What is URL encoding (percent-encoding)?

URL encoding converts characters that are not allowed in a URL into a '%' followed by two hex digits representing the character's UTF-8 byte values. For example, a space becomes %20, a plus sign becomes %2B, and a slash becomes %2F. This ensures URLs remain valid when they contain special characters.

What is the difference between encodeURI and encodeURIComponent?

encodeURI is designed for complete URLs — it does NOT encode characters that have special meaning in URLs such as :, /, ?, #, &, =, and @. encodeURIComponent is designed for individual URL components (like query string values) — it DOES encode all those characters. Use encodeURIComponent for query parameter keys and values.

Why does '+' sometimes appear instead of '%20' for spaces?

The application/x-www-form-urlencoded format (used by HTML forms) encodes spaces as '+'. The RFC 3986 standard percent-encoding uses '%20'. Both are valid in different contexts — '%20' is more universal and works in both URLs and form data.

Is this tool safe for encoding sensitive data?

URL encoding is not encryption — it is a reversible formatting transformation. Do not use it to protect sensitive information. Anyone who sees the encoded string can decode it trivially. Use HTTPS and proper encryption for sensitive data.

Can I decode a partially encoded URL?

Yes. Switch to Decode mode and paste the URL. The tool will decode all percent-encoded sequences it finds, leaving any already-decoded characters unchanged.

URL Encoder/Decoder

Encode and decode URLs using percent-encoding. Choose between component encoding for query values, full URI encoding for complete URLs, or legacy escape encoding. All processing happens locally in your browser.

Mode

Encoding type — encodeURIComponent — for query values

Input

0 chars

Output

0 chars

Why use our online URL Encoder/Decoder?

Percent-encode or decode URLs and query string parameters instantly in your browser. Handles spaces, special characters, and international characters — essential for building safe API requests.

How to use URL Encoder/Decoder

1
Paste your URL or text
Type or paste the URL or text string you want to encode into the input field. The output updates in real time.
2
Choose encode or decode
Toggle between Encode (plain text → percent-encoded) and Decode (percent-encoded → readable text) using the mode selector.
3
Select the encoding type
Component encoding (encodeURIComponent) encodes all special characters including /, ?, and &. Full URI encoding (encodeURI) preserves URL-structural characters. Choose Component for query parameter values and Full URI for complete URLs.
4
Use the swap button
Click the swap arrow to move the output back to the input field and flip the mode — useful for round-trip encode/decode testing.
5
Copy the result
Click the Copy button to copy the encoded or decoded string to your clipboard.

URL structure — the anatomy of a web address

A URL (Uniform Resource Locator) has a defined structure: scheme://authority/path?query#fragment. Understanding each component clarifies when and how encoding applies.

Scheme (https, http, ftp): followed by ://. Never percent-encoded.

Authority: host name (domain.com) plus optional port (:8080). Domain labels follow DNS rules — only letters, digits, and hyphens; no encoding needed for standard domains. Internationalized Domain Names (IDN) use Punycode encoding (xn-- prefix) rather than percent-encoding.

Path (/products/my item): path segments are separated by /. Characters within a segment that are not "unreserved" (letters, digits, -, _, ., ~) must be percent-encoded. Spaces become %20 (not +, which is only for query strings in application/x-www-form-urlencoded).

Query string (?key=value&key2=value2): uses key=value pairs separated by &. The = and & are structural and must not be encoded as part of the URL structure. But the key and value contents must have their special characters encoded — which is why encodeURIComponent is the right function for query values (it encodes &, =, ?, and /).

Fragment (#section): the part after # is the fragment identifier. It is processed by the browser, not the server. It is never sent in HTTP requests.

When URL encoding goes wrong — common debugging scenarios

URL encoding bugs are common in web development and often subtle. Several patterns appear repeatedly.

Double-encoding: a value that was already encoded is encoded again. %20 (space) becomes %2520 (% is encoded to %25, producing %2520). The browser then decodes once, arriving at %20 instead of a space. Double-encoding happens when a library or framework encodes a string that was already manually encoded. Use a single encoding step at the final output point.

Wrong encoding function: using encodeURI instead of encodeURIComponent for query parameter values. encodeURI doesn't encode &, = or ?, so a URL parameter value containing these characters breaks the query string structure. Always use encodeURIComponent for individual parameter keys and values.

Plus vs %20: HTML forms using application/x-www-form-urlencoded encode spaces as +. Some server frameworks (PHP $_GET, some Python Flask versions, Java Servlet API) decode + back to space. Pure RFC 3986 percent-encoding uses %20. Mixing the two in the same API causes + to be treated as a literal + by RFC 3986-compliant parsers. Standardize on %20 in APIs; use + only in form submissions.

Non-UTF-8 encoding: legacy systems sometimes encode non-ASCII characters in Windows-1252 or Latin-1 encoding rather than UTF-8. %E9 in Latin-1 is é; in UTF-8, é is encoded as %C3%A9. Always specify and use UTF-8.

Building safe URLs — best practices for developers

Building URLs programmatically requires careful encoding to prevent broken links and security vulnerabilities.

Always use the URL API for URL construction in JavaScript: const url = new URL('/search', 'https://example.com'); url.searchParams.set('q', userQuery); url.searchParams.set('page', '2'); // Outputs: https://example.com/search?q=[encoded]&page=2. The URL and URLSearchParams APIs handle encoding automatically and correctly.

Never build query strings through string concatenation: '/search?q=' + userInput + '&page=2'. If userInput contains &, =, or ?, the query string structure breaks. If it contains a #, the remainder becomes a fragment. Use URLSearchParams.set() or your language's equivalent URL-building utility.

For path segments containing user data (like usernames, slugs, or IDs in URLs like /users/username), use encodeURIComponent to encode the segment value before inserting it: '/users/' + encodeURIComponent(username). If the username contains a slash, this prevents it from being interpreted as a path separator.

Open redirect prevention: when redirecting to a URL provided by a user or query parameter, validate that the destination is within your own domain before redirecting. An unvalidated redirect to a URL-encoded external site (https://yoursite.com/redirect?to=https%3A%2F%2Fevil.com) is a common phishing vector.

Frequently Asked Questions

What is URL encoding (percent-encoding)?: URL encoding converts characters that are not allowed in a URL into a '%' followed by two hex digits representing the character's UTF-8 byte values. For example, a space becomes %20, a plus sign becomes %2B, and a slash becomes %2F. This ensures URLs remain valid when they contain special characters.
What is the difference between encodeURI and encodeURIComponent?: encodeURI is designed for complete URLs — it does NOT encode characters that have special meaning in URLs such as :, /, ?, #, &, =, and @. encodeURIComponent is designed for individual URL components (like query string values) — it DOES encode all those characters. Use encodeURIComponent for query parameter keys and values.
Why does '+' sometimes appear instead of '%20' for spaces?: The application/x-www-form-urlencoded format (used by HTML forms) encodes spaces as '+'. The RFC 3986 standard percent-encoding uses '%20'. Both are valid in different contexts — '%20' is more universal and works in both URLs and form data.
Is this tool safe for encoding sensitive data?: URL encoding is not encryption — it is a reversible formatting transformation. Do not use it to protect sensitive information. Anyone who sees the encoded string can decode it trivially. Use HTTPS and proper encryption for sensitive data.
Can I decode a partially encoded URL?: Yes. Switch to Decode mode and paste the URL. The tool will decode all percent-encoded sequences it finds, leaving any already-decoded characters unchanged.