How to Encode and Decode URLs Online for Free (And Why It Matters)

What URL encoding is

URLs are restricted to a small set of safe characters: letters (A–Z, a–z), digits (0–9), and a few symbols (- _ . ~). Every other character must be "percent-encoded" — replaced with a % sign followed by the two-character hexadecimal ASCII code.

Common examples:

• Space → %20
• & → %26
• = → %3D
• ? → %3F
• / → %2F
• # → %23
• + → %2B

So a search query like hello world & more becomeshello%20world%20%26%20more when placed inside a URL parameter.

Encode and decode URLs free

Use the free URL encoder and decoder — paste any string to encode it for safe URL use, or paste an encoded URL to decode it back to readable form. No account, no upload.

When you need URL encoding

Query parameters

The most common case. When building a URL with user-supplied input in a query parameter, the value must be encoded:

https://example.com/search?q=hello world

becomes:

https://example.com/search?q=hello%20world

In most programming languages, the built-in URL or HTTP library handles this automatically. Problems arise when developers concatenate strings manually instead of using URL-building functions.

Internationalized domain names and paths

Non-ASCII characters in paths (accented letters, Cyrillic, Arabic, Chinese) must be encoded. A French URL likehttps://example.fr/catégorie becomeshttps://example.fr/cat%C3%A9gorie.

Decoding encoded URLs you receive

Encoded URLs from API responses, logs, or redirect parameters are hard to read at a glance. Paste them into the URL decoder to see the human-readable version.

Encoding vs encoding for forms (+)

There are two standards:

• RFC 3986 (standard URL encoding): encodes spaces as %20. Used in URLs, HTTP headers, most modern APIs.
• application/x-www-form-urlencoded: encodes spaces as +. Used in HTML form submissions (POST body). This is why some encoded URLs have + instead of %20 in form data.

When in doubt, use %20 — it is unambiguous and correct in all contexts. Use + only in form data where the server expects form encoding.

Security: why encoding matters

Failing to encode user input before inserting it into a URL is a source of security vulnerabilities. If a user types &admin=true and it is inserted raw into a query string, it could add an unintended parameter to the request.

Always use your language's URL-building library rather than string concatenation:

• JavaScript: new URL() + searchParams.set(), or encodeURIComponent()
• Python: urllib.parse.urlencode()
• PHP: urlencode() or http_build_query()

Summary

URL encoding converts special characters to percent-encoded form so they can travel safely in URLs. Encode and decode any string with the free URL encoder. UseencodeURIComponent() in code when building URLs with user input. Spaces encode as %20 in standard URLs and + in form data.