URL encoding (a.k.a. percent-encoding, defined by RFC 3986) is how the web safely embeds arbitrary characters in URLs, query strings, and form-encoded request bodies. Spaces become %20 (or + in query strings), reserved characters like ?, &, and # get encoded when they appear inside a value, and non-ASCII characters are first encoded as UTF-8 then percent-escaped. This URL encoder/decoder uses the browser's native encodeURIComponent() and decodeURIComponent(), which match the WHATWG URL spec.
How URL Encoding Works
URL encoding replaces unsafe characters with %XX where XX is the two-digit hexadecimal byte value. Reserved characters that have special meaning in URLs (: / ? # [ ] @ ! $ & ' ( ) * + , ; =) are encoded when they appear inside a path segment or query value. Unreserved characters (A-Z a-z 0-9 - _ . ~) are always passed through unchanged. For non-ASCII text, the string is first encoded to UTF-8 bytes, then each byte is percent-escaped.
When to URL-Encode
- Query string parameters —
?q=hello%20world&tag=foo%2Bbar. - Path segments — user-generated slugs containing slashes, spaces, or special chars.
- Form submissions —
application/x-www-form-urlencoded request bodies. - OAuth flows — redirect URIs and state parameters must be properly encoded.
- Webhook URLs — encoding arbitrary IDs or tokens into callback URLs.
- Debugging — seeing
%2F in a URL? Decode it to see the actual value.
URL Encoding in Code
// JavaScript
const encoded = encodeURIComponent('hello world&foo=bar');
// => "hello%20world%26foo%3Dbar"
const decoded = decodeURIComponent('hello%20world');
// => "hello world"
// Python
from urllib.parse import quote, unquote
quote('hello world&foo=bar') // => 'hello%20world%26foo%3Dbar'
// Shell (with python or jq)
python -c "import sys,urllib.parse; print(urllib.parse.quote(sys.stdin.read()))"
encodeURI vs. encodeURIComponent
JavaScript has two URL encoding functions: encodeURI() preserves reserved URI characters (: / ? # & =), so it's safe for encoding an entire URL; encodeURIComponent() encodes everything except unreserved characters, so it's safe for encoding a single query value or path segment. This tool uses encodeURIComponent because that's what you almost always want. For application/x-www-form-urlencoded bodies, spaces are encoded as + instead of %20 — use URLSearchParams for that case.