Uniform Resource Locator (URL) Encoder
Encode URLs, URL components, form values, and path fragments into safe percent-escaped output with character-level review, QR handoff, and exportable results.{{ summaryTitle }}
{{ mainOutput }}
| # | Input | Class | UTF-8 bytes | Encoded | Copy |
|---|---|---|---|---|---|
| {{ row.idx }} | {{ row.charDisplay }} | {{ row.classLabel }} | {{ row.utf8 }} | {{ row.encodedDisplay }} |
| Key | Decoded value | Copy |
|---|---|---|
| {{ row.key }} | {{ row.value }} | |
| No query parameters | ||
Introduction:
A percent-encoded URL keeps special characters safe in transit, but it also hides where a link really goes. A copied string full of %2F, %3F, %26, repeated query keys, or an xn-- hostname is harder to judge quickly. This page turns that encoded text back into something you can inspect, clean, and reuse without losing the final shareable result.
The input can be a full link, a host and path without a scheme, or plain text that only looks URL-like. After decoding and cleanup, the result settles into one of two modes. When the output still behaves like a URL, the page highlights the host, path, query count, and surviving parameters. When it does not, the character and payload views stay useful for reading suspicious text, tokens, or encoded fragments that never become a navigable link.
That mix is useful when one pass is never enough. A redirect target may need two or three decode rounds before the hidden path appears. A campaign link may need tracker stripping, duplicate handling, and fragment removal before it is worth sharing. A suspicious parameter may turn out to be Base64 or JSON instead of plain text. The page keeps those jobs together so you do not have to bounce between separate decoders, query inspectors, and export utilities.
All processing stays in the browser session. That improves privacy when you are checking internal links, callback URLs, or copied payloads. It does not make the destination trustworthy. A cleaner link can still point to the wrong site, and a decoded payload can still contain sensitive data or misleading instructions.
Technical Details:
RFC 3986 treats percent-encoding as a way to represent octets inside a URI. That matters because not every decoded character is harmless. Letters, digits, hyphen, period, underscore, and tilde are unreserved characters, so decoding them normally just improves readability. Reserved characters such as /, ?, #, &, and = can change the structure of the address once they reappear. The Character Audit makes that distinction visible for the final output rather than the original raw string.
Decoding here is iterative, not one-shot. The page can run several decode passes in sequence, with an optional form-style rule that treats plus signs as spaces before each pass. That extra rule is useful for copied query data, but it is not a universal URL rule, so it stays opt-in. If decoding fails because the escape pattern is malformed, the page falls back to the original input instead of emitting a partly decoded string that could mislead you.
URL recognition comes after decoding. If the text already has a scheme, it is parsed directly. If it looks like a hostname with a path or query but no scheme, the page temporarily assumes an HTTPS base so it can inspect host, path, and parameters. When the original string had no scheme, the rebuilt output is written back without inventing one. That lets you review a host and path cleanly while preserving the original shape of a scheme-less input.
Normalization then runs in a consistent order. The page can force http or https, convert internationalized hostnames to readable Unicode, strip embedded credentials, remove common tracker keys, drop empty parameters, deduplicate repeated keys, sort surviving parameters, remove fragments, normalize dot segments, collapse repeated slashes, lowercase the host, remove a leading www., trim trailing slashes, remove default ports, and standardize the case of percent escapes. Unicode text can also be normalized to NFC or NFKC before parsing. NFC helps equivalent text compare more consistently, while NFKC can fold compatibility characters and therefore deserves a deliberate choice.
| Stage | What the page does | Why it matters |
|---|---|---|
| Decode passes | Repeatedly decodes percent escapes until the text settles or the chosen depth is reached. | Reveals double-encoded paths like %252F that need more than one pass. |
| URL shape check | Parses either a full URL or a host-plus-path string that looks like a URL even without a scheme. | Decides whether the result should open URL-focused views or stay in component inspection mode. |
| Query cleanup | Removes tracker keys, drops empty values, keeps the first or last repeated key, or keeps unique values only. | Lets you compare the real payload of a query string instead of its clutter. |
| Host and path cleanup | Adjusts scheme, host case, www., default ports, dot segments, repeated slashes, fragments, and trailing slashes. |
Makes near-equivalent links easier to compare and safer to copy into tickets or documents. |
| Inspection and export | Builds a parameter table, a character map, structured payload preview, QR image, and JSON summary. | Supports review, handoff, and record keeping without re-entering the data somewhere else. |
| Option group | Typical effect | Use with care when |
|---|---|---|
| Tracker stripping | Removes built-in marketing and referral keys such as utm_*, gclid, fbclid, msclkid, trk, campaign, and ref. |
You need the exact original query string for analytics or troubleshooting. |
| Duplicate handling | Keeps the first value, the last value, or one copy of each distinct value for the same key. | The server depends on repeated parameters and their order. |
| Unicode and percent case | Shows internationalized hostnames in readable form and can normalize Unicode text plus percent-escape letter case. | You are comparing byte-level identity rather than human readability. |
| Host and path cleanup | Lowercases the host, removes www., drops default ports, trims or preserves slashes, and resolves . or .. path segments. |
The exact visible path spelling is part of a signature or test fixture. |
| Safety toggles | Strips user info, removes default ports, and collapses repeated slashes that often make copied links harder to read. | You are auditing how the source system emitted the URL rather than cleaning it. |
scheme://userinfo@host:port/path?query#fragmentThat URI layout explains why one decoded character can change meaning so quickly. A recovered # moves the rest of the text into the fragment. A recovered & or = splits query pairs. A recovered @ can expose hidden user info before the host. RFC 3986 also warns that user info can be misleading when rendered to humans, which is why the page offers a switch to strip it entirely.
Payload Lens looks for structure after normalization, not before. If the result is a URL, it first checks common keys such as data, payload, json, q, body, and token. It then tries Base64 or base64url decoding and, when the decoded text parses cleanly, JSON parsing. If those checks fail inside the query, the page tries the whole final output as Base64 text and then as raw JSON. That order is useful because many links hide the interesting content one layer below the visible URL.
Exports follow the same final state you see on screen. Parameter Ledger and Character Audit can be copied or saved as CSV and DOCX. The detected payload can be copied or downloaded as text or JSON. The QR handoff is generated only when the final string is short enough, and the JSON export captures both the selected settings and the transformed result. The Open button appears only when the final output parses as http or https.
Everyday Use & Decision Guide:
Start with the least aggressive cleanup that answers your question. Paste the raw string, read the big output line, and check whether obvious escapes are still visible. If you still see markers like %25, %2F, or %3D, increase the decode passes one step at a time. If the result becomes nonsense or stops changing, back off. Extra decoding only helps when another encoded round is genuinely present.
The form-style plus rule deserves special care. Many query strings use + for spaces, but a plus sign can also be literal data. Enable plus-as-space when the string came from a form submission, a copied query value, or a legacy application that encodes spaces that way. Leave it off when you are checking a token, a path segment, or text where + might be meaningful.
| If your goal is | Usually turn on | Double-check before copying |
|---|---|---|
| Share a cleaner marketing or newsletter link | Tracker stripping, fragment removal, optional query sorting, lower host, remove default port | That no business-critical parameters were removed with the trackers |
| Compare two links that should resolve to the same destination | Lower host, remove www., normalize dot segments, collapse repeated slashes, trim trailing slash, percent case normalization |
Whether order-sensitive duplicate parameters still need to stay in place |
| Inspect a suspicious query value or token | Enough decode passes to reveal the text, then Payload Lens and Character Audit | Whether the payload is really JSON or only text that happens to decode cleanly |
| Prepare a link for handoff to another device | The cleanup you actually want, then QR Handoff or Copy output | That the final string is exactly the one you intend to open elsewhere |
The main tabs answer different kinds of questions. Parameter Ledger is the fastest review surface when the output is a URL. Character Audit is better when one glyph looks wrong, a non-ASCII character seems suspicious, or the result never became a URL at all. Payload Lens is the right stop when the summary shows that a payload was detected or when a query value looks too structured to be ordinary text. JSON is a record of the whole session state rather than just a pretty print of the visible result.
Think about cleanup in two groups. Some switches mostly improve comparison, such as host lowercasing, percent-case normalization, and default-port removal. Others can change what a downstream application receives, such as dropping empty parameters, picking the first or last repeated value, stripping credentials, or removing fragments. Use the second group only when the changed behavior is intentional.
Step-by-Step Guide:
- Paste the raw URL or text exactly as received. The page only starts transforming once there is input.
- Read the summary line first. Note whether the result is being treated as a URL or as a generic component string, then check the host, parameter count, payload badge, and output length.
- Increase decode passes only when you still see visible encoding that looks like another round rather than normal data. Use plus-as-space only when the source likely came from form-style encoding.
- Choose cleanup options to match the job. For sharing, tracker stripping and fragment removal are common. For comparison, host and path normalization usually matter more. For security review, user info removal and character inspection are often the next checks.
- Open the tab that matches the result. Review Parameter Ledger for surviving query pairs, Character Audit for code points and UTF-8 bytes, Payload Lens for JSON or decoded text, and JSON when you need a structured snapshot of the session.
- Copy, download, create a QR image, or use Open only after the final output is exactly the version you want to keep.
When the string is part of an authentication flow, payment link, or redirect chain, compare the cleaned version against the original one more time before forwarding it. A readable URL is easier to review, but it is still your job to decide whether the altered form is appropriate for the next system.
Interpreting Results:
URL mode means the final output still parses as a URL after decoding and cleanup. In that state, the host badge, origin and path line, parameter count, and Parameter Ledger are the fastest way to spot trouble. Component mode means the text never settled into a URL shape, so Character Audit and Payload Lens become the more reliable guides.
| Signal | What it usually means | What to verify next |
|---|---|---|
0 query params |
The URL has no query string left after cleanup, or the output is no longer a URL with query pairs. | Compare the final URL with the original input and review tracker, empty-value, and duplicate settings. |
Payload detected |
The page found text that decodes as Base64 or parses as JSON either in a common parameter or in the final output itself. | Whether the decoded content is expected business data, an opaque token, or a value you should not forward unchanged. |
Hostname changes from xn--... to readable text |
The page converted an ASCII-compatible IDN label into its Unicode form for easier review. | That the human-readable hostname is the one you intended and not a look-alike domain. |
| Output becomes shorter | Cleanup removed some visible noise such as fragments, default ports, duplicate keys, empty values, or trackers. | Whether any removed part was actually needed for the application behavior you care about. |
Open stays disabled |
The final string is not an http or https URL, even if it contains URL-like pieces. |
Whether you are really looking at a token, payload, relative path, malformed URL, or non-web scheme. |
Duplicate handling is the setting most likely to change behavior while leaving the result looking superficially reasonable. Some systems read the first occurrence of a key. Others read the last. Others keep all copies. The unique-values option removes repeated value duplicates for the same key, which is useful for cleanup but not a safe assumption about how the destination application interprets requests.
Payload detection should also be read carefully. A valid JSON preview means the bytes decode into syntactically valid JSON. It does not tell you whether the data is current, harmless, signed, or intended for that URL. A plain-text payload preview is still useful because it may reveal a redirect target, embedded message, or human-readable instructions that were hidden inside a token.
Worked Examples:
A newsletter link might arrive with a /deals path, tracking parameters such as utm_source=mail and utm_medium=email, a useful sku=42 value, and a #top fragment. If your goal is a cleaner share link, tracker stripping and fragment removal cut away the campaign noise, while Parameter Ledger confirms that sku=42 is still present. Sorting can make the cleaned version easier to compare with a second copy of the same campaign URL.
A bug report may contain a redirect target like example.com/%252Fcheckout%253Fstep%253Dreview. One decode pass only exposes %2Fcheckout%3Fstep%3Dreview. A second pass reveals the actual path and query. At that point the output switches into URL mode, so you can read the host and path line, inspect the surviving query parameter, and decide whether the redirect destination is expected.
A callback URL can also hide structured data in a parameter such as payload or token. After the main cleanup, Payload Lens may show that the value decodes as base64url and then parses as JSON. You can copy the pretty-printed payload, save it as JSON for a ticket, or keep the full session export so the chosen cleanup settings and final URL stay attached to the evidence.
FAQ:
Why did a plus sign stay as a plus?
Because plus-to-space decoding is optional. It matches form-style parsing, but a plus sign can also be literal data, so the page leaves it alone unless you choose the form-style rule.
Why did the hostname stop showing xn--?
The page converts internationalized domain labels into their readable Unicode form when it can. That helps review, but it does not prove that the domain is legitimate or free from look-alike risk.
Why are there no parameters left after cleanup?
The final result may not be a URL anymore, or the cleanup rules may have removed every surviving query pair through tracker stripping, empty-value removal, or duplicate handling. Compare the output with the original raw string before assuming data was lost by mistake.
Why is the Open button unavailable?
Open is only offered when the final result parses as http or https. Relative paths, plain text, malformed strings, and other schemes remain inspectable but are not opened.
Does local processing make the link safe?
No. Local processing means the content is handled in the browser session rather than sent to a server by this page. It does not verify ownership, reputation, signatures, or what the destination will do when opened.
Glossary:
- Percent-encoding
- A URI syntax that writes a byte as a percent sign followed by two hexadecimal digits.
- Reserved character
- A character such as
/,?,#,&, or=that can affect URL structure when it appears literally. - Query parameter
- A key-value pair carried after the question mark in a URL.
- A-label and U-label
- Two forms of an internationalized domain label: the ASCII-compatible
xn--form and the readable Unicode form. - Base64url
- A URL-safe Base64 variant that uses
-and_instead of+and/.
References:
- RFC 3986: Uniform Resource Identifier (URI): Generic Syntax, RFC Editor, January 2005.
- WHATWG URL Standard, WHATWG.
- Unicode Standard Annex #15: Unicode Normalization Forms, Unicode Consortium.
- RFC 4648: The Base16, Base32, and Base64 Data Encodings, RFC Editor, October 2006.
- RFC 5890: Internationalized Domain Names for Applications (IDNA): Definitions and Document Framework, RFC Editor, August 2010.