URL Encoder & Decoder
Encode or decode URLs and query parameters. Handles Unicode, special characters, and percent-encoding. 100% client-side.
No data sent to serverRelated Tools
What is URL Encoding?
URL encoding (also called percent-encoding) is defined in RFC 3986, the URI specification. It converts characters that are not valid in URLs — or that have special meaning in URLs — into a percent sign (%) followed by two hexadecimal digits representing the byte value. For example, a space becomes %20, an ampersand becomes %26, and the Korean character "한" (UTF-8 bytes 0xED 0x95 0x9C) becomes %ED%95%9C.
Reserved vs unreserved characters
RFC 3986 splits ASCII into two groups. Unreserved characters (A-Z, a-z, 0-9, and -_.~) can appear in URLs as-is and must NOT be encoded. Reserved characters (:/?#[]@!$&'()*+,;=) have meaning in URL syntax (delimiting scheme, host, query, etc.) and must be encoded if they're meant as data rather than syntax. Everything else (control characters, non-ASCII bytes) must be encoded.
encodeURI vs encodeURIComponent
JavaScript provides two encoders. encodeURI() encodes only characters illegal anywhere in a URL — it leaves reserved characters like :/?# alone, so it's used for whole URLs. encodeURIComponent() additionally encodes reserved characters — use it for query parameter values and path segments. This tool's "Standard" button uses encodeURIComponent; "Encode All" goes further and encodes !'()*~ as well (matching RFC 3986 strict mode).
How to Use
- Click Encode or Decode at the top to choose direction.
- Paste your text or URL-encoded string in the Input textarea. Unicode characters are supported — they're UTF-8 encoded then percent-escaped.
- Click Encode (Standard) for typical use (matches
encodeURIComponent), or Encode All Characters for the strictest form (also encodes!'()*~). - Press
Ctrl+Enter(Cmd+Enteron macOS) as a shortcut to run the active mode. - Click Copy to copy output, or Clear to reset both fields.
Examples
1. Query parameter values
Original: q=hello world&lang=한국어 Encoded: q=hello%20world&lang=%ED%95%9C%EA%B5%AD%EC%96%B4 URL: https://example.com/search?q=hello%20world&lang=%ED%95%9C%EA%B5%AD%EC%96%B4
2. OAuth redirect URIs
When OAuth providers redirect back to your app with a callback URL containing query params, the entire callback URL is itself a query param — and must be doubly encoded:
https://provider.com/oauth? redirect_uri=https%3A%2F%2Fmyapp.com%2Fcallback%3Fstate%3Dabc123
3. mailto: links
<a href="mailto:foo@example.com?subject=Hello%20World&body=Thanks%21"> Email me </a>
4. tel: and SMS deep links
tel:+1%20555%20123%204567 sms:+15551234567?body=See%20you%20at%208pm
5. Filenames and CDN paths
Filenames with spaces, parentheses, or non-ASCII characters must be encoded in CDN URLs. Cloudflare, Fastly, and S3 all require this for files like "My Document (final).pdf".
https://cdn.example.com/My%20Document%20%28final%29.pdf
Common Pitfalls
1. Double encoding
Encoding an already-encoded string. %20 becomes %2520 (the % itself gets percent- encoded). Always decode first if you're unsure of the input state — or simply pass through and re-encode only when needed.
2. + vs %20 for spaces
application/x-www-form-urlencoded (HTML form submissions) uses + for spaces. RFC 3986 URI percent-encoding uses %20. Servers sometimes accept both, but generating + in a URL path will break. encodeURIComponent always produces %20; manual + handling is form-encoding territory.
3. Encoding the wrong slash
Path-segment slashes (/) shouldn't be encoded unless they're literal data inside a segment. Encoding all slashes turns /users/123 into %2Fusers%2F123, which most routers won't match. Use encodeURIComponent only on individual path segment values, not on whole paths.
4. Non-ASCII without UTF-8
URLs encode bytes, not characters. Korean "한" must first be converted to UTF-8 bytes (3 bytes), then each byte percent- encoded. Tools that skip the UTF-8 step produce mojibake on the receiving end. Modern browsers handle this automatically; older PHP/Java code sometimes did not.
5. Decoding maliciously crafted input
URL decoding can hide attacks. %2e%2e%2f decodes to ../ (path traversal). Web frameworks normalize paths after decoding to prevent this; always validate decoded values before using them in filesystem or DB operations.
FAQ
What is the difference between Standard and Encode All?
Standard uses encodeURIComponent — encodes everything except unreserved characters. Encode All additionally encodes !, ', (, ), *, ~ for strict RFC 3986 compliance. Use Standard for typical web use; Encode All when targeting APIs that reject any reserved character.
Why does %20 sometimes appear as +?
In URL-encoded form data (application/x-www-form-urlencoded), spaces are encoded as +. In RFC 3986 URI percent-encoding, they're %20. This tool always produces %20 (URI standard).
Does this tool handle Unicode?
Yes. Inputs are UTF-8 encoded before percent-encoding, so any Unicode character (Korean, emoji, Arabic, etc.) round-trips correctly.
Should I encode the entire URL or just part of it?
Just the part that's data — typically query parameter values and individual path segments. Encoding the entire URL (including :/?) breaks routing. encodeURI() is meant for the whole URL, encodeURIComponent() for one piece at a time.
Is the input limited?
Up to 5 MB per field. All processing is local — your strings never leave your browser.
⚠️ Reference Only
Output is generated based on your input and is provided for reference. Results may vary depending on your specific use case, edge cases, or environment-specific behavior. We do not guarantee accuracy of conversions, validations, or computed values.
Always verify critical outputs against official documentation or production environments. We are not responsible for any decisions or losses based on these tool results.
📖 Related Guides
JWT Anatomy — Header, Payload, Signature
Understand JWT structure, claims, and signing algorithms. Security best practices.
URL Encoding — When to Use What
encodeURI vs encodeURIComponent vs escape. Query strings, paths, and reserved characters.
Hash Algorithms — MD5, SHA-1, SHA-256, bcrypt
When to use each hash function. Security comparison and password storage best practices.