obfus.link

URL Parser splits any URL into protocol, host, port, path segments, query parameters, and hash fragment. Deep query mode decodes nested JWT tokens, base64 state values, URL-encoded redirects, and JSON strings recursively. Security flags catch credentials in query strings, open redirect risks, plain HTTP, and excessively long parameter values automatically.

Tier 2analyzers✓ TDD Verified

URL Parser

Parse any URL into components with deep query decoding and security analysis

How to use

  1. Paste URLEnter any URL in the input field — absolute URLs with protocol (https://) are required.
  2. Choose optionsEnable 'Decode percent-encoding' to see human-readable values. Enable 'Deep query parse' for OAuth URLs, JWT links, and complex redirect chains.
  3. Run parserClick Parse URL or press Ctrl+Enter. Components appear in labeled sections.
  4. Review security flagsCheck the security flags panel for credentials in query strings, open redirect risks, and HTTP warnings.
Read technical article

MCP / API

Call url_parser directly from any MCP-compatible agent:

// MCP TypeScript SDK
const result = await client.callTool({
  name: "url_parser",
  arguments: {
    "url": "...",
    "decode": false,
    "deepQueryParse": false
  }
});

// curl
curl -X POST https://obfus.link/mcp \
  -H "Authorization: Bearer <SPT>" \
  -H "Content-Type: application/json" \
  -d '{"method":"tools/call","params":{"name":"url_parser","arguments":{"url":"...","decode":false,"deepQueryParse":false}}}'

Related tools

JWT Hardener
Audit and harden JWT tokens with security scoring and diff output
Base64 Codec
Encode, decode, and identify base64 with auto-detection
Epoch Converter
Convert any date format to all others with multi-timezone output

FAQ

What does deep query parse detect?

JWT tokens (three base64url segments — header and payload are parsed to JSON), base64-encoded state parameters (decoded and identified), nested URL-encoded URLs (decoded to full URL string), and JSON strings embedded in query values.

Which security issues are flagged?

Credentials in query params (password, token, api_key, client_secret, etc.), open redirect risks where redirect_uri points to an external domain, excessively long parameter values, credentials in the URL userinfo component (user:pass@host), and plain HTTP (non-HTTPS) URLs.

Does it handle URLs with malformed percent-encoding?

Yes. Malformed percent sequences (like %ZZ) are handled gracefully — decoding falls back to the raw value rather than throwing an error.

What if the URL has no protocol?

A protocol is required for correct parsing. The tool returns valid:false for URLs without a protocol (e.g. "example.com/path"). Prepend https:// before calling the tool.

Can I use this tool via the MCP API?

Yes. The tool is registered on the obfus.link MCP server at https://obfus.link/mcp. Call it from any MCP-compatible agent with a Shared Payment Token. The MCP tool name matches the snake_case slug shown in the integration snippet.