Free tools that run locally in your browser with zero data storage.
Tyzo
Browse Tools

URL Encoder & Decoder

Encode special characters for safe URL transmission and decode percent-encoded strings. Essential for web development, API testing, and form data handling.

Try These Examples

Encode "Hello World!" Encode Query Parameter Decode "Hello%20World%21" Decode Full URL Special Characters

Understanding URL Encoding (Complete Guide)

URL encoding (percent encoding) converts special characters into a format that can be safely transmitted over the internet. URLs can only contain ASCII characters from a limited set. Any character outside this set must be encoded.

When you see `%20` in a URL, that's a space character encoded. `%2F` is a forward slash, `%3F` is a question mark, and `%26` is an ampersand. URL encoding replaces unsafe characters with a `%` followed by two hexadecimal digits representing the character's ASCII code.

Why URL Encoding Matters:
  • 🔒 Safe Transmission: URLs with spaces, quotes, or non-ASCII characters break when shared. Encoding ensures universal compatibility.
  • 📝 Form Submissions: Browser automatically encodes form data before sending to server (application/x-www-form-urlencoded).
  • 🔍 Search Queries: Spaces become `%20` or `+` in search URLs. Special characters in searches must be encoded.
  • 🌐 International URLs: Non-ASCII characters (Chinese, Arabic, emojis) become percent-encoded for RFC 3986 compliance.
  • 📊 API Parameters: REST APIs require encoded query parameters. JSON or XML in URL parameters must be encoded.
  • 🔗 Shareable Links: Email clients and messaging apps handle encoded URLs reliably. Raw URLs with spaces break.
  • 🛡️ Security: Prevents injection attacks. User input in URLs must be encoded to prevent malicious characters.
URL Encoding Examples: 
Space: " " → %20
Exclamation: "!" → %21
Question Mark: "?" → %3F
Ampersand: "&" → %26
Equals: "=" → %3D
Forward Slash: "/" → %2F
Colon: ":" → %3A
At Symbol: "@" → %40
Hash: "#" → %23

URL Character Encoding Reference

CharacterEncodedCharacterEncodedCharacterEncodedCharacterEncoded
space%20!%21"%22#%23
$%24%%25&%26'%27
(%28)%29*%2A+%2B
,%2C-%2D.%2E/%2F
0-9%30-%39:%3A;%3B<%3C
=%3D>%3E?%3F@%40
A-Z%41-%5A[%5B\%5C]%5D
^%5E_%5F`%60a-z%61-%7A
{%7B|%7C}%7D~%7E

Unreserved characters (A-Z, a-z, 0-9, -, _, ., ~) don't need encoding. All other characters require percent encoding.

encodeURIComponent vs encodeURI: Key Differences

encodeURIComponent()

Encodes ALL special characters including / ? & #. Use for encoding query parameter values, form data, and any user input placed in URLs.

encodeURIComponent("hello world?q=test") 
→ "hello%20world%3Fq%3Dtest"

When to use: Query parameter values, POST form data, hash fragments, user input in URLs.

encodeURI()

Preserves URL structure characters (/ ? & #). Use for encoding entire URLs while keeping them valid.

encodeURI("https://example.com/search?q=hello world") 
→ "https://example.com/search?q=hello%20world"

When to use: Full URLs, redirect URLs, href attributes, when you need to keep URL structure intact.

Critical Difference:

Using `encodeURIComponent()` on a full URL breaks it (encodes / and ?). Using `encodeURI()` on a query parameter value leaves special characters unencoded, causing parsing errors. Choose based on what you're encoding!

12 Costly URL Encoding Mistakes

Mistake #1: Using encodeURIComponent on Full URLs

encodeURIComponent("https://example.com") → "https%3A%2F%2Fexample.com" (broken). Use encodeURI() for full URLs to preserve :// and /.

Mistake #2: Using encodeURI on Query Parameters

encodeURI("hello&world") → "hello&world" (ampersand unencoded). Use encodeURIComponent() for parameter values to encode &, =, #, ?.

Mistake #3: Double Encoding

encodeURIComponent("hello%20world") → "hello%2520world" (% becomes %25). Check if data is already encoded before encoding again.

Mistake #4: Forgetting to Decode Before Display
Mistake #5: Not Encoding Spaces as %20

Some systems accept + for spaces (form data), but RFC 3986 requires %20. Use %20 for standard URL encoding, + for application/x-www-form-urlencoded.

Mistake #6: Encoding Already Safe Characters

A-Z, a-z, 0-9, -, _, ., ~ don't need encoding. Encoding them increases length without benefit. Only encode unsafe characters.

Mistake #7: Not Handling Unicode Correctly

Non-ASCII characters (é, ñ, 😀) need UTF-8 encoding first, then percent encoding. Our tool handles UTF-8 automatically.

Mistake #8: Forgetting to Encode Hash (#) in Fragments

Hash in URL fragment (after #) doesn't need encoding. Hash in query parameter value MUST be encoded as %23.

Mistake #9: Inconsistent Encoding in API Design

Some APIs expect + for space, others expect %20. Document your encoding standard. Most REST APIs use %20.

Mistake #10: Not Encoding User Input in Redirect URLs

Unencoded user input in redirect URLs enables open redirect vulnerabilities. Always encode redirect parameters.

Mistake #11: Assuming + is Always Space

In URL paths, + is literal plus sign. Only in query strings (application/x-www-form-urlencoded) does + represent space. Use %20 for standard URL encoding.

Mistake #12: Not Testing Edge Cases

Test encoding with special characters: spaces, ampersands, equals, hashes, non-ASCII, emojis. Each can break if encoded incorrectly.

Real-World URL Encoding Applications

Search Queries

Google search: "https://www.google.com/search?q=url+encoding+tutorial". Spaces become + or %20. Special characters like & become %26.

Mailto Links

`mailto:user@example.com?subject=Hello%20World&body=Check%20this%20out` — spaces and special characters in subject/body must be encoded.

Social Media Sharing

Twitter share URL: `https://twitter.com/intent/tweet?text=Check%20this%20out&url=https%3A%2F%2Fexample.com`. Text and URL parameters must be encoded.

REST API Parameters

`GET /api/search?q=hello%20world&filter=active%3Dtrue` — query parameter values require encodeURIComponent encoding.

Share Buttons

Facebook, LinkedIn, Pinterest share URLs require encoded page titles, descriptions, and URLs for clean sharing.

Database URL Fields

Storing raw user input in URL fields can break applications. Always encode before storage or decode before display.

You Might Also Like These Developer Tools

Base64 Encoder/Decoder JSON Formatter Color Converter URL Slug Generator Schema Generator

Frequently Asked Questions About URL Encoding

What is URL encoding and why is it needed?
URL encoding (percent encoding) converts special characters into a safe format for URLs. URLs can only contain ASCII characters from a limited set (A-Z, a-z, 0-9, -, _, ., ~). Spaces, quotes, ampersands, equals, and non-ASCII characters must be encoded as %XX. Without encoding, URLs break or are misinterpreted by web servers.
What's the difference between encodeURI and encodeURIComponent?
encodeURI() preserves URL structure characters (:/?#[]@) — use for full URLs. encodeURIComponent() encodes ALL special characters including /?& — use for query parameter values, form data, and user input. Example: encodeURI("https://example.com?q=hello world") preserves the URL. encodeURIComponent("hello world?q=test") encodes everything.
When should I use %20 vs + for spaces?
Use %20 for standard URL encoding (RFC 3986) — works everywhere. Use + for application/x-www-form-urlencoded content type (HTML form submissions). Most modern systems accept both, but %20 is the standard. When in doubt, use %20 for maximum compatibility.
Does URL encoding work with non-English characters?
Yes! Non-ASCII characters (é, ñ, ü, ç, 中文, العربية, 😀) are first converted to UTF-8 bytes, then percent-encoded. Example: "café" → "caf%C3%A9" (é is 0xC3 0xA9 in UTF-8). Our tool handles UTF-8 automatically for both encoding and decoding.
What's the maximum URL length after encoding?
URL length limits vary by browser: Chrome (2MB), Firefox (64KB), Safari (80KB), IE (2KB). Encoding expands characters (space 1→3 bytes). A 1000-character string becomes ~3000 characters encoded. Keep URLs under 2000 characters for cross-browser compatibility.
How do I encode form data correctly?
HTML forms with method="GET" automatically encode data in URL. JavaScript fetch API: use encodeURIComponent on each parameter value. Example: `?name=${encodeURIComponent(name)}&email=${encodeURIComponent(email)}`. For POST forms with application/x-www-form-urlencoded, the browser handles encoding automatically.
Why does my decoded text show � (replacement character)?
The � character indicates invalid UTF-8 sequence. Possible causes: decoding non-UTF-8 data as UTF-8, double-decoding, or corrupt input. Ensure your input is correctly encoded. Our tool uses UTF-8 decoding — if you see �, the original encoding wasn't UTF-8 or the input is corrupted.
How do I encode a URL for mailto links?
Use encodeURIComponent for subject and body parameters. Example: `mailto:user@example.com?subject=${encodeURIComponent("Hello World")}&body=${encodeURIComponent("Check this out")}`. This ensures spaces, line breaks, and special characters work correctly in email clients.
Does this tool work on mobile devices?
Yes! The URL encoder/decoder is fully responsive and works on phones, tablets, and desktops. Switch between encode/decode modes, choose encoding type, and get results instantly. Perfect for debugging API calls on the go.
Is this URL encoder/decoder really free?
Yes, completely free! No sign-up, no credit card, no hidden fees. No limits on how much data you encode or decode. We keep it free through non-intrusive advertising that respects your privacy. Your data never leaves your browser — we don't store or log anything. Use it for web development, API testing, or form data handling.

Encode & Decode URLs Instantly

Free URL encoder/decoder for web developers. Encode special characters and decode percent-encoded strings.

Explore All Developer Tools

Tyzo

Free online tools for SEO, business, image, and developer workflows with a privacy-first experience built around local browser processing.

Explore

All Tools Privacy Policy Terms Contact

Why people trust Tyzo

Tyzo is designed for people who want fast utility without unnecessary data collection or sign-up friction.

No signup required for everyday use.
Local-first processing model across supported tools.
Privacy and cookie controls presented clearly.
© 2026 Tyzo. Built for practical work with a privacy-first mindset.