Zutily

URL Encoder / Decoder

Encode or decode URLs and query strings with percent-encoding. Three encoding modes, a visual query string builder, full Unicode support, instant swap — free and 100% private.

Share this tool

100% FreePrivacy FirstInstant ResultsNo Sign-Up
Method:
Raw Text / URL
0 chars

Paste a URL or text to percent-encode it

Encoded Output

Output appears here automatically

How Percent-Encoding Works

Every URL you see in a browser address bar follows the RFC 3986 specification, which defines a strict set of allowed characters. Letters, digits, and a handful of symbols (- _ . ~) are “unreserved” and can appear as-is. Everything else — spaces, ampersands, question marks, Unicode characters, emoji — must be percent-encoded: converted to their UTF-8 byte values and prefixed with %.

For example, a space becomes %20, an ampersand becomes %26, and the emoji ☕ becomes %E2%98%95 (three UTF-8 bytes). Without proper encoding, browsers and servers misinterpret special characters — breaking links, corrupting query parameters, and opening the door to injection vulnerabilities like cross-site scripting (XSS) and HTTP parameter pollution.

Encoding Methods Compared

MethodEncodesPreservesUse When
encodeURIComponentAll except A-Za-z0-9 - _ . ! ~ * ' ( )Nothing elseQuery parameter values, path segments
encodeURISpaces, non-ASCII chars: / ? # [ ] @ ! $ & ' ( ) * + , ; =Full URLs that should remain navigable
Query String (+)Same as encodeURIComponentSpaces encoded as + instead of %20HTML form submissions, legacy APIs

Common mistake: using encodeURI on a query parameter value. Since it preserves & and =, a value like price=10&discount=5 would be interpreted as two separate parameters instead of one value. Always use encodeURIComponent for individual values.

Anatomy of a URL: What Gets Encoded Where

https://api.example.com/users/café?name=José&city=São Paulo#résumé

Protocol

https://

Never encoded

Host / Domain

api.example.com

Punycode for internationalized domains (IDN)

Path Segments

/users/café → /users/caf%C3%A9

Use encodeURIComponent per segment

Query String

?name=Jos%C3%A9&city=S%C3%A3o+Paulo

Encode each key and value separately

Where URL Encoding Is Critical

  • REST API Query Parameters

    API filters, pagination tokens, and search queries must be percent-encoded to prevent parameter injection and ensure servers parse them correctly.

  • OAuth & Redirect URIs

    OAuth 2.0 flows require the redirect_uri to be fully encoded. A single unescaped character can cause authentication failures or open redirect vulnerabilities.

  • UTM Tracking & Analytics

    Marketing UTM parameters (utm_source, utm_campaign) often contain spaces and special characters. Proper encoding ensures analytics platforms attribute traffic accurately.

  • Deep Links & Mobile Apps

    iOS Universal Links and Android App Links pass data through URL parameters. Encoding ensures deep link payloads survive parsing across different OS URL handlers.

  • Webhook Payloads & Callbacks

    Payment gateways (Stripe, PayPal) and notification services send callback URLs with signed query parameters that must be encoded to preserve HMAC integrity.

  • Internationalized URLs (IRIs)

    Non-Latin domain names and paths (Arabic, Chinese, Cyrillic) require proper UTF-8 percent-encoding to conform to RFC 3987 and work across all browsers.

Frequently Asked Questions

Quick answers to common questions

URL encoding, also known as percent-encoding, replaces unsafe or reserved characters in a URL with a percent sign (%) followed by two hexadecimal digits. For example, a space becomes %20 and an ampersand (&) becomes %26. This ensures URLs are valid and can be transmitted correctly across the internet.
encodeURIComponent encodes ALL special characters including :, /, ?, #, and &. Use it for encoding individual query parameter values. encodeURI encodes spaces and non-ASCII characters but preserves URL structure characters like /, ?, and #. Use it when encoding an entire URL that should remain navigable.
The Query encoding method replaces spaces with + instead of %20. This is the standard format used by HTML form submissions (application/x-www-form-urlencoded). Use it when building query strings for web forms or APIs that expect plus-sign space encoding.
Yes. Our URL encoder fully supports Unicode characters including emoji, accented letters, Chinese, Japanese, Korean, Arabic, and all other scripts. Characters are first encoded as UTF-8 bytes and then percent-encoded, following the RFC 3986 standard.
Absolutely. All encoding and decoding happens entirely in your browser using JavaScript's built-in encodeURIComponent, encodeURI, and their decode counterparts. No data is ever sent to a server, stored, or logged. Your input stays completely private.
A query string is the part of a URL after the ? that contains key-value parameters (e.g., ?name=John&age=25). Our query string builder lets you add, remove, and edit parameters visually, and it auto-generates the properly encoded URL so you don't have to worry about manual encoding.
Yes. In the Query String Builder tab, paste any URL into the 'Parse an existing URL' field and click Parse. The tool will extract the base URL and all query parameters into editable fields, letting you modify and rebuild the URL easily.
Using encodeURIComponent, all characters except A-Z, a-z, 0-9, -, _, ., !, ~, *, ', (, and ) are encoded. This includes reserved URL characters like ?, &, =, /, #, +, and @, as well as spaces and all non-ASCII characters.
Switch to Decode mode and paste the encoded string. The tool will automatically convert %20 back to a space, %3D back to =, and all other percent-encoded sequences back to their original characters. It supports the full range of UTF-8 encoded characters.
Yes, Zutily's URL Encoder / Decoder is 100% free to use with no limits, no signup, and no ads. It runs entirely in your browser for maximum speed and privacy.

Disclaimer

This tool is provided “as is” for informational and utility purposes only. While we strive for accuracy, Zutily makes no warranties regarding the completeness, reliability, or suitability of the output for any specific purpose. All processing is stateless — we do not store, log, or share any data you enter. Use the results at your own discretion. For security-critical applications, always verify outputs independently.

Found this tool helpful?

Share it with your friends and colleagues