Skip to content
Docs

Character Restrictions for API Contexts

Character Restrictions for API Contexts

ContextAllowed CharactersCharacters to AvoidNotes
Subdomainsa-z, 0-9, -A-Z (use lowercase), _, ., control chars (0–31, 127), spaces, /, ?, #, etc.DNS (RFC 1123) restricts to alphanumeric and hyphen. Max 63 chars per label.
URL Patha-z, 0-9, -, _, ., ~/, ?, #, [, ], @, !, $, &, ', (, ), *, +, ,, ;, =, control chars, spacesUnreserved chars need no encoding (RFC 3986). Avoid reserved chars.
Query Parametersa-z, 0-9, -, _, ., ~&, =, #, +, spaces, control charsReserved chars need encoding. Avoid ambiguity in key-value parsing.
Cookies (Key)a-z, 0-9, -, _=, ,, ;, spaces, control chars, .Dots may cause issues in some parsers. Avoid reserved cookie chars.
Cookies (Value)a-z, 0-9, -, _, .,, ;, spaces, control charsValues are more permissive but avoid separators and control chars.
Headersa-z, 0-9, -, _, .Control chars, spaces (at start/end), non-ASCIIHeaders are sensitive to whitespace and control chars (RFC 7230).
JSON Keysa-z, 0-9, -, _., spaces, control chars, quotes, backslashesDots may cause issues in some JSON parsers. Ensure proper escaping.
Database Fieldsa-z, 0-9, -, _, .Control chars, quotes (unless escaped), <, >Escaping required for SQL. Avoid chars that risk injection.
Account LabelsA-Z, a-z, 0-9, space, -, _, ., ,, ', :, !Control chars (0–31, 127), <, >, &, ", \Permissive for display but avoid XSS and parsing risks.

Notes

  • Account References: Use a-z, 0-9, - for maximum compatibility across subdomains, URLs, cookies, headers, and JSON keys.
  • Account Labels: Allow broader set for display but sanitize for React rendering and escape for JSON/SQL storage.
  • Length Limits: Subdomains ≤ 63 chars (per label), labels ≤ 255 chars, others depend on system (e.g., S3 key ≤ 1024 chars).
  • Case Sensitivity: Recommend lowercase for account references (DNS is case-insensitive). Labels can be case-sensitive.