URL Encode and Decode Tool

Current conversion

Raw %XX URL

Fix URL codec input

{{ message }}

Review conversion context

{{ message }}

Text, URL, or query string:

Default example is safe and local; conversion updates as you type.

Operation:

Choose encode, decode, or let the tool infer the direction from visible escapes.

URL context:

Use component for query values, full URL for existing links, path for slash-separated paths, and form/query modes for key-value payloads.

Line handling:

Switch to batch when checking several URLs or components at once.

All encoding and decoding stays in this browser.

Decode depth: {{ boundedDecodeDepth }} pass{{ boundedDecodeDepth === 1 ? '' : 'es' }}

Use one pass for normal URLs; increase only when the output still contains intentional nested percent escapes.

passes

Treat + as space on decode:

On matches HTML form/query decoding; off keeps literal plus signs unless they appear as %2B.

Unicode normalization:

Leave unchanged unless you need NFC/NFKC-normalized Unicode for matching.

Percent escape case:

Uppercase is conventional and easiest to compare in logs.

Trim outer whitespace:

On is useful for copied links; off preserves exact pasted text.

Preserve existing %XX escapes:

On keeps %2F-style escapes during encode; off converts the percent sign to %25.

Strict RFC 3986 escapes:

On is best for interoperability; off mirrors native JavaScript encoder output.

{{ outputText }}

Character-by-character URL codec audit
#	Input token	Class	UTF-8	Converted token	Copy
{{ row.index }}	{{ row.inputDisplay }}	{{ row.classLabel }}	{{ row.utf8 }}	{{ row.outputDisplay }}

Decoded query or form key value rows
#	Key	Value	Status	Copy
{{ row.index }}	{{ row.key }}	{{ row.value }}	{{ row.status }} {{ row.detail }}

URL codec round trip and context checks
Check	Status	Detail	Copy
{{ row.check }}	{{ row.status }}	{{ row.detail }}

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

URL encoding turns characters that cannot safely travel in a URL into percent triplets such as %20, %2F, and %3D. Decoding reverses those triplets into readable text. The hard part is context: a character that is harmless inside a query value can be structural inside a full URL.

Reserved characters such as /, ?, #, &, and = separate URL parts. Encoding a full URL should usually preserve those separators, while encoding a component or query value should protect them so user text cannot accidentally become URL syntax. Form-style data adds another rule because a raw plus sign can represent a space in query or form values.

Nested encoding is common in redirects, analytics links, QR codes, and copied parameters. One pass can turn %252F into %2F, while another pass turns it into /. More passes are not automatically better because decoding too far can expose separators that were meant to remain data.

Readable output is not a safety signal. A decoded URL still needs its scheme, host, path, query keys, and suspicious Unicode characters checked before it is opened or shared. Encoding helps data travel through URL syntax; it does not validate trust.

How to Use This Tool:

Choose the URL context first, then inspect the converted text and checks for structural changes.

Paste a URL, component, path, form value, query string, or multiple values into Source text. The default sample is local and safe for testing.
Set Operation to Auto detect, Encode, or Decode. Auto mode decodes visible percent escapes and otherwise encodes with the selected context.
Choose URL context. Use Full URL when separators should remain URL structure, Component for query values, Path for slash-separated paths, and form or query modes for key-value payloads.
Set Line handling to single value or batch line by line. Batch mode converts each non-empty line separately and joins results with line breaks.
Open Advanced for decode depth, plus-as-space behavior, Unicode normalization, percent escape case, outer whitespace trimming, existing escape preservation, and strict RFC 3986 escaping.
Review Converted Text, then use Character Audit, Query/Form Ledger, Escape Mix, Round-trip Checks, and JSON when the result will be copied into code, logs, requests, or documentation.
Use Open URL only after the output is an expected http or https URL and the host is the intended destination.

If the tool asks for input, paste at least one non-empty value. If warnings mention malformed percent escapes or component mode on a full URL, fix the text or switch context before using the output.

Interpreting Results:

The summary shows a shortened version of the converted output, the input and output character counts, the resolved operation, the URL context, escape count, and single or batch mode. Count changes are normal because one readable character can become several percent-encoded bytes, and several percent triplets can decode into one Unicode character.

Converted Text is the value to copy or download. Character Audit explains the first tokens by class, UTF-8 bytes, and converted token. Query/Form Ledger splits query or form pairs from the converted text when it can find them. Round-trip Checks is the best false-confidence guard because it reports malformed escapes, double-encoding risk, plus handling, length, and context fit.

Pass means the check found no obvious issue under the current settings, not that the URL is safe.
Review usually means a context, plus sign, malformed escape, or round-trip detail needs human attention.
Warn on URL length means the output is long enough to hit limits in older clients or some servers.
If Component mode encodes a full URL, separators such as : and / become data. Switch to Full URL when you need the link structure preserved.

Technical Details:

Percent-encoding represents bytes as %HH, where HH is hexadecimal. Modern URL APIs encode Unicode text as UTF-8 bytes before producing those triplets. Decoding reverses the byte sequence back to text where possible, but malformed or partial triplets cannot be treated the same as valid byte escapes.

The selected URL context determines the safe set. Full URL mode preserves structural delimiters so an existing link stays a link. Component mode encodes those delimiters because the text is meant to live inside one URL component. Path mode preserves slash separators after component-style encoding. Form value and query string modes use form-style space handling, where spaces can become plus signs and plus signs may decode as spaces.

Transformation Core:

URL encoding and decoding transformation stages
Stage	Rule	Review Point
Prepare input	Optional outer whitespace trimming runs before conversion; batch mode removes empty lines from the conversion set.	Character counts use the prepared source.
Resolve operation	Auto mode decodes when percent escapes are visible, or when plus-as-space rules indicate form-like data.	Mixed batch lines can resolve to mixed operation.
Encode	Selected context chooses which URL separators remain literal; strict mode additionally escapes selected RFC 3986 reserved marks.	Round-trip check catches obvious double-encoding risk.
Decode	One to eight passes decode valid percent bytes and optionally treat plus as space.	More passes can reveal structure that was intended to stay encoded.
Audit	Character rows, query/form rows, escape mix, and checks are built from the converted text and settings.	Use these rows before opening or copying unfamiliar URLs.

Context Map:

URL context encoding differences
Context	Encode Behavior	Best Fit
Full URL	Preserves URL syntax delimiters while escaping unsafe characters.	Existing links such as `https://example.com/search?q=a b`.
Component	Escapes reserved separators such as `/`, `?`, `&`, and `=`.	One query value, path segment, or token.
Path	Encodes path text but keeps slash separators.	Readable paths with spaces or Unicode labels.
Form value	Encodes spaces as `+` and decodes plus as space by default.	HTML form-style field values.
Query string	Preserves `&` and `=` between pairs while encoding keys and values.	Whole query strings or form bodies.

Triplets That Commonly Change Meaning:

Common percent triplets and URL meaning
Triplet	Decoded Character	Why It Matters
`%20`	space	Readable in text, but must be encoded again inside most URLs.
`%2F`	`/`	Can split one path segment into two segments.
`%3F`	`?`	Can start a query string.
`%23`	`#`	Can start a fragment and hide the rest from the server request.
`%26` and `%3D`	`&` and `=`	Can split query pairs and values.
`%2B`	`+`	Can be literal plus data; raw `+` may decode as a space in form contexts.

Worked Mechanism Path:

Nested URL encoding and decoding path
Step	Example State	Meaning
Source	`q=coffee+grinder&redirect=https%3A%2F%2Fexample.com%2Fa%2520b`	A query string has form spaces and a nested encoded redirect value.
One decode pass	`q=coffee grinder&redirect=https://example.com/a%20b`	Plus becomes space, and the redirect URL becomes readable but still contains an encoded space.
Second decode pass	`q=coffee grinder&redirect=https://example.com/a b`	The nested space is visible, but it must be re-encoded before using that URL literally.
Encode as query string	`q=coffee+grinder&redirect=https%3A%2F%2Fexample.com%2Fa+b`	Keys and values are encoded while pair separators remain.

Privacy Notes:

Encoding, decoding, character audit, query parsing, chart rows, checks, and JSON output are produced in the browser from the text you enter. Opening a converted URL leaves the page and contacts the destination site, so do not use Open URL until the host and scheme are expected.

Worked Examples:

Full URL with spaces. Enter https://example.com/search?q=coffee grinder&sort=price desc, choose Full URL, and encode. Converted Text should keep https://, ?, and & as structure while encoding spaces in the query values.

One query value. Enter coffee grinder & burrs with Component selected. The ampersand should become encoded data instead of splitting a query string.

Form body decode. Enter q=coffee+grinder&email=user%2Btag%40example.com with Query string or form body. Query/Form Ledger should show the search value with a space and the email value with a literal plus from %2B.

Double-encoding repair. If Round-trip Checks reports double-encoding risk, turn Preserve existing %XX escapes on before encoding source text that already contains valid percent triplets.

FAQ:

Should I choose Full URL or Component?

Choose Full URL for an existing link whose separators should remain structure. Choose Component for one value that will be inserted into a URL.

Why does Auto detect decode my text?

Auto mode decodes when it sees valid percent escapes, or when plus-as-space rules indicate form-like data. Choose Encode or Decode manually when the direction must be fixed.

Why did plus signs turn into spaces?

Treat + as space on decode is on, or the selected context uses form/query semantics. Turn it off for paths, tokens, or values where + is literal data.

What does fallback decoding mean?

The input contains malformed or partial percent escapes. Valid percent-byte groups are decoded where possible, and invalid pieces remain visible for review.

Does decoded output mean the URL is safe?

No. Decoding only changes representation. Check the host, scheme, path, query pairs, and round-trip warnings before opening or sharing the result.

Glossary:

Percent triplet: A percent sign followed by two hexadecimal digits representing one encoded byte.
Reserved character: A character such as /, ?, #, &, or = that can define URL structure.
URL component: One part of a URL, such as a query value or path segment.
Form value: Text encoded with form-style rules where spaces commonly become plus signs.
Decode depth: The number of repeated decode passes applied to percent-encoded text.
Round-trip check: A review row that compares encode and decode behavior under the current settings.

References:

RFC 3986: Uniform Resource Identifier (URI): Generic Syntax, IETF, January 2005.
URL Standard, WHATWG.
encodeURI(), MDN Web Docs.
URLSearchParams, MDN Web Docs.