Encode

URL Encoder and Decoder

Paste a single parameter value, a full URL, or a query string such as a=1&b=hello world. The tool chooses the right percent-encoding behavior for the context. Text values are treated as one parameter value, full URLs keep their protocol, path, query, and fragment structure, and Query mode handles each parameter separately. Form mode supports the older convention where plus means space, strict decode is useful for API validation, and tolerant decode helps inspect damaged logs. Everything runs in your browser, so callback URLs, OAuth state, JWT parameters, and private data are not uploaded.

  • Separate targets for parameter values, full URLs, and Query parameters help avoid encoding structural characters by mistake
  • Query mode can process both keys and values, or values only, to match different backend contracts
  • Form mode handles the plus-space convention used by application/x-www-form-urlencoded data
  • Strict decode reports malformed percent-encoding immediately, while tolerant decode tries to recover readable text
  • Samples cover full URLs, form-style Query strings, Chinese text, and Emoji before you paste real data
  • Local-only processing keeps callback URLs, signed parameters, webhook content, and private fields in the browser
tools/URL Encoder and Decoder
Waiting for input
Result will appear here...
Encode · Text or value

Text or value mode treats the whole input as one value, so question marks, ampersands, and equals signs are encoded as content.

URL commands

Overview

URL encoding problems usually come from applying the wrong rule to the wrong context, not from the characters themselves. This page first distinguishes between a parameter value, a full URL, and a Query string, then uses the matching behavior.

  1. 01

    Three processing targets

    Text or value mode encodes the whole input as one value. Full URL mode keeps the protocol, host, path, query, and fragment structure. Query mode processes each parameter separately. Choosing the right target is what keeps the result stable.

  2. 02

    Query mode can process values only

    In Query mode, you can process both keys and values, or keep keys unchanged and process values only. This is useful when a server expects literal key names but URL-safe values.

  3. 03

    Full URL preserves structure

    When you paste an already assembled URL, the tool changes only the parts that need encoding. Protocol, host, path separators, query separators, and fragments remain intact.

  4. 04

    Form-space mode

    You can switch between standard percent-encoding and the form submission convention. Standard percent-encoding represents spaces with percent encoding, while form data uses plus signs. The toggle is hidden in Full URL mode to avoid damaging URL structure.

  5. 05

    Strict and tolerant decode

    Strict decode fails on isolated percent signs or incomplete bytes, which makes it useful for protocol validation. Tolerant decode repairs common damaged fragments first and then tries to return readable text for log inspection.

  6. 06

    Round-trip verification

    After encoding, you can place the result back into the input and decode it again. This quickly confirms whether the content can be restored across the selected modes.

  7. 07

    Inline validation status

    The output header shows a success state when conversion works, and an error state when the input format is invalid. This helps distinguish damaged data from tool behavior.

  8. 08

    Local-only processing

    Encoding, decoding, copy, and round-trip verification all run inside your browser tab. Callback URLs, OAuth state, signed links, JWT parameters, customer search terms, and private fields never leave the device.

How to use

Five short steps. Any change to a control recalculates the output immediately.

  1. 01

    Choose Encode or Decode in the conversion mode control.

  2. 02

    Choose the processing target: a single text value, an already assembled full URL, or a set of Query parameters.

  3. 03

    If you are processing Query parameters, choose whether to process both keys and values or values only. When decoding, choose strict mode or tolerant mode.

  4. 04

    If the data comes from an HTML form submission, or from an older system where plus means space, turn on form mode. This option is hidden automatically in Full URL mode.

  5. 05

    When the output status shows Encoded or Decoded, copy the result. To verify it, use the output as input and run the opposite conversion.

Details

The same character can be content in one place, and a separator or structural marker in another. The processing target tells the encoder how to interpret it.

  • Use Text or value for a single parameter value, search keyword, filter, or slug. Question marks, ampersands, and equals signs are encoded as content, so they cannot accidentally split the URL.
  • Use Full URL when the input is an already-assembled URL and you just need to handle spaces or Unicode inside it. Protocol, host, path separators, query separators, and fragment markers stay valid.
  • Use Query parameters when you have a raw Query fragment. Each item is handled independently, and you can choose whether keys stay unchanged.
  • Turn on form mode only for HTML form posts, older callbacks, or any system where plus means space. General URL parameters usually do not need it.
  • Use tolerant decode when inspecting truncated, copied, or partially encoded logs. It gives you readable text first so you can decide what to do next.
  • Use strict decode for protocol validation, API contract tests, or any flow where invalid content should fail immediately.

Use cases

These are recurring engineering tasks. The same workflow of choosing a mode, pasting content, and copying the result covers all of them.

  1. OAuth callback URL and state

    Encode a full callback URL with nested parameters before placing it in an authorization link, or decode the state value from a callback to inspect what the client sent.

  2. Search and filter query parameters

    Encode user-entered search terms, multi-select filters, pagination cursors, and multilingual tags before adding them to a query string.

  3. API request URL composition

    Compose a REST URL by encoding path segments (slugs, IDs, dates) and parameter values separately so they reach the server uncorrupted.

  4. Webhook signature inspection

    Decode signature, state, or nonce parameters captured from logs to reconstruct what a partner actually sent.

  5. UTM and tracking link cleanup

    Decode multi-layer tracking links made of ad redirects, short links, and landing pages to read each layer of UTM fields for attribution, archiving, or troubleshooting.

  6. Form post troubleshooting

    Copy form content from browser developer tools, API gateway logs, or backend access logs, then decode it to see what the user actually submitted.

  7. CJK and emoji parameter handling

    Encode Chinese, English, Japanese, Korean, and Emoji parameters consistently, reducing differences between browsers, proxies, and frameworks.

  8. Double-encoding rescue

    When a log contains text that appears to be encoded more than once, decode it layer by layer until the original value is visible.

  9. Sharing pre-filled URLs

    Build pre-filled email links, Google Forms, Slack deep links, or marketing share URLs by encoding the message and parameters before joining them into the URL.

  10. JWT and SAML callback inspection

    Decode URL parameters inside JWT or SAML callbacks first, then pass the result to the matching inspection tool for deeper analysis.

See also

When the value carried by a URL is wrapped in Base64, such as credentials, opaque tokens, or inline images, round-trip it through Base64 Encoder and Decoder first. If the value will be rendered as page text, an HTML attribute, or email source, check the entity boundary with HTML Encoder and Decoder . For Bearer tokens and three-segment JWTs embedded in callback URLs, open JWT Inspector to inspect the header, claims, and signature. When the task grows from one parameter to a full URL with host, path, Query items, and fragment, pair this page with URL Tools .

Best practices

Most URL issues come from reading the context incorrectly, not from the encoding rule itself. These habits keep the result predictable.

  • Before changing anything, decide what the input is: one value, a full URL, or a raw Query string. That choice determines the rule.
  • Use Text or value mode for a single value, and Full URL mode for an already assembled URL. Do not mix the two contexts.
  • When the input already contains percent-encoded text, decode it first to inspect the original value before encoding again. Otherwise it is easy to create double encoding.
  • Use form mode only when both sides explicitly follow form submission rules. General URL parameters and most APIs usually use standard percent-encoding for spaces.
  • For dirty real-world logs (truncated lines, half-bytes, copy-paste mangling), start with Tolerant decode. Once the value looks readable, switch to Strict and re-decode the clean version to confirm.
  • Document the team contract for spaces, Unicode, array parameters, and callback URL rules. Frontend, mobile, and backend code drifting apart on these details is a common source of production URL issues.
  • URL encoding is a transport format, not a security mechanism. XSS prevention, token protection, and signature validation each need their own security treatment.
  • Before shipping, run a round-trip check: encode first, use the output as input, decode it, and confirm the original value returns.

Limitations

Clear boundaries prevent misuse and help you decide when another tool is a better fit.

  • This is an encoding tool, not an encryption tool. Percent-encoding does not hide content, hash values, or provide security guarantees.
  • Tolerant decode is heuristic recovery. It can repair common isolated percent signs, but it cannot recover every damaged UTF-8 sequence.
  • The tool does not automatically decide whether text is double-encoded. Whether to decode once or multiple times still depends on business context.
  • Query mode assumes standard ampersand and equals separators. If your framework uses semicolons, nested parameters, or custom delimiters, confirm the rules manually first.
  • Form mode handles only the plus-space difference. It does not simulate full form serialization, files, arrays, or nested objects.
  • The page handles strings, not files. For uploading file content as percent-encoded data, use a dedicated tool.
  • The underlying behavior uses the browser’s native URL encoding and decoding capabilities. Some legacy systems use different reserved-character sets, so results may differ there.

FAQ

Practical answers about processing modes, form-style spaces, double encoding, privacy, and how URL encoding differs from other escaping mechanisms.

What is percent-encoding?

Percent-encoding converts bytes that cannot appear directly in a URL into a percent sign followed by two hexadecimal digits. It is a format convention that lets URLs carry spaces, Unicode, and reserved characters while remaining parseable.

What is the difference between value encoding and full URL encoding?

Value encoding treats question marks, ampersands, equals signs, slashes, and hash signs as content. Full URL encoding preserves those structural characters so the result remains a parseable URL. This tool separates those cases through processing targets.

When does plus mean space?

Only in HTML form submissions and Query strings that follow that older convention. Turn on form mode for those cases. In other URL contexts, plus is just a literal plus sign.

Why does a URL look double-encoded?

A common cause is that a string that was already encoded has been encoded again. Decode it layer by layer according to the business flow until the original value is visible.

When should I use strict or tolerant decode?

Use strict mode for protocol validation and API contract tests, where invalid input should fail immediately. Use tolerant mode for log inspection and incident analysis, where you first need readable text from partially damaged content.

Does URL encoding prevent XSS?

No. URL encoding only makes a string fit inside a URL. XSS prevention requires output encoding for the final rendering context, such as HTML, JavaScript, or attribute contexts.

Why is the form toggle hidden in Full URL mode?

Because plus signs are valid characters in URL paths, queries, and fragments. Rewriting spaces as plus signs across a full URL can damage parts outside the query. The toggle only applies to value and Query contexts where the form convention is meaningful.

How does Query mode handle a URL with a question mark?

If the input can be recognized as a full URL, Query mode only processes the query portion and then rebuilds the URL. Protocol, host, path, and fragment remain unchanged.

Does any of my data leave the browser?

No. Encoding, decoding, validation, copying, and round-trip checks all run inside the current browser tab. Callback URLs, OAuth state, JWT URLs, and other private content are not uploaded.

How big a URL can I paste?

A few thousand characters comfortably; tens of thousands works but feels slower. For multi-MB Data URLs or very large encoded strings, prefer a streaming or file-aware tool.

Does the page support IDN domains?

When the browser runtime supports it, the native URL parser handles IDN domains. For dedicated Punycode and Unicode hostname conversion, use a specialized IDN tool. This page focuses on path, query, and value encoding.

Why does a URL work in the browser address bar but fail in curl or Postman?

The browser address bar often tolerates raw spaces and Unicode, then applies encoding for you. curl and Postman are closer to sending bytes exactly as provided. Encode explicitly before sending URLs from code or API tools.

Related tools

Continue across the encode category: round-trip auth headers and tokens through Base64, inspect JWTs inside callback URLs, or switch between QR codes and barcodes.