May I ask why your client is hand typing the links? That’s probably the bigger question here.
The % symbols are the result of URL encoding:
QH%2FXj%2FfdSHYaB%2FburI8w%3D%3D
Decodes to…
QH/Xj/fdSHYaB/burI8w==
We don’t roll our own encryption, instead we use an established encryption algorithm that is widely adopted and tested across the web. I’m not aware of a specific encryption method that does not use symbols, although any method that uses a smaller character space is going to be inherently less secure.
But again, these links were never intended to be hand typed so it shouldn’t really be an issue.
This is already possible, you can enforce a rule that will require your client to enter their password before viewing the invoice. This setting can be found in the client settings screen.
