URL Encode / Decode

Encode and decode URL strings instantly

You might also need

Base64 Encode / Decode

Free online Base64 encoder and decoder. Convert text to Base64 and back …

HTML Entity Encode/Decode

Free online HTML entity encoder and decoder. Convert special characters to HTML …

Unicode Escape/Unescape

Free online Unicode escape and unescape tool. Convert text to \uXXXX escape …

JSON Formatter & Validator

Free online JSON formatter and validator. Beautify, minify and validate JSON …

What is URL Encoding?

URL encoding, also known as percent-encoding, is the standard mechanism for representing characters that aren’t safe to put directly inside a URL. It’s defined by RFC 3986 and used everywhere on the web — query strings, form submissions, REST APIs, OAuth flows, signed download links, redirect targets, and webhook payloads all depend on it.

The rule is simple: any character outside the unreserved set (A-Z, a-z, 0-9, -, _, ., ~) is replaced with a % sign followed by the two-digit hexadecimal value of the byte. A space becomes %20, an ampersand becomes %26, a forward slash becomes %2F. For non-ASCII characters, the string is first UTF-8 encoded, so each Unicode character may turn into two, three, or four percent-escaped bytes.

URL decoding is the reverse — reading %XX triplets and converting them back into the original bytes, then interpreting those bytes as UTF-8 to recover the original text.

When to Use the URL Encoder

You almost always want to URL-encode a value before putting it in a URL when:

  • Passing user input as a query parameter. Search terms, names with spaces, anything copy-pasted from elsewhere — encodeURIComponent it before concatenating into the URL.
  • Embedding a URL inside another URL. Redirect targets, callback URLs, OAuth state parameters. Without encoding, the inner URL’s ? and & will be parsed as part of the outer URL.
  • Building API request bodies with application/x-www-form-urlencoded. Every key and value must be percent-encoded; spaces become +.
  • Signing requests (AWS Signature V4, Google Cloud, OAuth 1.0). The signature input is the canonicalized, percent-encoded request — the tiniest mismatch in encoding produces a different signature.
  • Cleaning up a URL pasted from email or chat. Decoders make %E2%80%93 readable again as , so you can see what a long tracking URL actually says.

How to Use the URL Encode / Decode Tool

  1. Paste the URL or plain text into the input area.
  2. Choose Encode or Decode (the tool also auto-detects when input contains percent-escapes).
  3. Press Ctrl+Enter to run, or click the action button.
  4. Copy the result with one click — Ctrl+Shift+C works too.
  5. Clear with Ctrl+L and start again.

Everything happens locally in your browser. No data is uploaded, so it’s safe to paste signed download URLs, JWTs in query strings, or any other URL that might contain sensitive parameters.

Common URL Encoding Values

CharacterEncodedNotes
Space%20 (or + in form data)Use %20 in paths and fragments
!%21Reserved for sub-delims
"%22Always encode in URLs
#%23Marks the fragment — must encode if literal
$%24Reserved character
%%25Encode the % itself, or you’ll get double-encoded output
&%26Separates query parameters
+%2BMeans literal +; otherwise interpreted as space
/%2FPath separator — encode inside parameter values
=%3DSeparates key from value in queries
?%3FMarks start of query string
@%40Reserved for userinfo component
é%C3%A9Two UTF-8 bytes
%E5%8C%97Three UTF-8 bytes (CJK)
🚀%F0%9F%9A%80Four UTF-8 bytes (emoji surrogate pair)

URL Encoding vs HTML Entity Encoding vs Base64

These three look superficially similar — all turn unsafe characters into a longer escape sequence — but they solve different problems:

  • URL encoding (%20, %C3%A9) — safe characters in URLs and form bodies. Reversible. Output stays mostly human-readable.
  • HTML entity encoding (&, é) — safe characters inside HTML markup so the browser doesn’t interpret them as tags. Decode it with our HTML entity tool.
  • Base64 (SGVsbG8=) — encode arbitrary binary as ASCII. Roughly 33% size overhead, completely opaque to humans. Use the Base64 tool for tokens, file payloads, and credentials embedded in JSON.

If you’re stuffing a URL into a query parameter, you might double-wrap: Base64-encode the binary, then URL-encode the Base64 (because = and / need escaping). That’s how signed download URLs and OAuth callback states are typically built.

Common Errors and How to Fix Them

Double-Encoded URLs (%2520 instead of %20)

Symptom: query parameters that look like name=John%2520Doe. The % from %20 got re-encoded as %25. Cause: encoding the same value twice. Fix: decode once with this tool to recover name=John%20Doe, and ensure your code only calls encodeURIComponent once per value.

Plus Sign Treated as Space

Symptom: me+you@example.com arrives at the server as me you@example.com. Cause: in application/x-www-form-urlencoded, a literal + means space. Fix: encode + as %2B everywhere except form payloads where you actually want a space.

&, =, ? Inside Parameter Values

Symptom: a query parameter that contains = or & corrupts the rest of the query string. Cause: forgetting to encode the value before concatenating. Fix: pass each value through encodeURIComponent before building the URL — never use raw string concatenation with user input.

Unicode Looks Like Mojibake After Decoding

Symptom: decoded URL shows café instead of café. Cause: the bytes were UTF-8 but decoded as Latin-1. Fix: this tool always decodes as UTF-8, which is the correct behavior per RFC 3986. If you’re getting mojibake elsewhere, the encoder used the wrong character set — re-encode with UTF-8.

Whitelist Confusion (encodeURI vs encodeURIComponent)

Symptom: a URL like https://example.com/?q=foo becomes https%3A%2F%2Fexample.com%2F%3Fq%3Dfoo and breaks navigation. Cause: encodeURIComponent was called on a full URL. Fix: use encodeURIComponent only for individual values; use encodeURI (or no encoding at all) for a full URL you’ve already constructed correctly.

Why It Matters: Privacy and Performance

This URL encoder runs entirely in your browser — nothing leaves your machine. That matters because URLs often contain authentication tokens (access_token=...), session identifiers, signed S3 download links, or sensitive query parameters that audit logs would later expose. A server-side encoder, even on a “trusted” tool site, lands every payload in a request log.

The decode/encode operation is constant-time per character and runs faster than any network round-trip would, so there’s no UX reason to send the data off-machine either.

Frequently Asked Questions

What is URL encoding?

URL encoding (also called percent-encoding) converts characters that have a special meaning in URLs — or that aren't allowed at all — into a `%` sign followed by their two-digit hexadecimal byte value. For example, a space becomes `%20`, an ampersand becomes `%26`, and a forward slash becomes `%2F`. It's defined by RFC 3986 and is what makes it safe to embed arbitrary text inside query strings, paths, and form bodies.

How do I URL encode a string online?

Paste your text into the input box, click Encode (or press Ctrl+Enter), then copy the percent-encoded result. The tool runs entirely in your browser using the standard `encodeURIComponent` semantics, so it handles spaces, ampersands, slashes, plus signs, Unicode characters, and emoji correctly without sending anything to a server.

What's the difference between URL encoding and Base64 encoding?

URL encoding only escapes characters that aren't safe in a URL — letters, digits, and `- _ . ~` pass through untouched, so the output is still mostly readable. Base64 transforms every byte into one of 64 characters, producing output that's roughly 33% larger but completely opaque. Use URL encoding for query parameters and form fields; use Base64 when you need to embed binary data (images, signatures, tokens) in a text channel.

Why does %20 sometimes appear as a + in URLs?

Both `%20` and `+` represent a space, but in different contexts. The `+` form is only valid inside the query string of a URL (`application/x-www-form-urlencoded`). Inside the path, fragment, or any other URL component, `+` is a literal plus sign and only `%20` is correct. Modern code should prefer `%20` everywhere — it works in all components — and reserve `+` for legacy form-encoded payloads.

What's the difference between encodeURI and encodeURIComponent?

`encodeURI` is meant for a complete URI and deliberately leaves the URL structure intact: it doesn't encode `: / ? # & =` because those have special meaning. `encodeURIComponent` is meant for a single value you're about to embed in a URL — it encodes everything except letters, digits, and `- _ . ~`. Rule of thumb: use `encodeURIComponent` for query parameter names and values, and `encodeURI` only when you have a fully-formed URL you want to safely percent-escape any leftover characters in.

Does URL encoding work with Unicode and emoji?

Yes. The string is first UTF-8 encoded, then each byte is percent-escaped. So `café` becomes `caf%C3%A9` (two bytes for `é`), `北京` becomes `%E5%8C%97%E4%BA%AC`, and `🚀` becomes `%F0%9F%9A%80`. Decoders that follow RFC 3986 reverse the process and reproduce the original Unicode string. This tool handles Unicode and surrogate pairs out of the box.

How do I fix double-encoded URLs?

If you see `%2520` instead of `%20`, the URL has been encoded twice — the original `%` got re-encoded as `%25`. Run the string through this decoder once to get back to the single-encoded form, then use that. The fix in code is to make sure each value passes through `encodeURIComponent` exactly once, never on already-encoded data.

Is my data safe with this tool?

Yes. All encoding and decoding runs entirely in your browser using JavaScript. Nothing is uploaded, logged, or sent to any server — important when you're decoding tokens, signed query strings, or any URL that contains credentials or session identifiers.