SamCalculator

URL Encode / Decode Tool

Instantly encode and decode URLs, query strings, special characters, and web-safe text directly in your browser with real-time conversion.

Encodes all special characters except: A–Z a–z 0–9 - _ . ! ~ * ' ( )

Related Developer Tools

More utility tools from SamCalculator for developers, security professionals, and power users.

What Is URL Encoding?

URL encoding, formally called percent encoding, is the process of converting characters that are unsafe or reserved in a URL into a format that can be safely transmitted over the internet. Every character that falls outside the set of unreserved characters — letters, digits, hyphens, underscores, dots, and tildes — must be replaced with a percent sign followed by its two-digit hexadecimal UTF-8 code. A space, for example, becomes %20; the Euro sign becomes %E2%82%AC.

URL decoding is the reverse: converting those %XX sequences back into their original characters. Both operations happen constantly in modern web development — every form submission, every API call, every search query. This tool performs both operations instantly in your browser, with zero data sent to any server.

How URL Encoding Works

The Encoding Step

Each character is first converted to its UTF-8 byte representation. Each byte is then written as a percent sign followed by the two uppercase hexadecimal digits of that byte value. A multi-byte character like é (U+00E9) produces two bytes — 0xC3 and 0xA9 — yielding %C3%A9.

The Decoding Step

Each %XX sequence is interpreted as a hexadecimal byte value. Consecutive sequences belonging to a single multi-byte character are grouped and decoded together using UTF-8 to recover the original Unicode code point. If any sequence is malformed (incomplete or non-hex), decoding fails gracefully with an error message.

Reserved vs Unreserved

RFC 3986 splits URL characters into reserved characters that have structural meaning (: / ? # [ ] @ ! $ & ' ( ) * + , ; =) and unreserved characters that are always safe (A–Z a–z 0–9 - _ . ~). Reserved characters must be encoded when they appear inside a value, not as structure.

encodeURI vs encodeURIComponent

encodeURI() encodes a complete URL and preserves structural characters like :/?#. encodeURIComponent() encodes everything except unreserved characters — ideal for encoding individual query parameter values before concatenating them into a URL.

6 Ways Developers Use URL Encoding

01

Building API Requests

Encode query parameter values before appending them to endpoint URLs. Never trust raw user input directly in a URL — spaces and special characters will break the request.

02

Form Submission

HTML forms with method GET encode the form data as application/x-www-form-urlencoded, replacing spaces with + and encoding reserved characters before appending to the URL.

03

Sharing Deep Links

When building share URLs that include dynamic content (search terms, filter states, coordinates), encode the payload so it survives copy-paste, email clients, and social-media link shorteners.

04

OAuth & JWT Tokens

Access tokens, ID tokens, and PKCE code challenges often contain +, /, and = characters from base64. Encode them with encodeURIComponent before placing in a redirect URI.

05

Webhook Payloads

Webhook callback URLs frequently include encoded event metadata or replay tokens. Decode them server-side before parsing to avoid off-by-one errors in signature verification.

06

SEO-Safe Slugs

Non-Latin characters in URL paths (Arabic, Chinese, emoji) must be percent-encoded for full HTTP compatibility. Encoding ensures the slug survives all intermediaries and reverse proxies.

URL Encoding Best Practices

  • Always use encodeURIComponent() on individual query parameter values, never on the full URL.
  • Encode data before inserting it into a URL — not after — to prevent double-encoding bugs.
  • Never encode the structural delimiters (?, &, =, /) that separate URL components.
  • Use the + shorthand for spaces only inside query strings — never inside the path.
  • Prefer uppercase hex digits in percent sequences for strict RFC 3986 compliance (e.g. %2F not %2f).
  • Always decode received URL parameters before using them in database queries or file paths.

Why URL Encoding Matters for Security

Improper URL encoding is not just a compatibility issue — it is a security vulnerability. Missing or double encoding can enable path traversal attacks (%2F/), open redirect exploits, and SSRF (Server-Side Request Forgery). OWASP lists improper URL handling in the top ten web application risks.

On the SEO side, canonicalization inconsistencies caused by mixed encoded and decoded characters in URLs can lead Google to treat the same page as duplicates, splitting PageRank and diluting rankings. Consistent, correct encoding is a foundational technical-SEO requirement.

Tricky Encoding Edge Cases

Double Encoding

Encoding an already-encoded string converts % into %25, turning %20 into %2520. Always check whether your input is already encoded before processing.

The + vs %20 Trap

In query strings, + is widely interpreted as a space. But in URL paths, + is a literal plus sign — only %20 means space. Using + in a path will confuse servers and proxies.

Emoji in URLs

Emoji encode to multi-byte UTF-8, producing long sequences (🚀 = %F0%9F%9A%80). Many link-shorteners and email clients silently truncate URLs at unusual byte boundaries — keep emoji out of paths.

IDN Hostnames

Internationalized domain names like münchen.de are encoded using Punycode (xn--mnchen-3ya.de), not percent-encoding. Do not percent-encode the hostname — only the path and query components.

Fragment Encoding

The URL fragment (#section) is processed by the browser only — it is never sent to the server. Encoding issues in fragments typically break client-side anchor navigation rather than server-side routing.

Core Encoding Rules

MethodPreservesEncodesBest For
encodeURI(): / ? # [ ] @ ! $ & ' ( ) * + , ; = ~ - _ .Spaces, non-ASCII, control charsFull URLs
encodeURIComponent()A–Z a–z 0–9 - _ . ! ~ * ' ( )All reserved chars, spaces, non-ASCIIQuery values, path segments
RFC 3986 StrictA–Z a–z 0–9 - _ . ~Everything else, including ! ' ( ) *OAuth, JWT, strict APIs
Query String (+ spaces)A–Z a–z 0–9 - _ . ! ~ * ' ( )Reserved chars; spaces become +HTML form GET submissions
Form DataA–Z a–z 0–9 - _ . ~All reserved chars; spaces become +HTML form POST, fetch body

Common URL Encoding Mistakes

Mistake

Encoding the full URL with encodeURIComponent()

Fix: Only use encodeURIComponent() on individual values — it will destroy the : and // in the protocol.

Mistake

Forgetting to encode square brackets [ ]

Fix: RFC 3986 reserves [ ] for IPv6 literals only. In query values, encode them as %5B and %5D.

Mistake

Using + for spaces in URL paths

Fix: Paths only recognize %20 as a space. The + symbol is literal in path context — only use + in query strings.

Mistake

Not encoding & inside attribute values

Fix: In HTML attributes, & must be & and query strings must be fully encoded before embedding in href.

Mistake

Double-decoding user input on the server

Fix: Decode exactly once. Decoding twice can let attackers sneak in %2500 → %00 → null byte injections.

Mistake

Assuming ASCII-only URLs are safe

Fix: Many browsers silently encode non-ASCII path characters differently. Always encode explicitly rather than relying on browser behavior.

100% Private — No Data Leaves Your Browser

Every encoding and decoding operation in this tool is performed using the JavaScript encodeURIComponent, decodeURIComponent, and URL APIs built directly into your browser. No text, URL, or API key you enter here is ever transmitted to SamCalculator servers or any third party. Your data is processed locally and disappears when you close the tab.

Frequently Asked Questions

URL encoding, also called percent encoding, converts characters that are unsafe or have special meaning in a URL into a percent sign followed by two hexadecimal digits representing the UTF-8 byte value of the character. A space (ASCII 32, hex 0x20) becomes %20; the Euro sign (€, U+20AC) becomes %E2%82%AC because it requires three UTF-8 bytes. This ensures the URL is safely transmitted across all HTTP intermediaries, browsers, and servers regardless of character set support.

URLs can only safely contain a limited set of printable ASCII characters. Characters outside this set — including spaces, accented letters, emoji, Chinese characters, and mathematical symbols — must be encoded or they corrupt the URL structure during transmission. Reserved characters like ?, &, =, #, and / have structural meaning in URLs; when they appear as data values inside a parameter, they must also be encoded to prevent the URL parser from misinterpreting them as structural delimiters.

URL decoding is the reverse of URL encoding: it converts percent-encoded sequences like %20, %26, and %C3%A9 back into their original characters. Servers automatically decode URL parameters before passing them to application code, but developers often need to manually decode values for debugging, API testing, logging, or when working with raw HTTP request data. This tool decodes any percent-encoded string instantly in your browser.

Characters that must be encoded include: spaces, control characters (0x00–0x1F and 0x7F), non-ASCII characters (anything above U+007F), and reserved characters when used as data rather than URL structure. The reserved characters are: : / ? # [ ] @ ! $ & ' ( ) * + , ; =. The unreserved characters that never need encoding are: A–Z, a–z, 0–9, hyphen (-), underscore (_), period (.), and tilde (~). Everything else should be percent-encoded for maximum compatibility.

Percent encoding is the official technical name for URL encoding, defined in RFC 3986. The process has two steps: first, convert the character to its UTF-8 byte sequence; second, write each byte as a percent sign (%) followed by two uppercase hexadecimal digits. Single-byte ASCII characters like @ produce one sequence (%40); multi-byte Unicode characters produce multiple sequences — for example, é (U+00E9) produces two UTF-8 bytes 0xC3 and 0xA9, yielding %C3%A9.

RFC 3986 (Uniform Resource Identifier: Generic Syntax) is the Internet Engineering Task Force standard published in January 2005 that precisely defines how URIs and URLs are structured, parsed, and encoded. It replaced the earlier RFC 2396 (1998) and RFC 1738 (1994). RFC 3986 defines three character classes: unreserved characters (always safe as-is), reserved characters (have structural meaning, must be encoded when used as data), and all others (must always be percent-encoded). JavaScript's encodeURIComponent() follows RFC 3986 closely but does not encode the characters ! ' ( ) *, which strict RFC 3986 requires.

Yes. Unicode characters are first converted to their UTF-8 byte representation, then each byte is percent-encoded. For example, the Chinese character 中 (U+4E2D) has three UTF-8 bytes — 0xE4, 0xB8, 0xAD — yielding %E4%B8%AD. Emoji, which use 4-byte UTF-8 sequences, produce four percent-encoded groups: 🚀 (U+1F680) becomes %F0%9F%9A%80. Modern browsers handle this automatically in the address bar, but always encode explicitly when constructing URLs programmatically to guarantee cross-platform compatibility.

No — they are completely different encoding schemes for different purposes. URL encoding (percent encoding) converts specific characters to %XX sequences and is designed to make arbitrary text safe for use inside URLs. Base64 encoding converts arbitrary binary data into a string of 64 printable ASCII characters and is used for transmitting binary data in text-only systems like email or JSON. Base64 output itself often needs URL encoding because it contains +, /, and = characters that have structural meaning in URLs — this is why URL-safe base64 variants replace + with - and / with _.

A URI (Uniform Resource Identifier) is any string that uniquely identifies a resource. A URL (Uniform Resource Locator) is a URI that additionally specifies the mechanism to access the resource — it includes the scheme (https://), authority (domain name), and path. All URLs are URIs, but not all URIs are URLs. A URN (Uniform Resource Name) like urn:isbn:9780131103627 is a URI that names a resource without telling you where to find it. In everyday web development, the terms URL and URI are often used interchangeably since most identifiers encountered in HTTP work are also locators.

encodeURI() is designed to encode a complete, already-formed URL. It preserves the structural characters : / ? # [ ] @ ! $ & ' ( ) * + , ; = that give a URL its meaning, so https://example.com/path?q=hello stays intact. encodeURIComponent() encodes everything except the unreserved characters A–Z a–z 0–9 - _ . ! ~ * ' ( ), making it ideal for encoding individual query parameter values or path segments before embedding them in a URL. Use encodeURI() on complete URLs; use encodeURIComponent() on values that will be placed inside a URL.

Paste the encoded URL or string into the Input field on this tool, select the matching encoding method (URI Component for most query values, Query String if spaces appear as +), and click 'Decode URL'. For single characters, the Reference tab shows the decoded value for every common percent sequence. In JavaScript, use decodeURIComponent() for parameter values or decodeURI() for full URLs. In Python, use urllib.parse.unquote(encoded_string). In Java, use URLDecoder.decode(str, StandardCharsets.UTF_8). Always catch the URIError / IllegalArgumentException that is thrown when the input contains malformed percent sequences.