URL Encode At Sign (@)

The at sign (@) has a special meaning in URLs: it separates the userinfo component (username and optional password) from the host. For example, in ftp://user:pass@host.com, the @ tells the parser where credentials end and the hostname begins. When @ appears as data in other parts of a URL, it must be encoded as %40.

Percent-encoded form: %40 represents the at sign (ASCII code 64, hexadecimal 0x40).

Where @ has special meaning: According to RFC 3986, the @ sign is reserved for the authority component of a URL: scheme://userinfo@host:port/path. Outside of this specific position, an unencoded @ in a URL can confuse parsers about where the host portion begins.

JavaScript behavior:

encodeURIComponent("user@example.com") // "user%40example.com"
encodeURI("user@example.com")          // "user@example.com" (preserves @)

// Passing an email as a query parameter
const email = "user@example.com";
const url = `/api/invite?email=${encodeURIComponent(email)}`;
// "/api/invite?email=user%40example.com"

Common scenarios where encoding is needed:

• Email addresses in query parameters (the most frequent case)
• Twitter/social media handles in URL parameters (e.g., @username)
• Scoped npm package names like @angular/core in registry URLs
• Mailto links embedded as parameter values

Email addresses in paths: Some APIs use email addresses as resource identifiers in paths, like /users/user@example.com/settings. While this works in many implementations, it is technically ambiguous. The safer approach is to encode it: /users/user%40example.com/settings. Alternatively, some APIs accept the email as a query parameter instead.

Pitfall: When constructing URLs for APIs that use email-based lookups, failing to encode @ can cause the URL parser to interpret everything before @ as credentials. For example, https://api.example.com/lookup/admin@company.com might be parsed as a request to company.com with username admin and host derived from the rest. Always encode @ when it appears in path segments or parameter values.