URL Encoder & Decoder
Percent-encode or decode URLs and query-string values, with separate modes for a single component versus a whole URL. Live as you type, completely free, and entirely in your browser.
Encoded output
Nothing to convert yet — type or paste a value above.
What this tool does, and why the mode matters
URLs can only safely carry a limited alphabet of characters. Everything else — spaces, ampersands, non-Latin letters, emoji — must be percent-encoded, replacing the raw byte with a % followed by its hexadecimal value. This tool encodes that representation and decodes it back, in both directions, the instant you type.
The single most important choice is the scope. encodeURIComponent (Component mode) escapes everything reserved, including / : ? # & =. That is exactly what you want when you are dropping one untrusted value into a query string. encodeURI (Whole-URL mode) leaves those structural characters alone so the URL stays parseable. Feed a complete URL through the component encoder by mistake and every slash becomes %2F — a classic broken-link bug.
Everything runs locally with the browser's native URI functions, so there are no network requests. That privacy matters more than it first appears: query strings routinely carry signed tokens, session identifiers, OAuth state, and internal hostnames. Because nothing leaves your machine, you can safely decode a suspicious callback URL to see what it actually contains. We build that same defensive instinct into the software and security work we ship — see our cybersecurity services.
The other trap is double-encoding. If a value is already encoded and you encode it again, %20 turns into %2520 and the link silently breaks. The safe habit is to decode first, confirm you see the human-readable string, then encode exactly once. Use the “Use output as input” button to round-trip a value and verify it survives the trip unchanged.
How to use it
Choose Encode or Decode, then pick a scope — Component for a single value, or Whole URL for a full address. Type or paste your text and the result updates live. If a decode fails because of a malformed escape, you will see the exact error rather than a garbled string. Copy the output with one click, or send it straight back through with “Use output as input” to confirm a clean round-trip. Nothing is stored; a refresh clears everything.
FAQs
What is the difference between component and whole-URL mode?
Component mode uses encodeURIComponent / decodeURIComponent, which escapes every reserved character including the slash, colon, question mark, ampersand, and hash. Use it when you are encoding a single value that will live inside a URL — a query-string value, a path segment, or a fragment. Whole-URL mode uses encodeURI / decodeURI, which deliberately leaves the structural characters (: / ? # [ ] @ & =) intact so the overall URL stays well-formed. Picking the wrong one is the most common URL bug we see: encode a full URL with encodeURIComponent and the slashes turn into %2F, breaking the link.
Is my input sent to a server?
No. Encoding and decoding run entirely in your browser using the native encodeURIComponent, decodeURIComponent, encodeURI, and decodeURI functions. Nothing is uploaded, logged, or stored, and you can confirm that by checking your browser's network tab while you type — there are zero requests. That makes it safe for URLs that contain access tokens, signed query parameters, or internal hostnames you would not want to paste into a remote service.
Why does decoding sometimes throw an error?
The decode functions throw a URIError when they hit a malformed percent-escape — for example a lone % sign, or a multi-byte UTF-8 sequence such as %E0 that is missing its trailing bytes. When that happens this tool surfaces the error instead of returning a half-mangled string. The fix is almost always to re-encode the value correctly at the source, or to confirm you are decoding something that was actually percent-encoded in the first place.
How are spaces and plus signs handled?
These functions encode a space as %20, which is correct for path segments and modern query strings. The legacy application/x-www-form-urlencoded format used by HTML form posts encodes a space as a plus sign (+) instead, and treats a literal plus as %2B. If you are round-tripping classic form data, be aware that decodeURIComponent will not turn a + back into a space — that conversion belongs to form decoding, not URI decoding.
Does encoding change the meaning of my URL?
Correct encoding never changes meaning — it only makes the URL safe to transmit by escaping characters that would otherwise be ambiguous or illegal. A correctly encoded URL decodes back to exactly the original. The danger is double-encoding: if you run an already-encoded string through the encoder again, %20 becomes %2520 and the link silently breaks. When in doubt, decode first, confirm you see the human-readable form, then encode once.
Related tools
Related engineering reading
All postsAdding AI Features to Your SaaS (2026)
Where AI helps, build-vs-API trade-offs, evals, guardrails, and shipping without torching margins.
Read postAPI Rate Limiting Strategies for 2026
Token bucket vs sliding window, per-key quotas, 429 semantics, and where to enforce limits.
Read postAPI Security Best Practices (2026)
Auth, rate limiting, input validation, secrets, and the OWASP API Top 10.
Read post
Fighting URLs that break in production?
Encoding bugs, double-escaped redirects, and leaky query parameters are symptoms of integration code that was never designed carefully. We build APIs and web apps with correct encoding, signed URLs, and predictable routing baked in. Talk to us about integration work or a security review.
Or reach us directly: beltz@quantlabusa.dev