Best practice to sending a URL in JSON response to API call?


We have a REST API endpoint that returns a bunch of external URLs for a
resource
The data is of the format:
{
"resource_data":{
"name":"Dummny Name",
"project_name":"Sinstein",
"logs":" [http://example.com/cdd921b88114158fd34ae54c2b828bb094dd128c/logs](http://example.com/cdd921b88114158fd34ae54c2b828bb094dd128c/logs)          ",
"public_url":" [http://example.com/cdd921b88114158fd34ae54c2b828bb094dd128c?auth_token=dummy_token](http://example.com/cdd921b88114158fd34ae54c2b828bb094dd128c?auth_token=dummy_token)          ",
"video_url":"[http://example.com/cdd921b88114158fd34ae54c2b828bb094dd128c/video-1b6575be8867bfda659b25789c216c268194b2f0.mp4?AWSAccessKeyId=dummyid](http://example.com/cdd921b88114158fd34ae54c2b828bb094dd128c/video-1b6575be8867bfda659b25789c216c268194b2f0.mp4?AWSAccessKeyId=dummyid)   \u0026Signature=dummysignature\u0026response-content-type=video%2Fmp4",
}
}
The URLs that are a part of the data are external URLs that point to where
the files are stored.
We generate a hash of this data in rails and return a JSON from the hash.
This causes the URLs to be encoded
<[https://stackoverflow.com/questions/17936318/why-does-to-json-escape-unicode-automatically-in-rails-4](https://stackoverflow.com/questions/17936318/why-does-to-json-escape-unicode-automatically-in-rails-4)>.
I can prevent the encoding using JSON::dump
<[https://stackoverflow.com/questions/5123993/json-encoding-wrongly-escaped-rails-3-ruby-1-9-2/14952985#14952985](https://stackoverflow.com/questions/5123993/json-encoding-wrongly-escaped-rails-3-ruby-1-9-2/14952985#14952985)
>
instead of relying on *to_json.*
The question that brings up is what is the best practice here? Should the
URLs be encoded when being returned in the body of the response? I
understand that allowing unescaped JSON data to pass around opens up
the possibility
of a security breach
<[https://stackoverflow.com/questions/17936318/why-does-to-json-escape-unicode-automatically-in-rails-4/17946022#17946022](https://stackoverflow.com/questions/17936318/why-does-to-json-escape-unicode-automatically-in-rails-4/17946022#17946022)
>
but
in this case, the data is generated by us and does not depend on the user
input.
Should we return unescaped valid URLs or let them be encoded when sending a
response?