URL Encoder/Decoder

Percent-encode and decode URI components and full URLs

How it works

URL Encoder/Decoder — Percent-encode and decode URI components and full URLs. All processing happens in your browser — no upload, no signup, no email required. Free forever.

Last updated: 2026-05-06

Editor's note

We keep seeing the same bug in production code reviews — encodeURI versus encodeURIComponent — and it almost always shows up at 2am, when a webhook query string with a "+" in an email address gets silently eaten and a customer's reset link points at the wrong inbox. The two functions look interchangeable until you read the spec, and most people only read the spec after the postmortem. So we surface both modes side by side: the answer to "did you escape that for the right scope" stops being a guess you make at the keyboard.

We also refuse to send your URL anywhere. Half the time you are debugging this tool, the string in the box is a signed callback or a one-time token that should not exist outside your laptop. Encoding is local JavaScript — no fetch, no telemetry, no clever "share link" feature that quietly mirrors your input. If we are going to host the textarea your production secrets get pasted into, the least we can do is make sure nothing leaves the page.

About URL Encoder/Decoder

URLs can only safely transport a small subset of ASCII characters. The moment you need to put a space, a slash, an emoji, a Turkish "ş", or a query value containing "&" into a link, you have to percent-encode it. This URL encoder/decoder applies the exact same algorithms the browser uses internally — encodeURI for whole URLs and encodeURIComponent for individual query string values — so the output is byte-for-byte identical to what your code would produce.

Use it when you are crafting an OAuth redirect, debugging a webhook URL that arrived double-encoded, building a tracking link with UTM parameters that contain spaces, or pasting a non-ASCII path into Slack and getting a wall of "%C3%BC" garbage back. Switching modes lets you see how reserved characters like "/", "?" and "&" are treated differently between full-URL and component contexts — which is exactly where most encoding bugs hide.

Everything happens in your browser. Nothing about the URL — including any tokens, session ids, or PII in the query string — is sent to a server, logged, or cached. That matters when you are debugging a production link that contains a one-time signed parameter you do not want to leak.

How to use URL Encoder/Decoder

Paste your URL or raw text into the input box.
Pick a mode: encodeURIComponent for query parameter values, or encodeURI (full URL) for entire links.
Click Encode to convert raw characters into percent-escapes, or Decode to reverse a previously encoded string.
Copy the result with one click and drop it into your code, browser, or Postman request.
If decoding shows "Invalid encoded sequence", inspect the input for stray "%" signs not followed by two hex digits.

Common use cases

Building OAuth/SAML redirect URLs where the state and code parameters must survive intact.
Encoding non-ASCII filenames before putting them in Content-Disposition headers or S3 keys.
Cleaning up double-encoded URLs ("%2520" instead of "%20") that came out of a misconfigured proxy.
Producing safe query string values for tracking links containing spaces, ampersands or quotes.
Debugging webhook payloads where one service URL-encoded a value and another decoded it twice.

Tips & common mistakes

Use encodeURIComponent for any single value you put after "=" in a query string. Reserve encodeURI for the whole URL only — it leaves "&", "=", "?" and "/" alone on purpose.
Spaces inside query strings should become "%20", not "+". The "+" form only applies to application/x-www-form-urlencoded bodies, not to URL paths.
If a string round-trips through encode → decode and comes back with extra escapes, your input was already encoded once — decode it first, then re-encode.
Hash fragments ("#section") are kept by encodeURI but treated as literal text by encodeURIComponent — pick the mode that matches your context.

Frequently asked questions

What's the difference between encodeURI and encodeURIComponent?

encodeURI keeps URL structural characters like /, ?, & intact — for whole URLs. encodeURIComponent percent-encodes those too — for query parameter values, etc.

Why am I getting 'Invalid encoded sequence' on decode?

The input contains a malformed % escape (e.g. '%G1'). Check that all % signs are followed by two valid hex digits, and use 'Encode' on raw text first.

Is my data sent anywhere?

No. Encoding/decoding runs locally in your browser — nothing is uploaded or logged.

Does this tool handle non-ASCII characters like Turkish or emoji?

Yes. Input is interpreted as UTF-8 before percent-encoding, so "ç" becomes "%C3%A7" and a single emoji becomes a four-byte sequence — exactly matching RFC 3986 and what fetch() in the browser produces.

Can I encode an entire URL with query string in one shot?

Use "encodeURI (full URL)" mode and the structural characters /, ?, #, &, = stay intact while everything else is escaped. If you need to encode an individual parameter value (e.g. a redirect URL nested inside another URL), switch to encodeURIComponent for that piece only.

Why does "+" become "%2B" sometimes but stay as "+" other times?

In a URL path or query value handled by encodeURIComponent, "+" is reserved and becomes "%2B". In encodeURI mode it is treated as safe and left alone. The most common bug is mixing the two and getting an email like "name+tag@example.com" parsed as a space.