Free Online URL Encoder & Decoder
Encode or decode URL strings instantly using standard percent-encoding. Handle special characters, query parameters, and international characters with ease β all processed locally in your browser.
What is URL Encoding?
URL encoding, formally known as percent-encoding, is the mechanism by which special characters in a Uniform Resource Locator (URL) are replaced with a percent sign (%) followed by two hexadecimal digits that represent the character's byte value in the ASCII character set. This encoding scheme is defined in RFC 3986 and is fundamental to how the World Wide Web functions.
URLs are restricted to a specific set of characters from the US-ASCII character set. Characters outside this set β including spaces, international characters (like accented letters, Chinese characters, or emojis), and characters that have special meaning in URL syntax (such as &, =, ?, and #) β must be percent-encoded to be safely transmitted and interpreted by web servers, browsers, and APIs.
For example, the space character (ASCII 32) is encoded as %20. The ampersand (&), which normally separates query parameters, is encoded as %26 when it needs to appear as literal data within a parameter value. Without proper encoding, URLs can break, be misinterpreted, or even introduce security vulnerabilities such as injection attacks.
This free URL encoder online tool lets you encode and decode URL strings instantly using JavaScript's built-in encodeURIComponent() and encodeURI() functions, all processed entirely in your browser.
How to Encode or Decode URLs Online
Our URL encoder and decoder is designed for speed and simplicity. Here's how to use it:
- Enter your text: Paste or type the URL string, query parameter, or text you want to encode or decode into the input field.
- Choose the mode: Select encodeURIComponent to encode individual values (recommended for query parameters), or encodeURI to encode a full URL while preserving its structure.
- Click Encode or Decode: Press the appropriate button to process your input. The result appears instantly in the output field.
- Copy the result: Click the copy button to copy the encoded or decoded string to your clipboard for use in your code, API calls, or browser address bar.
URL Encoding Character Reference
Here's a quick reference table showing how common characters are represented in URL encoding:
| Character | Encoded Form | Description |
|---|---|---|
| (space) | %20 | Space character β most common encoding |
| & | %26 | Ampersand β query parameter separator |
| = | %3D | Equals β key-value delimiter in queries |
| ? | %3F | Question mark β starts query string |
| # | %23 | Hash β fragment identifier |
| / | %2F | Forward slash β path separator |
| + | %2B | Plus sign β sometimes represents space |
| @ | %40 | At sign β used in email addresses |
| : | %3A | Colon β protocol separator (http:) |
| % | %25 | Percent β the encoding escape character itself |
encodeURI vs encodeURIComponent β Which Should You Use?
JavaScript provides two built-in functions for URL encoding, and choosing the right one is critical to avoid breaking your URLs:
encodeURI()
encodeURI() is designed to encode a complete URI. It encodes special characters but preserves characters that have structural meaning in a URL, including :, /, ?, #, &, =, @, and +. Use this when you have a full URL and want to make it safe without destroying its structure.
Example: encodeURI("https://example.com/path?q=hello world") returns https://example.com/path?q=hello%20world β the space is encoded, but the colons, slashes, and question mark remain intact.
encodeURIComponent()
encodeURIComponent() is designed to encode a single component of a URI, such as a query parameter value or a path segment. It encodes all special characters, including /, ?, #, &, and =. This is the function you should use most of the time when building query strings programmatically.
Example: encodeURIComponent("price=10¤cy=USD") returns price%3D10%26currency%3DUSD β everything is encoded because the entire string is treated as a single value, not a structured URL.
Rule of thumb: Use encodeURIComponent() for encoding query parameter values and individual path segments. Use encodeURI() only when encoding a full, already-structured URL.
Why URL Encoding Matters
Proper URL encoding is not just a best practice β it's essential for building reliable, secure web applications. Here are the key reasons:
API Integration
When sending data to APIs via query parameters, failing to encode special characters can cause the API to misinterpret your request. For example, an unencoded & in a parameter value will be interpreted as a parameter separator, splitting your data into two incorrect parameters. Proper encoding ensures your data arrives intact.
SEO and Crawlability
Search engine crawlers need well-formed URLs to index your pages correctly. URLs with unencoded special characters, spaces, or non-ASCII characters may be ignored, broken, or deduplicated incorrectly by search engines. Clean, properly encoded URLs contribute to better indexability and SEO performance.
Security
Improper URL encoding is a common vector for web security vulnerabilities. Cross-site scripting (XSS) attacks often exploit the lack of encoding to inject malicious scripts through URL parameters. Open redirect vulnerabilities can arise from unencoded URL parameters that redirect users to malicious sites. Always encode user-supplied input before including it in URLs.
Internationalization (i18n)
URLs containing non-ASCII characters β such as Chinese, Arabic, or accented Latin characters β must be properly encoded to be transmitted via HTTP. Modern browsers display the decoded, human-readable form in the address bar (called IDN or IRI display), but the underlying request uses the percent-encoded form. Proper encoding ensures your internationalized URLs work reliably across all browsers and servers.
Tips for Working with URL Encoding
- Always use
encodeURIComponent()for individual query parameter values. This is the most common use case and the safest default. - Never double-encode. If data is already encoded, encoding it again will produce incorrect results (e.g.,
%20becomes%2520). Always check whether your data is already encoded before processing. - Decode before processing. When reading URL parameters on the server side, always decode the values before using them in your application logic.
- Use
%20instead of+for spaces in path segments. The+notation for spaces is only valid in the query string portion of a URL and only in theapplication/x-www-form-urlencodedformat. - Test with edge cases. Try encoding strings with emojis, multi-byte characters, and special symbols to ensure your application handles them correctly.
- Use URL objects in JavaScript. The
URLandURLSearchParamsAPIs handle encoding automatically and are less error-prone than manual string concatenation.
URL Encoding Standards (RFC 3986)
The authoritative specification for URL encoding is RFC 3986 β "Uniform Resource Identifier (URI): Generic Syntax" β published by the Internet Engineering Task Force (IETF) in January 2005. This document superseded the earlier RFC 2396 and defines the rules that every web browser, HTTP library, and web server follows when parsing and constructing URLs. Understanding RFC 3986 is essential for any developer who builds, consumes, or debugs web APIs.
Reserved Characters
RFC 3986 defines a set of reserved characters that have special meaning within a URI's structure. These characters delimit the components of a URL β the scheme, authority, path, query, and fragment. If you need to include a reserved character as literal data (rather than as a delimiter), it must be percent-encoded.
The reserved character set is: : / ? # [ ] @ ! $ & ' ( ) * + , ; =
For example, the ? character separates the path from the query string. If a query parameter value itself contains a ?, it must be encoded as %3F to prevent the parser from misinterpreting it as a second query string delimiter.
Unreserved Characters
Unreserved characters are safe to include in any component of a URI without encoding. They will never be misinterpreted by a compliant parser. The unreserved set consists of:
- Uppercase letters:
AβZ - Lowercase letters:
aβz - Digits:
0β9 - Four special characters:
- . _ ~(hyphen, period, underscore, tilde)
Any character not in the unreserved or reserved sets β including spaces, non-ASCII characters (UTF-8 multi-byte sequences), and control characters β must be percent-encoded.
Percent-Encoding Rules
The encoding process is straightforward: each byte of the character's UTF-8 representation is expressed as a percent sign (%) followed by exactly two uppercase hexadecimal digits. For single-byte ASCII characters, this produces familiar forms like %20 for space (byte 0x20) and %26 for ampersand (byte 0x26). For multi-byte UTF-8 characters, each byte is encoded separately β for example, the Euro sign (β¬, U+20AC) is encoded as %E2%82%AC (three bytes in UTF-8). RFC 3986 mandates that hexadecimal digits should be uppercase (%2F, not %2f), although most decoders accept both forms.
Common URL Encoding Issues & Troubleshooting
Even experienced developers run into URL encoding pitfalls. Here are the most common issues and how to resolve them:
Double Encoding
Double encoding occurs when an already-encoded string is encoded again. For example, a space that was correctly encoded as %20 gets re-encoded to %2520 (because the % itself becomes %25). This is one of the most frequent bugs in web applications and typically happens when multiple layers of code β such as a client library, a framework middleware, and a server-side router β each apply their own encoding pass. The fix is simple: encode once, at the point of construction, and ensure that downstream code does not re-encode.
Space: + vs. %20
The + sign as a space replacement is a legacy of the application/x-www-form-urlencoded content type, originally defined for HTML form submissions. In this format, spaces in form data are replaced with +. However, outside of the query string in a form-encoded context, + is not interpreted as a space β it is a literal plus sign. The universally safe choice is %20, which is valid in all parts of a URL (path, query, fragment). JavaScript's encodeURIComponent() always produces %20, not +.
Encoding Query Parameters vs. Path Segments
A common mistake is using the same encoding function for both path segments and query parameter values. While encodeURIComponent() works for both, the context matters. Path segments are separated by /, which must not be encoded within the path. Query parameter values sit after the ? and are separated by &, both of which must be encoded if they appear as literal data within a value. When building URLs programmatically, use the URL and URLSearchParams APIs in JavaScript β they handle the context-specific encoding automatically.
Unicode in URLs (IRI / IDN)
Internationalized Resource Identifiers (IRIs), defined in RFC 3987, extend URIs to support Unicode characters directly. Modern browsers display IRIs in the address bar (e.g., https://example.com/ζ₯ζ¬θͺ), but the underlying HTTP request uses the percent-encoded form (https://example.com/%E6%97%A5%E6%9C%AC%E8%AA%9E). Similarly, Internationalized Domain Names (IDNs) use Punycode to represent non-ASCII domain names (e.g., mΓΌnchen.de becomes xn--mnchen-3ya.de). When working with international URLs, always encode the path and query using UTF-8 percent-encoding, and use Punycode for domain names to ensure compatibility across all browsers and servers.
URL Encoding in APIs & Web Development
Proper URL encoding is the glue that holds modern web architecture together. From REST APIs to OAuth flows, almost every web interaction depends on correctly encoded URLs. Here are the most critical scenarios:
REST API Query Parameters
When calling a REST API, query parameters are appended to the URL after a ? and separated by &. Each parameter key and value must be individually encoded using encodeURIComponent(). For example, searching for the phrase "price > 100 & currency = USD" requires encoding to q=price%20%3E%20100%20%26%20currency%20%3D%20USD. Failing to encode will cause the API to misinterpret the & as a parameter separator and the = as a key-value delimiter, resulting in garbled data. Our URL encoder tool is perfect for testing these encodings before embedding them in your code.
Form Data Submission
HTML forms submitted via GET or POST with the application/x-www-form-urlencoded content type automatically encode form field values. However, when constructing form data programmatically (e.g., using fetch() or XMLHttpRequest), you are responsible for encoding the values yourself. The URLSearchParams API in JavaScript handles this elegantly:
const params = new URLSearchParams();
params.append('name', 'John Doe & Sons');
params.append('city', 'New York');
fetch('/api/search?' + params.toString());Redirects & Callback URLs
Redirect URLs frequently appear in authentication flows, payment gateways, and single sign-on (SSO) systems. When passing a redirect URL as a query parameter (e.g., ?redirect_uri=https://myapp.com/callback?token=abc), the entire callback URL must be encoded so that its internal ?, =, and & characters are not parsed as part of the outer URL structure. Incorrectly encoded redirect URIs are one of the most common causes of OAuth authentication failures.
OAuth Callbacks & Webhook URLs
OAuth 2.0 requires that the redirect_uri parameter exactly matches the value registered with the authorisation server β including encoding. A mismatch of even a single encoded vs. unencoded character (e.g., %2F vs. /) will cause the authorisation server to reject the request with an "invalid redirect_uri" error. Similarly, webhook URLs registered with third-party services (Stripe, GitHub, Twilio) must be properly encoded, especially when they contain query parameters for routing or authentication tokens.
Debugging Tip: Use the Browser Console
When debugging URL encoding issues, the browser's developer console is your best friend. Use encodeURIComponent() and decodeURIComponent() directly in the console to test individual values. For full URLs, the URL constructor parses and normalises a URL string, giving you access to individual components (.pathname, .searchParams, .hash) with encoding handled automatically.
Frequently Asked Questions
What is URL encoding?
URL encoding, also called percent-encoding, is the process of replacing unsafe or reserved characters in a URL with a percent sign (%) followed by two hexadecimal digits representing the character's ASCII code. For example, a space becomes %20 and an ampersand (&) becomes %26. This ensures URLs are transmitted correctly across the internet.
What is the difference between encodeURI and encodeURIComponent?
encodeURI() encodes a full URI but preserves characters that have special meaning in URLs (like :, /, ?, #, &). encodeURIComponent() encodes everything including those reserved characters, making it ideal for encoding individual query parameter values or path segments. In most cases, you should use encodeURIComponent().
Why do I need to encode URLs?
URLs can only contain a limited set of ASCII characters. Special characters like spaces, ampersands, question marks, and non-ASCII characters (such as accented letters or emojis) must be percent-encoded to be valid in a URL. Without encoding, URLs may break, be misinterpreted by servers, or create security vulnerabilities like XSS attacks.
Is %20 the same as + for spaces?
Both represent a space, but in different contexts. %20 is the standard percent-encoding for a space and works everywhere in a URL β path, query string, and fragment. The + sign is only valid as a space replacement in the query string portion of a URL when using the application/x-www-form-urlencoded format. For maximum compatibility and correctness, use %20.
Is this URL encoder safe to use?
Yes, completely safe. All encoding and decoding is performed locally in your browser using JavaScript's built-in encodeURIComponent() and encodeURI() functions. No data is sent to any server, nothing is stored or logged, and no cookies are set. Your data stays entirely on your device.
Can I decode a URL that was encoded multiple times?
Yes. If a URL has been double-encoded (e.g., %2520 instead of %20), you can run the decoder multiple times to fully decode it. Each pass decodes one layer of encoding. Our tool processes one layer per click, giving you full control over the decoding process so you can inspect intermediate results.