Skip to content
Processing locally — files never leave your device

URL Encoder / Decoder

Percent-encode text so spaces, ampersands, slashes, and non-Latin characters survive inside a URL or query string — then decode an encoded URL back to readable text. Handy for debugging API requests, building query parameters by hand, and fixing links where special characters were mangled. Everything runs locally in your browser.

How to use URL Encoder

  1. Choose Encode to escape characters, or Decode to reverse them.
  2. Pick "Component" for query-string values, or "Full URL" for entire URLs.
  3. Paste your input — the result updates instantly.
  4. Copy the output with one click.

URL encoding: keeping special characters from breaking your links

URLs may only contain a limited set of characters. Anything else — spaces, accents, slashes inside a query value, ampersands inside a search term — must be percent-encoded before the URL is sent. Skip the step and the request will either be rejected or, worse, silently parsed wrong: an unescaped &in a search term splits your query into two parameters and nobody gets an error message. The escaping below is done by the browser's own encoder, so the link you are fixing never travels anywhere to get fixed.

How percent-encoding actually works

Encoding replaces each unsafe character with % followed by the hexadecimal value of its bytes. A space is byte 0x20, so it becomes %20; an ampersand is 0x26, so it becomes %26. Characters outside ASCII are first converted to UTF-8 and each byte is escaped separately: é is the two-byte sequence 0xC3 0xA9, which encodes as %C3%A9. Put together, a real search URL transforms like this:

Before: https://example.com/search?q=café & crème
After: https://example.com/search?q=caf%C3%A9%20%26%20cr%C3%A8me

Notice that the structural characters — ://, ?, = — stay untouched, while everything inside the query value is escaped. Decoding reverses the process byte for byte, which is why a correct encode/decode round-trip never loses data.

Component vs. full URL

Use Component when encoding a single piece of a URL — a search term, a path segment, a query value. It escapes everything that could break URL structure, including / and &. Use Full URLwhen encoding a complete URL that you don't want to break — it preserves :/?#&=+ so the URL stays functional. Picking the wrong mode is the most common encoding bug: component-encoding a whole URL turns it into one giant unusable string, while full-URL-encoding a query value leaves dangerous characters unescaped.

Where you'll need this

  • Building query strings from user input — search terms, filters, form values
  • Passing a redirect or callback URL as a parameter inside another URL (OAuth, login flows)
  • Debugging webhooks and API calls by decoding what was actually sent
  • Creating mailto: or share links with prefilled subjects and bodies
  • Encoding file names with spaces or unicode for download links

Common mistakes

Double-encoding tops the list: encode a value twice and %20 becomes %2520, which decodes back to the literal text %20 instead of a space. Encode exactly once, at the moment the value is inserted into the URL. The plus sign is the other classic trap — HTML forms encode spaces as +, but strict percent-encoding does not, so a + in a query string may mean a space or a real plus depending on who produced it. When in doubt, send %20 for spaces and %2B for a literal plus.

When URL encoding is the wrong tool

Percent-encoding makes text safe for URLs — nothing else. It is not protection against XSS when inserting text into HTML (use HTML entity escaping), it does not hide or secure data (the encoding is trivially reversible), and it is not how you embed binary data in a URL (Base64-URL is far more compact). Reach for the encoder that matches the context the text is going into.

Related tools

  • HTML Encoder — escape <, > and & for safe insertion into HTML, the counterpart to URL escaping.
  • Base64 Encode / Decode — pack binary or structured data into a compact text form, including the URL-safe variant.
  • JWT Decoder— decode the URL-safe tokens you'll often find in query strings and auth headers.
  • Regex Tester — build and test the patterns you use to pick apart query strings.

Frequently asked questions

What is the difference between encodeURI and encodeURIComponent?
encodeURI preserves characters used to structure a URL (like / and ?), so it's right for entire URLs. encodeURIComponent escapes all reserved characters, which is what you want for individual query-string values where the value itself might contain & or =.
When should I use this tool?
Whenever you need to put user input into a URL — search queries, redirect targets, OAuth state, file paths in URLs, anything that might contain spaces, slashes, or special characters.
Does this handle Unicode?
Yes. The browser's built-in encoders handle UTF-8 correctly, so emoji and non-Latin scripts encode and decode without loss.
Why does my plus sign decode to a space?
Forms encode spaces as "+" rather than "%20". This tool follows the strict URL-encoding rules: "+" decodes literally as a plus. If you need form-style decoding, replace "+" with " " in the input before decoding.
Is it safe to decode a URL that contains an auth token or redirect secret?
Yes — the encode and decode both call the browser’s native encodeURIComponent and decodeURIComponent, so a callback URL with an embedded token or OAuth state is processed in the tab rather than sent off to be unscrambled elsewhere.
What does %20 actually mean?
It's the percent sign followed by the byte value in hexadecimal: 0x20 is 32 in decimal, the ASCII code for a space. Every percent-escape follows the same pattern — %2F is a slash (0x2F = 47), %3D is an equals sign — and multi-byte UTF-8 characters become a sequence of escapes.
Why does my URL contain %25 or %2520?
That's double-encoding. The percent sign itself encodes to %25, so if an already-encoded string is encoded again, %20 becomes %2520. It usually means two layers of your stack each encoded the value — encode exactly once, at the point where the value is inserted into the URL.
Which characters never need encoding?
RFC 3986 defines the unreserved set: letters A–Z and a–z, digits 0–9, and the four marks "-", "_", ".", and "~". These are always safe anywhere in a URL. Everything else is either a reserved delimiter (like /, ?, #, &, =) or must be percent-encoded.

More tools you might find useful in the same flow.

Built by Muhammad Tahir · About