Free URL encoder and decoder

Percent-encode or decode any text, and pick the encoding that matches what you are actually building: a single query value, a whole URL, or a form body where a space is a plus sign. Paste a full URL and read its query parameters decoded. Everything runs in your browser, so the token in that URL stays with you.

Encoding
  • ComponentencodeURIComponent. Escapes the reserved characters as well, so / ? & = # + become %2F %3F %26 %3D %23 %2B. Use it on one query value or one path segment.
  • Full URIencodeURI. Leaves the characters that hold a URL together (: / ? & = # @) untouched and escapes only spaces and other unsafe bytes. Use it on a whole URL.
  • Formapplication/x-www-form-urlencoded. Same as component, except a space becomes + instead of %20. This is what an HTML form posts and what URLSearchParams writes.
54 characters
76 characters

Copied to clipboard

How the URL encoder and decoder works

1

Pick a direction and an encoding

Encode or decode, then choose component encoding for one value, full URI encoding for a whole URL, or form encoding when a space has to become a plus sign.

2

Convert on your device

The conversion happens in the page as you type, using the same JavaScript functions your own code would call. A broken percent escape is flagged with the character it starts at.

3

Copy it, or take a URL apart

Copy the result with one click, or paste a whole URL into the parser to see its scheme, host, path, and each query parameter decoded.

Private by design: nothing leaves your browser

The URLs people need to decode are rarely boring ones. They carry API keys, session tokens, password-reset links, signed download links, and internal hostnames. Pasting one of those into a site that posts it to a backend gives the URL away, so this tool never sends it anywhere:

01

100% client-side

Encoding and decoding use encodeURIComponent, encodeURI, and decodeURIComponent, which are built into your browser. Parsing uses the native URL object. No network request is made while you type.

02

Nothing stored or logged

There is no account and no history. What you paste lives in the page's memory and is gone when you reload, so a signed link you decoded here is not sitting in anyone's access log.

03

The same functions your code calls

The result matches what your own runtime produces, because it comes from the same functions. Form mode follows the WHATWG urlencoded serializer, which is what URLSearchParams and an HTML form both use.

Which encoding to pick

  1. Component encoding for a single value you are dropping into a URL. It escapes / ? & = #, so a value containing a slash cannot break out and become part of the path.
  2. Full URI encoding when you already hold a complete URL and only want to clean up spaces and other unsafe characters. It leaves the structural characters alone.
  3. Form encoding for a request body sent as application/x-www-form-urlencoded, and for query strings written by URLSearchParams. A space becomes + rather than %20.
  4. When you decode, use the mode the value was written with. Decoding a form-encoded value in component mode turns every space back into a literal plus sign, which is a common way a search query comes back wrong.

Built for developers and technical teams

Anyone who has to read a URL that a machine wrote. BlockSurvey takes the same position on research data with zero-knowledge surveys, where responses are encrypted before they ever reach a server.

Developers

Work out why a query parameter arrived double-encoded, or build a redirect URL that survives being nested inside another one.

Security & IT teams

Decode an obfuscated link from a phishing report or a proxy log to see where it really points, without handing the URL to a third-party site while you do it.

Marketing & analytics

Read the UTM parameters on a campaign link and find the stray space that broke attribution.

Building something that handles sensitive data?

BlockSurvey runs on zero-knowledge surveys, so the responses you collect are never sold or mined. Responses are encrypted on the respondent's device, so the server stores nothing readable.

More free privacy tools

Browse all privacy tools

These tools run in your browser because that is how we build everything. The same idea, applied to research: privacy-first surveys with end-to-end encryption.

Frequently asked questions

Is this URL encoder and decoder free?

Yes, completely free, with no sign-up and no limit on how much text you convert. There is no paid tier of this tool to upgrade to.

Does anything I paste get sent to a server?

No. Encoding, decoding, and URL parsing all run in your browser as plain JavaScript. The page makes no network request when you type, so there is nothing to log or store. That matters because URLs routinely carry API keys, session tokens, password-reset links, and signed download links, and pasting one into a server-side decoder hands it over.

What is percent encoding?

Percent encoding is how a URL carries characters it cannot hold literally. Each unsafe byte is written as a % followed by two hex digits, so a space becomes %20 and a slash becomes %2F. It is defined in RFC 3986, and it is why URLs are full of %-sequences.

What is the difference between encodeURIComponent and encodeURI?

encodeURIComponent escapes the reserved characters, encodeURI does not. Reserved characters are the ones that give a URL its structure: : / ? # [ ] @ & = + $ , and a few others. If you run encodeURI on a value that contains a slash or an ampersand, those characters stay literal and become part of the URL structure, which is how a value silently turns into an extra query parameter. Use encodeURIComponent on any single value you drop into a URL, and encodeURI only when you already hold a complete URL and just want to clean up spaces.

When should I use form encoding, where a space becomes a plus?

Use it for anything that behaves like an HTML form submission, which includes a request body sent as application/x-www-form-urlencoded and, in practice, most query strings. In that format a space is written as + rather than %20. A decoder that does not know the difference reads that + as a literal plus sign, which is one of the more common ways a search query comes back wrong.

Why does my text fail to decode with a malformed escape error?

A % in a percent-encoded string must be followed by exactly two hex digits. If the input contains a bare % (a literal percent sign that was never encoded as %25) or something like %2G, the decoder cannot read it and throws. This tool tells you the position of the first bad sequence. The other cause is a valid-looking escape that decodes to an invalid UTF-8 byte, which usually means the text was cut in half somewhere.

Can I decode only the query string of a URL?

Yes. Switch to the Parse a URL tab and paste the whole URL in. It splits the URL with the browser's native URL parser and lists every query parameter with its raw value next to its decoded value, so you can see exactly which parameter is double-encoded.

Can I use this offline?

Yes. Once the page has loaded you can disconnect from the internet and keep encoding, decoding, and parsing, because none of it depends on a server.

Do you store what I paste in?

No. Encoding, decoding, and URL parsing all run with the browser's own APIs, so nothing you paste is sent to or kept on a server. It disappears when you reload the page.

How is this different from a paid URL encoder?

The encoding itself is a standard (percent-encoding), so the output is identical everywhere. This one runs client-side with no account and no request cap, where a paid or ad-supported tool typically round-trips your input through a server first.
Scripts are blocked. This site won’t work properly. If you’re using Brave, click the Shields icon and turn off Block scripts. Otherwise disable your ad blocker for this site.