) aligns with principles of data minimization and gives users more control over what is shared when they forward or save a link.

FAQ

Is it safe to paste API keys or JWTs here?

Yes. All processing is done in your browser; nothing is sent to our servers. Your API keys, tokens, and URLs never leave your device. We do not log, store, or transmit the content you paste. For extra caution, use the tool in a private or incognito window and avoid pasting in shared screens.

Does this work offline?

After the first load, the core parsing and decoding logic works offline. Static assets are cached by the browser. Optional features that depend on network (e.g. third-party scripts or ads) may not work without connectivity. For local development or air-gapped environments, you can rely on the tool once the page has been loaded.

How does the tool handle URL encoding?

We decode percent-encoded sequences (e.g. %20 → space, %2F → /) in the URL for display and analysis, so you can see the intended values. When we show a "decoded" or "clean" URL, we are presenting a human-readable form; re-encoding may be required if you use the result in a request. For query parameters, we decode keys and values according to the application/x-www-form-urlencoded rules where applicable.

Can I paste a cURL or JSON body?

Yes. Paste a full cURL command and we parse URL, method, headers, and body; headers and payload use the same detectors as query params (e.g. Authorization decoded). Paste raw JSON and you get the same structured view: formatted display, detected fields, nested expansion, and edit/copy/generate. All in-browser.

Changelog

May 29, 2026

Fixed

JSON payload analysis no longer crashes with "URI malformed" when field values contain invalid percent-encoding (e.g. binary or document excerpts pasted inside JSON strings).

May 25, 2026

Fixed

Base64 detection: large replay-style query parameters now preserve literal plus signs and accept URL-safe/unpadded Base64 instead of falling back to URI.

May 21, 2026

Changed

Payload editor: compact timed intro notice beside the Structure sample control when viewing reduced JSON; hover the control or use the info button for details afterward.

Fixed

JSON vs URL detection: JSON pasted in the main input (including SQL-wrapped export blobs) is analyzed as JSON instead of being coerced into a URL; record arrays and stringified nested JSON are unwrapped for display.

May 5, 2026

Added

Payload editor: optional "Structure sample" view that collapses multi-element arrays recursively to a single representative item for lighter copy-paste (e.g. for LLMs) while keeping the full JSON when the option is off.
Home: an inline analyzing state below the main input while debounced analysis runs, with motion and styling aligned to the rest of the UI.

Changed

Payload editor: "Structure sample" is enabled by default for JSON that can be collapsed.
Payload editor: detected fields follow the structure sample when it is on, and show a short loading overlay while the full field list is reconciled after turning the sample off.

March 18, 2026

Added

Payload editor: added a JSON fullscreen viewer with line numbers and type-aware highlighting.
Payload editor: added a popup action to "Use this URL as input" when a field contains a valid URL.

Changed

Home page: reorganized documentation/FAQ below the input/results with clearer session separation while keeping SEO text always available.

March 16, 2026

Added

Expanded Learn page content with detailed guides on how to use URL Anatomy, JWT debugging, timestamp conversion, and URL security reviews.
New How it works and Quick answers sections on the home page to explain the tool, privacy model, and target audience in more detail.

Changed

Improved copy and semantic structure on Learn and Home to provide higher-value, English-first documentation for users and search engines.