URL Safe Characters (Unreserved Characters)

RFC 3986 defines a set of "unreserved characters" that may appear in any part of a URL without percent encoding. These are the only characters that are universally safe in all URL components (scheme, host, path, query, fragment).

The unreserved characters:

A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
a b c d e f g h i j k l m n o p q r s t u v w x y z
0 1 2 3 4 5 6 7 8 9
- _ . ~

That is: uppercase letters, lowercase letters, digits, hyphen, underscore, period, and tilde. Nothing else is universally safe.

JavaScript verification:

// These characters pass through encodeURIComponent unchanged:
encodeURIComponent("AZaz09-_.~") // "AZaz09-_.~"

// These common characters DO require encoding:
encodeURIComponent(" ")   // "%20"
encodeURIComponent("!")   // "!"  (exception: encodeURIComponent preserves ! ~ * ' ( ))
encodeURIComponent("/")   // "%2F"
encodeURIComponent("@")   // "%40"

Note about encodeURIComponent() exceptions: JavaScript's encodeURIComponent() does not encode ! ' ( ) * in addition to the unreserved set. These characters are safe in most contexts but are technically reserved sub-delimiters under RFC 3986. For strictest compliance (e.g., OAuth signature base strings), you may need to manually encode these as well.

Practical guidelines for URL-safe strings:

• Slugs and identifiers: Use only lowercase letters, digits, and hyphens (e.g., my-blog-post)
• File names in URLs: Replace spaces with hyphens, remove special characters
• API keys and tokens: Use Base64url encoding (A-Z, a-z, 0-9, -, _) for URL-safe tokens
• Query parameter values: Always encode unless you are certain the value contains only unreserved characters

Reserved characters that are safe in specific positions:

• / is safe in paths (as a separator) but must be encoded in parameter values
• ? is safe as the query string delimiter but must be encoded in parameter values
• # is safe as the fragment delimiter but must be encoded everywhere else
• & and = are safe as query parameter delimiters but must be encoded in values

Pitfall: Do not assume that a character is safe just because your browser displays it correctly in the address bar. Browsers perform their own encoding and decoding for display purposes. The only truly safe characters are the 66 unreserved characters listed above. When in doubt, encode it.