What is the difference between encodeURIComponent and encodeURI?

encodeURIComponent encodes everything except letters, digits, and -_.!~*'(). It is designed for encoding a single query-string value and will encode characters like /, ?, =, and & that form URL structure. encodeURI encodes fewer characters — it preserves the structural characters :/?#[]@!$&'()*+,;= so an entire URL can be encoded without destroying its structure. Use component mode for values, full-URL mode for complete URLs.

%20 is the URL-encoded form of a space character (ASCII code 32, hex 20). In query strings you will also see + used as a space (the application/x-www-form-urlencoded convention), but %20 is the standard RFC 3986 form. This tool always produces %20 for spaces.

What causes a malformed percent sequence error?

A percent sign in a URL must be followed by exactly two valid hexadecimal digits (0–9, A–F). If the browser's decodeURIComponent function encounters a % followed by non-hex characters — for example %GG or a lone % at the end — it throws a URIError. This tool catches that error and shows you which sequence is invalid.

Does this tool send my data to a server?

No. All encoding and decoding runs entirely in your browser using the built-in JavaScript functions encodeURIComponent, encodeURI, and decodeURIComponent. Nothing is transmitted — your text stays private and the tool works offline after the page loads.

Home › Tools › Developer Tools › URL Encoder / Decoder

URL Encoder / Decoder — Percent-Encode & Decode URLs Free

Percent-encode URL components or decode %xx sequences back to plain text. Supports component encoding and full URL mode. Detects malformed sequences. Runs entirely in your browser.

Encode full URL

Encodes in real time on paste

Input 0 chars

Encoded output

Output will appear here as you type…

Also try: Base64 Encoder/Decoder Unix Timestamp Converter JSON Formatter

About URL Encoder / Decoder

URL encoding (also called percent encoding) converts characters that are not allowed in a URL into a safe form: each byte is replaced by a percent sign followed by two uppercase hex digits. A space becomes %20. A forward slash becomes %2F. An ampersand becomes %26. This encoding exists because URLs are restricted to a subset of ASCII — anything outside that set must be encoded before it can be transmitted in an HTTP request.

This tool handles both operations in the browser. Encode: paste any text and get the percent-encoded form. Decode: paste any percent-encoded string and get the plain-text form. Malformed sequences — %GG, %Z5, any pair where the two characters after % are not valid hex — are detected and flagged with their position in the input rather than silently failing or producing garbage output.

Component mode vs Full URL mode

Component mode (the default) encodes a single URL component — a query-string parameter value, a path segment, or a fragment. It treats /, ?, =, &, #, @, and : as characters that must be encoded, because in the context of a parameter value these characters would break the URL structure. Equivalent to JavaScript's encodeURIComponent(). Use this when you're encoding something that will be embedded inside an existing URL.

Full URL mode encodes a complete URL while preserving its structure. It leaves /, ?, =, &, #, @, and : unencoded because they carry structural meaning in a full URL. It encodes non-ASCII characters and spaces. Equivalent to JavaScript's encodeURI(). Use this when you have a complete URL that contains international characters or spaces and needs to be made safe without breaking the URL's path, query, or fragment structure.

Double-encoding — what it is and how to detect it

Double-encoding is a common bug: a string gets run through an encoder twice. The first pass turns % into %25, so a second pass turns %20 (encoded space) into %2520. You'll see %2520 in the URL where you expect %20. To detect double-encoding: paste the string into the Decode tab. If the result still contains percent sequences (%20, %2F, etc.), you've decoded one layer and there's another. A properly single-encoded URL decodes to plain text with no remaining percent sequences.

Application/x-www-form-urlencoded and the + convention

HTML forms submitted via POST use the application/x-www-form-urlencoded content type, which encodes spaces as + rather than %20. This is a different convention from RFC 3986 percent encoding. Modern REST APIs expect %20 for spaces in query strings; legacy form-processing backends may expect +. This tool outputs %20 for spaces, following RFC 3986. If you need +-encoded form data, use the browser's native form submission or a dedicated form-encoding library.

Common use cases

Encoding a search query parameter — A developer builds a product search URL and needs to encode the user's query before appending it as a ?q= parameter. The query "blue denim jacket (size M)" encodes to blue%20denim%20jacket%20%28size%20M%29 in Component mode. Copy and append to the URL — the parentheses and spaces won't break the query string structure.
Decoding a redirect URL from a server log — An analyst reads server access logs and finds a redirect target written as %2Ftools%2Fjson-formatter%3Fq%3Dhello. Pasting into the Decode tab produces /tools/json-formatter?q=hello — the actual destination path, readable in two seconds without writing a script.
Encoding an OAuth callback URL as a parameter — An OAuth implementation needs to embed a full callback URL as the redirect_uri query parameter. The callback is https://app.example.com/auth/callback?session=xyz. In Component mode, this encodes to https%3A%2F%2Fapp.example.com%2Fauth%2Fcallback%3Fsession%3Dxyz — the slashes and equals sign are encoded because redirect_uri is a parameter value, not a URL position.
Diagnosing a double-encoding bug — A frontend developer sees %2520 appearing in API request URLs instead of the expected %20. Paste %2520 into the Decode tab: the result is %20. That's the first layer. Paste %20: the result is a space. Two decode rounds confirm double-encoding — encodeURIComponent() is being called twice on the same value. The fix is to remove one encoding call from the request-building code.
Testing API input validation with malformed sequences — A QA engineer needs URL strings with invalid percent sequences to verify an API's input sanitization. Type %ZZ or %GG into the Decode tab — the tool flags these as malformed with their position, confirming what the test input looks like before sending it to the API endpoint.

Frequently asked questions

What is URL encoding?

URL encoding (percent encoding per RFC 3986) converts characters that are not allowed in a URL into a safe representation. Each byte is replaced by a percent sign followed by two uppercase hex digits representing the byte value. Space (byte 0x20) becomes %20. A slash (byte 0x2F) becomes %2F. Every character outside the "unreserved" set (letters, digits, and - _ . ~) must be encoded when used as data in a URL component.

What is the difference between Component mode and Full URL mode?

Component mode (equivalent to JavaScript's encodeURIComponent) encodes structural URL characters including /, ?, =, &, #, @, and : — because in a parameter value those characters would break URL parsing. Full URL mode (equivalent to encodeURI) leaves those structural characters unencoded so the URL's structure is preserved. Use Component mode for a single value you're embedding inside a URL; use Full URL mode for a complete URL that contains unsafe characters.

What does %20 mean? Is it the same as +?

%20 is the percent-encoded form of a space (byte 0x20 in ASCII/UTF-8). The + sign also represents a space, but only in the application/x-www-form-urlencoded content type — the format used by HTML form POST requests. REST APIs and URL query strings should use %20. Some legacy PHP and Python form-processing backends expect +. When in doubt, use %20 — it's unambiguous in all contexts.

What is double-encoding?

Double-encoding happens when a string is encoded twice. The first encoding turns % into %25. A second encoding then turns %20 into %2520 (because % became %25, and the 20 passed through unchanged). You'll see %2520 where you expected %20, or %252F where you expected %2F. Fix: find the code path where encodeURIComponent() or equivalent is called and remove the duplicate call.

Which characters never need encoding in a URL?

The "unreserved characters" per RFC 3986 are always safe in any URL position: uppercase letters A–Z, lowercase a–z, digits 0–9, and the four symbols hyphen (-), underscore (_), period (.), and tilde (~). These 66 characters may appear in any URL component without encoding. Everything else — spaces, brackets, non-ASCII characters, most punctuation — must be percent-encoded.

What is a malformed percent sequence?

A malformed percent sequence is a % character not followed by exactly two valid hexadecimal digits. %GG, %Z5, %2 (truncated), and %2X are all malformed. URL parsers handle these inconsistently — some pass the literal characters through, some throw an error, some silently drop the sequence. This tool flags malformed sequences with their position in the input so you know exactly where invalid sequences are before the string reaches a URL parser.

Is this tool free?

Yes. No account required, no rate limit. All encoding and decoding runs in your browser — nothing is sent to a server.

How to encode or decode a URL

To encode: click the Encode tab. Paste your text into the input field — a query parameter value, a full URL, or any string that needs to be URL-safe.
Choose a mode: Component mode encodes everything including structural URL characters (/, ?, =, &). Full URL mode preserves those characters and encodes only unsafe characters. Component mode is the correct choice for encoding a parameter value to embed in an existing URL.
The encoded output appears immediately in the result field. Click Copy to copy it.
To decode: click the Decode tab. Paste any percent-encoded string. The decoded plain text appears immediately. Malformed sequences (e.g., %GG where GG is not valid hex) are highlighted with their position in the input.
To check for double-encoding: paste the string in the Decode tab. If the decoded output still contains percent sequences (%20, %2F, etc.), decode again — each pass removes one layer of encoding.

Keep going

More developer tools

LiveDeveloper

Base64 Encoder / Decoder

Encode text, files, or binary data to Base64 and decode Base64 back to text or download as binary. Free, runs in your browser.

Open tool

LiveDeveloper

Unix Timestamp Converter

Convert epoch timestamps to human-readable dates or any date to epoch. Auto-detects seconds vs milliseconds. Live clock.

Open tool

LiveDeveloper

JSON Formatter & Validator

Format, validate, and beautify JSON instantly. Pretty-print or minify. Error messages show line and column. Free, browser-side.

Open tool

LiveDeveloper

UUID Generator

Generate random, time-based, or sortable UUIDs instantly. UUID v4, v1, v7, and Nil. Quantity up to 100. Cryptographically secure.

Open tool