URL Encoder & Decoder
Percent-encode URLs and query parameters or decode them back to plain text. All processing happens in your browser.
Frequently Asked Questions
% followed by two hex digits. For example, a space becomes %20 and & becomes %26. It ensures URLs are transmitted correctly over the internet.encodeURIComponent encodes everything except letters, digits, and - _ . ! ~ * ' ( ) — use it for query string values. encodeURI does not encode characters that form the URL structure (: / ? # [ ] @ ! $ & ' ( ) * + , ; =) — use it to encode a complete URL.% sign followed by two uppercase hexadecimal digits representing the byte value. For example, a space (byte 0x20) becomes %20, and # (byte 0x23) becomes %23. Multi-byte UTF-8 characters encode each byte separately: the euro sign € (UTF-8: E2 82 AC) becomes %E2%82%AC. The process is fully reversible — decoding replaces each %XX sequence with the corresponding byte.
A–Z, a–z), digits (0–9), and - _ . ~. Reserved characters (: / ? # [ ] @ ! $ & ' ( ) * + , ; =) have structural meaning in URLs — encode them in values but not when used as delimiters. Everything else — spaces, non-ASCII characters, and characters like % itself, <, >, ", {, |, \, ^, ` — must be percent-encoded.
+ sign as a space encoding comes from the application/x-www-form-urlencoded format (HTML form submissions), not from RFC 3986. In query strings submitted by HTML forms, browsers encode spaces as +. In strict URL encoding (RFC 3986), spaces must be encoded as %20. Most web servers and frameworks accept both in query strings, but in path segments only %20 is correct. When constructing URLs programmatically, always use %20 to avoid ambiguity.
& (e.g., name=John+Doe&age=30), with spaces encoded as + and other special characters percent-encoded. This format is also used in HTTP request bodies when POST-ing form data. It differs from multipart/form-data, which is used for file uploads and supports binary payloads. JavaScript's URLSearchParams API handles this format natively.
%20 becomes %2520 (the % itself gets encoded to %25). This breaks URL resolution and is a common source of "404 not found" errors for legitimate URLs and a known security bypass technique — some WAF and input filters decode once but application code decodes twice, allowing attackers to slip through blocked patterns. Always encode exactly once and decode exactly once at the entry point of your application.
urlencode($str) for query string values (spaces become +), rawurlencode($str) for RFC 3986 (spaces become %20). In Python: urllib.parse.quote(str) for path segments, urllib.parse.urlencode({'key': val}) for query strings. In JavaScript: encodeURIComponent(str) for individual values, new URLSearchParams(obj).toString() for full query strings. For constructing complete URLs, use platform URL builder APIs (URL in JS, urllib.parse.urlunsplit in Python) rather than manual string concatenation.
%C3%A9). Unicode in domain names (Internationalized Domain Names, IDN) is handled differently using Punycode — a way to encode Unicode labels as ASCII. For example, the domain münchen.de becomes xn--mnchen-3ya.de in DNS. Browsers display the Unicode form to users but always send the Punycode form to DNS servers.
%2F to / after the router has already parsed the path, allowing directory traversal. The rule is: decode once on input, encode once on output, and always validate after decoding.
About This URL Encoder / Decoder
This free URL encoder converts special characters in a string to their percent-encoded equivalents (e.g. space becomes %20, & becomes %26), and decodes percent-encoded strings back to plain text. Both full URL encoding and component encoding modes are supported.
URL encoding (percent encoding, defined in RFC 3986) is required when embedding arbitrary strings in a URL query parameter or path segment to prevent them from being misinterpreted as URL structure characters.
When to use this tool
- Encoding query parameter values that contain special characters
- Decoding URL-encoded strings from server logs or API responses
- Building URLs dynamically with user-supplied content
- Debugging redirect URLs with nested encoded parameters
Standards & References
How URL Encoding Works
Percent-encoding ensures every character in a URL can be safely transmitted over the internet regardless of the transport layer's character restrictions.
Scan Characters
Each character is checked against the RFC 3986 "unreserved" set: letters (A–Z, a–z), digits (0–9), and - _ . ~. All other characters require encoding.
Convert to UTF-8 Bytes
Each unsafe character is converted to its UTF-8 byte sequence. Non-ASCII characters like € expand to multiple bytes (e.g., 3 bytes for most European/Asian characters).
Percent-Encode Each Byte
Each byte is written as %XX where XX is the uppercase hexadecimal value. For example, a space (0x20) becomes %20 and & (0x26) becomes %26.
Common Use Cases
API Query String Building
When constructing API requests with dynamic parameter values, every value must be percent-encoded before appending to the URL. Missing this step causes broken requests when values contain &, =, or spaces.
OAuth Redirect URIs
OAuth 2.0 flows pass a redirect_uri as a query parameter. The URI must be fully percent-encoded before embedding, otherwise the OAuth server may reject or misparse it.
HTML Form Submissions
Browsers automatically encode form values, but when building forms programmatically with JavaScript or constructing application/x-www-form-urlencoded bodies manually, you must encode each value.
Deep Links with Parameters
Mobile app deep links and share URLs often embed titles, descriptions, or full URLs as parameters. Encoding these prevents the nested URL from breaking the outer URL's structure.
Decoding Encoded URLs
Log files and analytics platforms often display percent-encoded URLs. Use this decoder to convert %2F, %3D, and other sequences back to human-readable text for quick inspection.
Internationalized Domain Names
URLs containing non-ASCII characters (Arabic, Chinese, accented Latin) must be percent-encoded in the path and query. This tool helps verify the correct encoding before embedding in links.
Related Developer Tools
Related Articles
View all articles
URL Design as API Design: REST Conventions, Versioning Strategies, and the Long-Term Cost of Changing URLs
REST URL conventions, API versioning strategies (URL path vs header vs date-based like Stripe), trailing slash canonicalization, URL length limits, and the link rot problem — URL design decisions made at launch determine API maintainability for years.
URL Structure: Query String Parsing Ambiguities, Punycode, and Open Redirect Vulnerabilities
A URL has five components — and bugs come from confusing which part you're encoding. Here's query string parsing ambiguities between frameworks, IDN Punycode for international domains, URL normalisation for comparison, open redirect vulnerabilities, and relative URL resolution edge cases.
URL Encoding Edge Cases That Break Real Applications
The difference between encoding a full URL and a URL component, why + and %20 aren't always interchangeable, how double-encoding silently corrupts data, and the characters that break most URL handling code.
URL Encoder/Decoder — Percent-Encode & Decode URLs Instantly
Learn why URL encoding exists, how percent-encoding works, the difference between %20 and + for spaces, and how to encode and decode URLs correctly for APIs and query strings.
