URL Encode / Decode
Encode text for safe URL use, or decode percent-encoded URLs.
What is URL Encode / Decode?
A URL decoder is a tool that converts percent-encoded characters in a URL back to their original Unicode form, and the matching encoder rewrites unsafe characters as %HH triplets so they survive transport through browsers, proxies, and servers. The rules come from RFC 3986, which reserves a small set of characters for URL syntax (:, /, ?, #, [, ], @) and a set of sub-delimiters (!, $, &, ', (, ), *, +, ,, ;, =).
Anything outside the unreserved alphabet (letters, digits, -, _, ., ~) is converted to UTF-8, and each resulting byte is percent-encoded as its two-digit hex value. The decoder reverses each %HH triplet back to a byte and decodes the resulting sequence as UTF-8 text.
Why use a URL encoder?
- Stop query strings from breaking when users paste them. Spaces, &, and # in a search term silently truncate the URL or split parameters. Encoding them keeps the value intact end to end.
- Build safe redirect URLs. When a redirect parameter contains another URL, the inner URL must be percent-encoded so its ? and & do not collide with the outer query string.
- Decode logs and error reports. Server access logs store raw URLs. Running them through the decoder turns %E2%9C%85 back into the readable check mark and reveals what the user actually requested.
- Debug OAuth and SSO flows. Authorization endpoints chain three or four encoded URLs together. The decoder unwinds them so you can verify the final redirect_uri matches the registered callback.
- Handle non-ASCII paths. Paths containing Cyrillic, Arabic, or CJK characters must be UTF-8 encoded before percent-encoding. The encoder handles this in one pass.
How to use the URL Encode / Decode tool
- Pick Encode to convert plain text into percent-encoded form, or Decode to reverse the process.
- Paste the URL or string into the Plain text or URL-encoded field on the left.
- Read the output on the right; it updates as you type and shows an error message if the percent-encoding is malformed.
- Copy the result with the output panel’s copy control.
- Switch modes and paste the output back to confirm the round trip is lossless.
How URL encoding works
URL encoding (also called percent-encoding) walks the input character by character. If the character is in the unreserved set (A-Z, a-z, 0-9, -, _, ., ~), the encoder emits it unchanged. Anything else is converted to its UTF-8 byte sequence, and each byte is written as % followed by two uppercase hex digits.
A space, for example, is byte 0x20, so it becomes %20. The + shorthand for space is a holdover from the older application/x-www-form-urlencoded form-encoding rules and is only valid inside query strings, not in paths. This tool follows the RFC 3986 component rules and uses %20 for spaces everywhere.
The decoder is strict: a stray % not followed by two hex digits raises an error, which surfaces real bugs in URL construction rather than masking them.
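The encoder and strict decoder rules described above, written out as an added example (this is not the tool's own source; `encodeComponent` and `decodeComponent` are names chosen here). Unlike `encodeURIComponent`, it also encodes !, ', (, ), and *, and it rejects both stray % signs and byte sequences that are not valid UTF-8.

```javascript
// Added example: RFC 3986 component encoding with a strict decoder.
const UNRESERVED = /^[A-Za-z0-9\-_.~]$/;

function encodeComponent(text) {
  let out = '';
  // Work on UTF-8 bytes so multi-byte characters become several %HH triplets.
  for (const b of new TextEncoder().encode(text)) {
    const ch = String.fromCharCode(b);
    out += b < 0x80 && UNRESERVED.test(ch)
      ? ch
      : '%' + b.toString(16).toUpperCase().padStart(2, '0');
  }
  return out;
}

function decodeComponent(text) {
  const enc = new TextEncoder();
  const bytes = [];
  let i = 0;
  while (i < text.length) {
    if (text[i] === '%') {
      const hex = text.slice(i + 1, i + 3);
      // Strict: a % must be followed by exactly two hex digits (either case).
      if (!/^[0-9A-Fa-f]{2}$/.test(hex)) {
        throw new Error(`Malformed percent-encoding at index ${i}`);
      }
      bytes.push(parseInt(hex, 16));
      i += 3;
    } else {
      // Literal characters pass through; step by code point to keep
      // surrogate pairs intact.
      const cp = String.fromCodePoint(text.codePointAt(i));
      bytes.push(...enc.encode(cp));
      i += cp.length;
    }
  }
  // fatal: true throws a TypeError on byte sequences that are not valid UTF-8
  // instead of silently substituting U+FFFD.
  const dec = new TextDecoder('utf-8', { fatal: true, ignoreBOM: true });
  return dec.decode(new Uint8Array(bytes));
}
```

Failing loudly on `%zz` or a truncated sequence such as `%C3` keeps malformed input from being passed downstream in a half-decoded state.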
URL encoding reference
| Character | Encoded | Why |
|---|---|---|
| space | %20 | Reserved for URL parsing |
| ! | %21 | Sub-delimiter |
| " | %22 | Not in unreserved set |
| # | %23 | Fragment delimiter |
| $ | %24 | Sub-delimiter |
| & | %26 | Query separator |
| + | %2B | Decoded as space in form data |
| , | %2C | Sub-delimiter |
| / | %2F | Path separator |
| : | %3A | Scheme delimiter |
| ; | %3B | Sub-delimiter |
| = | %3D | Query separator |
| ? | %3F | Query delimiter |
| @ | %40 | Userinfo delimiter |
| [ | %5B | IPv6 host delimiter |
| \| | %7C | Not in unreserved set |
Examples
Encoding a search query with spaces and an ampersand:
| Plain text | Encoded |
|---|---|
| hello world | hello%20world |
| name=Tom & Jerry | name%3DTom%20%26%20Jerry |
| https://example.com/?q=cats | https%3A%2F%2Fexample.com%2F%3Fq%3Dcats |
| café | caf%C3%A9 |
A redirect parameter that itself contains a URL:
/auth?next=/dashboard?team=acme&tab=billing (WRONG, breaks parsing)
/auth?next=%2Fdashboard%3Fteam%3Dacme%26tab%3Dbilling (correct, single param)
Common use cases
- API integration debugging. Backend developers paste failing request URLs into the decoder to see exactly what reached the server.
- OAuth callback troubleshooting. Identity provider URLs nest a redirect_uri inside the authorization URL; the decoder peels back the layers so you can verify the registered callback matches.
- Web analytics cleanup. Analysts decode utm_* parameters and search queries from referrer logs to read what visitors typed.
- Crafting deep links. Mobile developers encode app schemes and routes into HTTPS universal links so the OS routes them correctly.
- Sharing pre-filled forms. When you encode form values into a URL, the recipient opens the page with the fields already populated.
URL encode vs alternatives
| Tool | Best for | Offline | Cost | Limitations |
|---|---|---|---|---|
| This URL encoder | Quick encode/decode and inspection | Yes | Free | One string at a time |
| encodeURIComponent in DevTools | Inside an existing script | Yes | Free | Does not encode !, ', (, ), * |
| python -c "import urllib.parse" | Bulk encoding in scripts | Yes | Free | Requires command line setup |
| Browser address bar | Casual decoding by pasting | Yes | Free | Browser auto-decodes some characters silently |
Frequently asked questions
Why use URL encoding?
URL encoding keeps the syntax of a URL unambiguous. Without it, a query value containing & would be parsed as a parameter separator, and a # would be read as a fragment marker. Percent-encoding hides those characters from the parser so the receiver sees the value you intended.
What characters are safe in URLs?
Only the unreserved set is safe to use raw: letters A-Z and a-z, digits 0-9, and the four marks -, _, ., ~. Reserved characters and sub-delimiters need encoding when they appear inside a URL component rather than as a delimiter.
What is the difference between URL encoding and HTML encoding?
URL encoding rewrites characters as %HH byte triplets for transport in URLs. HTML encoding rewrites characters as named entities like &amp;amp; or numeric references like &amp;#38; for safe rendering inside HTML markup. Use the HTML Escape tool for the second case.
Should spaces become %20 or +?
In a URL path or generic query value, use %20. The + shorthand only applies to application/x-www-form-urlencoded form bodies. Mixing them confuses servers that follow RFC 3986 strictly.
Why does my decoded text look like caf%C3%A9?
Because the source was double-encoded. The first decode pass turns %25 back into %, leaving the second layer. Run the decoder a second time and the UTF-8 sequence resolves to café.
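The layer-by-layer decoding from this answer, combined with the redirect_uri check from the OAuth use case earlier on the page, as an added example that is not the tool's own code. The function names and the idp.example / app.example URLs are constructed for illustration.

```javascript
// Added example: record every decoding layer, then compare the
// once-decoded redirect_uri with the registered callback.
function decodeLayers(value, maxDepth = 5) {
  const layers = [value];
  for (let i = 0; i < maxDepth; i++) {
    const last = layers[layers.length - 1];
    let next;
    try {
      next = decodeURIComponent(last);
    } catch (e) {
      break; // malformed triplet or invalid UTF-8: keep the layers so far
    }
    if (next === last) break; // nothing left to decode
    layers.push(next);
  }
  return layers;
}

// Return the raw (still encoded) value of one query parameter.
// The key is compared literally, which is enough for unreserved names
// such as redirect_uri.
function rawQueryParam(url, name) {
  const q = url.indexOf('?');
  if (q === -1) return null;
  const query = url.slice(q + 1).split('#')[0];
  for (const pair of query.split('&')) {
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    if (key === name) return eq === -1 ? '' : pair.slice(eq + 1);
  }
  return null;
}

function checkRedirectUri(authUrl, registeredCallback) {
  const raw = rawQueryParam(authUrl, 'redirect_uri');
  if (raw === null) return { found: false, layers: [], doubleEncoded: false, matches: false };
  const layers = decodeLayers(raw);
  // A correctly built URL carries exactly one layer: [encoded, decoded].
  const decodedOnce = layers.length > 1 ? layers[1] : layers[0];
  return {
    found: true,
    layers,
    doubleEncoded: layers.length > 2,
    matches: decodedOnce === registeredCallback,
  };
}
```

Use the layers for inspection only: decoding until the text stops changing would also unwrap a value that legitimately contains a literal %HH sequence, so the comparison is made against the single-decoded value.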
Is URL encoding case sensitive?
The percent-encoded hex digits accept both cases, but RFC 3986 recommends uppercase (%2F, not %2f). The decoder accepts either.
Can I encode an entire URL at once?
You can, but it will encode the ://, ?, and / characters too, which breaks the URL. Encode each component (path segment, query value, fragment) separately and assemble them with literal delimiters.
Does the tool handle international domain names?
Domain names follow a separate encoding called Punycode, not percent-encoding. Use the IDN / Punycode Converter for hostnames written in non-ASCII scripts.
Related tools
- Base64 Encoder / Decoder: Convert binary data to ASCII for transport in JSON, headers, and data URLs.
- JWT Decoder: Split a JWT into its header, payload, and signature without a secret.
- HTML Escape / Unescape: Convert <, >, &, and quotes to HTML entities and back.
- URL Parser: Break a URL into its scheme, host, path, query, and fragment.