URL Encode Equals Sign (=)

The equals sign (=) is a reserved character in URLs that separates parameter keys from their values in query strings. When a literal equals sign appears inside a parameter value, it must be encoded as %3D to prevent the URL parser from misinterpreting the structure.

Percent-encoded form: %3D represents the equals sign (ASCII code 61, hexadecimal 0x3D). This tells the parser that the = is part of the data, not a key-value delimiter.

Where this matters most: Base64-encoded strings frequently end with one or two = padding characters. If you pass a Base64 string as a query parameter without encoding, the trailing = signs corrupt the parameter parsing.

For example, the Base64 string SGVsbG8= passed as /api?data=SGVsbG8= would be parsed as: key data with value SGVsbG8, followed by a malformed parameter. The correct form is /api?data=SGVsbG8%3D.

JavaScript behavior:

encodeURIComponent("SGVsbG8=")  // "SGVsbG8%3D"
encodeURI("data=SGVsbG8=")      // "data=SGVsbG8=" (does NOT encode =)

// URLSearchParams handles it automatically
const params = new URLSearchParams({ data: "SGVsbG8=" });
params.toString() // "data=SGVsbG8%3D"

Common scenarios:

• Passing Base64-encoded tokens or payloads as URL parameters
• Embedding mathematical expressions in URLs (e.g., equation=x=5)
• Forwarding URL fragments that contain their own key-value pairs
• OAuth and authentication flows where tokens may contain = padding

Pitfall: Many developers forget that Base64 output contains = characters. When embedding JWTs or API keys in URLs, always encode the value. Alternatively, use Base64url encoding (RFC 4648 Section 5), which replaces + with -, / with _, and strips = padding entirely, making values inherently URL-safe.