URL Encode and Decode Tool
Encode or decode URL text by context, compare percent escapes and plus-as-space behavior, and catch round-trip problems before copying or opening.{{ outputText }}
| # | Input token | Class | UTF-8 | Converted token | Copy |
|---|---|---|---|---|---|
| {{ row.index }} | {{ row.inputDisplay }} | {{ row.classLabel }} | {{ row.utf8 }} | {{ row.outputDisplay }} |
| # | Key | Value | Status | Copy |
|---|---|---|---|---|
| {{ row.index }} | {{ row.key }} | {{ row.value }} | {{ row.status }} {{ row.detail }} |
| Check | Status | Detail | Copy |
|---|---|---|---|
| {{ row.check }} | {{ row.status }} | {{ row.detail }} |
Introduction:
A URL has to do two jobs at once. It identifies a resource, and it carries pieces of data such as search terms, tracking labels, callback addresses, form fields, and fragment targets. Some characters belong to the URL's structure, while others are just the value being transported. Encoding is the boundary between those two roles.
Percent-encoding writes a byte as a percent sign followed by two hexadecimal digits. A space often becomes %20, and a non-ASCII character usually becomes several percent triplets because modern URLs commonly encode text as UTF-8 bytes first. The visible length of a URL can grow quickly even when the original text is short.
Context is the part that causes most mistakes. A slash is a path separator in a full URL, but it may need to be protected inside one path segment. An ampersand separates query parameters, but it should be encoded when it is part of a search phrase. A plus sign can mean a literal plus in one place and a space in form-style data.
Nested URLs add another trap. Redirect parameters, OAuth return values, analytics links, and QR payloads often contain one encoded URL inside another. A value such as %252F decodes first to %2F, then to /. The second pass can be useful for inspection, but it can also expose a separator that was intentionally kept inside a value.
| Context | Usually Structural | Common Mistake |
|---|---|---|
| Full URL | The scheme, host, path slashes, ?, &, =, and # |
Encoding the whole address as one value and breaking the link structure. |
| Query value | The surrounding query syntax, not the text inside the value. | Leaving & or = raw when the text should stay inside one field. |
| Path text | Slash separators only when they truly divide path segments. | Decoding %2F and turning one segment into two. |
| Form data | & and = between key-value pairs. |
Misreading a raw + as literal data when the form convention uses it for space. |
Decoding makes a URL easier to inspect, but readability is not the same as safety. A decoded link can reveal a hidden destination, a suspicious redirect, or a malformed parameter. It still needs a scheme, host, path, and Unicode review before it is opened or shared.
How to Use This Tool:
Start with the role of the text you pasted. A complete URL, one query value, a path, and a form body need different encoding rules.
- Paste a URL, URL component, query string, form value, path, or batch of lines into Text, URL, or query string. The default sample is local and changes as you type.
- Choose Operation. Auto detect decodes when it sees valid percent escapes, or plus signs in a form/query context, and otherwise encodes the source text.
- Set URL context to match the text's job. Use Full URL for an existing link, Component for one value, Path for slash-separated path text, Form value for one form field, and Query string for a full key-value body.
- Switch Line handling to batch mode when each non-empty line should be converted separately. Keep single mode when line breaks are part of the value being encoded or decoded.
- Open Advanced for nested percent escapes, literal plus signs, copied whitespace, Unicode normalization, strict RFC 3986 escaping, or existing
%XXsequences that should not be double-encoded.Use one decode pass for ordinary URLs. Increase Decode depth only when the first result still contains intentional nested escapes. - Read any Fix URL codec input or Review conversion context alert before copying. Malformed percent signs, suspicious context choices, and long outputs need review.
- Compare Converted Text with Character Audit, Query/Form Ledger, Escape Mix, and Round-trip Checks when the result will go into code, logs, tickets, requests, or documentation.
Open URL is only appropriate after the converted value is an expected
httporhttpsaddress and the host is the destination you intended. - Copy or download the result after the round-trip and context checks agree with the way the value will be reused.
Interpreting Results:
The summary gives the converted value in shortened form, input and output character counts, the resolved operation, the selected context, visible percent-escape count, and single or batch mode. Count changes are normal. One readable Unicode character can become several encoded bytes, while several percent triplets can decode into one character.
Converted Text is the value to reuse. Character Audit explains the first tokens by class, bytes, and converted token. Query/Form Ledger splits query or form pairs when the result can be parsed that way. Escape Mix counts characters, percent escapes, reserved delimiters, plus signs, and Unicode input. Round-trip Checks is the main review surface for malformed escapes, likely double encoding, plus-sign handling, URL length, and context fit.
- Pass means the selected setting did not reveal an obvious conversion issue. It does not certify that a URL is safe.
- Review usually means the context, malformed escape handling, plus-sign rule, or round-trip result needs human inspection.
- Warn on URL length means the result is long enough to run into client, proxy, server, or logging limits.
- Unexpected extra rows in Query/Form Ledger often mean a raw
&or=split text that was supposed to remain inside one value. - A complete URL encoded in Component mode will begin with text such as
https%3A%2F%2F. That is correct for embedding a URL as data, but wrong when the output should remain a clickable address.
Technical Details:
URI syntax separates reserved characters from unreserved characters. Unreserved characters such as letters, digits, hyphen, period, underscore, and tilde can usually remain readable. Reserved characters such as /, ?, #, &, and = can change the parse tree of a URL, so whether they stay literal depends on their context.
Percent-encoding works on bytes, not abstract characters. Text is prepared, optionally normalized, represented as UTF-8 bytes, and then escaped where the selected context requires it. Decoding reverses visible triplets into bytes and then text. Best-effort fallback keeps malformed percent prefixes visible so inspection can continue instead of silently discarding the confusing part.
Context Map
| Context | Encode Behavior | Best Fit |
|---|---|---|
| Full URL | Preserves normal URL syntax delimiters while escaping unsafe text. | Existing links with a scheme, host, path, query, and fragment. |
| Component | Escapes reserved delimiters, including /, ?, &, and =. |
One query value, token, fragment value, or path segment. |
| Path | Encodes path text while keeping slash separators readable. | Readable path strings such as /docs/api v2/intro. |
| Form value | Uses form-style spacing, where a space can be written as +. |
One field value for application/x-www-form-urlencoded data. |
| Query string | Preserves & and = between pairs while encoding names and values. |
Whole query strings or form bodies such as a=1&b=two words. |
Transformation Rules
| Stage | Rule | Why It Matters |
|---|---|---|
| Prepare text | Outer whitespace can be trimmed, batch mode converts each non-empty line, and Unicode can be kept as-is or normalized to NFC or NFKC. | Copied links may include accidental spaces, and visually similar Unicode text may compare differently. |
| Resolve direction | Auto mode decodes visible %HH escapes, or plus signs when form/query settings treat plus as a space. |
Mixed batch inputs can resolve to mixed directions, so each row should be checked before reuse. |
| Encode | The selected context decides which reserved delimiters remain literal. Strict RFC 3986 mode also escapes !, ', (, ), and *. |
Component encoding protects values from splitting the surrounding URL. |
| Preserve escapes | Existing valid %XX sequences can be preserved during encode, then normalized to uppercase, lowercase, or original case. |
Preservation helps avoid turning a valid %2F into %252F. |
| Decode | Decode depth can repeat from 1 to 8 passes and may treat raw + as a space for form-style text. |
Extra passes reveal nested values, but they can also expose separators that should remain encoded. |
Common Triplets
| Triplet | Decoded Character | Meaning Risk |
|---|---|---|
%20 | space | Readable in text, but invalid as a raw character in most URL positions. |
%2F | / | Can split one path segment into two segments. |
%3F | ? | Can start a query string. |
%23 | # | Can start a fragment, keeping later text out of the server request. |
%26 and %3D | & and = | Can split query pairs and values. |
%2B | + | Can be literal plus data, while a raw + may mean space in form data. |
Round-trip Checks
| Check | Review Trigger |
|---|---|
| Round trip | Encoded output does not decode back to the prepared source, or decoded output re-encodes with meaningful delimiter or spacing changes. |
| Malformed escapes | A percent sign is not followed by two hexadecimal digits, so fallback decoding leaves invalid pieces visible. |
| Double encoding risk | The source already contains valid percent escapes and preserve mode is off. |
| Plus handling | Form or query semantics are active, so a raw + may be read as a space. |
| URL length | Outputs above 2,000 characters need compatibility review; outputs above 8,000 characters get a stronger warning. |
| Context fit | A complete http or https URL is being encoded as one component. |
Privacy Notes:
Conversion, character audit rows, query parsing, chart counts, round-trip checks, copied text, downloads, and JSON output are produced in the browser from the text you enter. Using Open URL leaves the page and contacts the destination site, so check the scheme and host before opening unfamiliar converted links.
Worked Examples:
A whole search URL
Enter a complete search URL with a scheme, host, path, q=coffee grinder, sort=price desc, and a #reviews fragment. Keep Operation on Auto detect and choose Full URL. The result should keep the URL structure readable while encoding the spaces.
One query value
Enter coffee grinder & burrs, set Operation to Encode, and choose Component. The ampersand should become %26, so the phrase stays inside one query value instead of creating another parameter.
A form body with a literal plus
Enter q=coffee+grinder&email=user%2Btag%40example.com, set Operation to Decode, and choose Query string. The search value should show a space, while the email value should keep the literal plus from %2B.
A nested redirect value
A redirect such as next=https%253A%252F%252Fexample.com%252Fa%2520b needs careful depth. One pass reveals https%3A%2F%2Fexample.com%2Fa%20b; another pass reveals the readable URL. Stop before separators are decoded farther than the surrounding system expects.
FAQ:
Should I choose Full URL or Component?
Choose Full URL for a complete link whose separators should remain URL structure. Choose Component for one value that will be inserted into a larger URL.
Why did plus signs become spaces?
Form and query-string rules can read a raw + as a space. Turn off plus-as-space behavior, or choose a non-form context, when the plus sign is literal data.
When should decode depth be higher than one?
Use a higher depth only when the result still contains intentional nested escapes, such as a redirect URL encoded inside another URL. Stop when the text is readable enough to inspect.
Why preserve existing percent escapes?
Preserving existing escapes keeps valid triplets such as %2F from being encoded again as %252F. Turn it off only when the literal percent signs must be protected too.
What does a malformed percent warning mean?
A percent sign is not followed by two hexadecimal digits. The decoded result is useful for inspection, but the source should be fixed before the value is treated as a clean URL.
Why is Open URL unavailable?
Open URL is available only when the converted value is an absolute http or https URL. Components, relative paths, query strings, and malformed URLs need to be copied into their intended context instead.
Glossary:
- Percent triplet
- A percent sign followed by two hexadecimal digits representing one encoded byte.
- Reserved character
- A character such as
/,?,#,&, or=that can define URL structure. - Unreserved character
- A letter, digit, hyphen, period, underscore, or tilde that can usually remain readable in a URL.
- URL component
- One part of a URL, such as a query value, path segment, or fragment value.
- Query string
- The part after
?where key-value pairs are commonly separated by&. - Form encoding
- The
application/x-www-form-urlencodedconvention where spaces are commonly written as plus signs. - Decode depth
- The number of repeated decode passes applied to percent-encoded text.
- Round-trip check
- A comparison that checks whether encoding and decoding keep the expected value under the current settings.
References:
- RFC 3986: Uniform Resource Identifier (URI): Generic Syntax, RFC Editor, January 2005.
- URL Standard, WHATWG.
- MDN Web Docs: encodeURIComponent(), Mozilla.
- MDN Web Docs: URLSearchParams, Mozilla.