Encode text for safe use in URLs. Converts special characters to percent-encoded format. Essential for building URLs, API parameters, and query strings.
%20), or URL Query Encode to apply application/x-www-form-urlencoded rules used by HTML forms (spaces become +).%XX sequences in your input weren't double-escaped β if they were, decode first with the URL Decoder.For other text transforms, see Base64 Encoder, HTML Entity Encoder, or the JSON Formatter.
URL encoding (also called percent-encoding) is defined by RFC 3986. It replaces any character that isn't part of the "unreserved" set with a % followed by the character's UTF-8 byte value in two hexadecimal digits. A space becomes %20. An ampersand becomes %26. The euro sign β¬ is three UTF-8 bytes (0xE2 0x82 0xAC) and encodes as %E2%82%AC. Encoding is necessary because the URL syntax itself reserves a handful of characters as delimiters β ? separates the path from the query, & separates parameters, # starts the fragment β so any payload character that collides with those delimiters must be escaped or it will be misparsed.
You'll reach for URL encoding in scenarios like these:
price > $100 & color = red must become price%20%3E%20%24100%20%26%20color%20%3D%20red, otherwise the & will be read as a parameter separator and break the call.? and &, the share endpoint mis-attributes them to itself.+, /, and = which all have URL meaning. Either percent-encode them or switch to base64url (RFC 4648 Β§5), which substitutes - and _.Γ©, Γ±, ΓΌ) must be UTF-8 encoded before percent-encoding for universal browser and server compatibility.+, =, /, \, ^, |, and {} either reserve URL meaning or are flagged as unsafe.These two character classes are the foundation of percent-encoding. Unreserved characters never need encoding; reserved characters only need encoding when they appear inside a component (not as a delimiter).
| Class | Characters | Encoded? |
|---|---|---|
| Unreserved | A-Z a-z 0-9 - _ . ~ |
Never |
| Gen-delims | : / ? # [ ] @ |
Inside a component only |
| Sub-delims | ! $ & ' ( ) * + , ; = |
Inside a component only |
| Other (unsafe / non-ASCII) | space, < > { } \ ^ ` " , control chars, Unicode |
Always |
| Character | Percent-encoded | Form-encoded | Notes |
|---|---|---|---|
| space | %20 |
+ |
Form mode (application/x-www-form-urlencoded) uses + for space |
+ |
%2B |
%2B |
Always encode in queries β bare + is read as a space |
& |
%26 |
%26 |
Parameter separator |
= |
%3D |
%3D |
Key/value separator |
? |
%3F |
%3F |
Query starter |
# |
%23 |
%23 |
Fragment starter |
/ |
%2F |
%2F |
Path separator |
% |
%25 |
%25 |
The escape character itself |
Γ© |
%C3%A9 |
%C3%A9 |
Two UTF-8 bytes |
β¬ |
%E2%82%AC |
%E2%82%AC |
Three UTF-8 bytes |
| π | %F0%9F%9A%80 |
%F0%9F%9A%80 |
Four UTF-8 bytes |
encodeURI vs encodeURIComponent vs URLSearchParamsThe three built-in encoders behave differently. Picking the wrong one is the most common source of double-encoded or broken URLs.
| Function | Preserves (does NOT encode) | Encodes spaces as | Use it for |
|---|---|---|---|
encodeURI |
URI syntax: : / ? # & = + plus unreserved |
%20 |
A complete URL when you want path/query structure preserved |
encodeURIComponent |
Only A-Z a-z 0-9 - _ . ! ~ * ' ( ) |
%20 |
A single path segment, query value, or fragment value |
URLSearchParams / FormData |
Same as RFC 3986 unreserved | + |
Building application/x-www-form-urlencoded request bodies or query strings |
In practice: use encodeURIComponent for every value you stitch into a URL, and use URLSearchParams when you're building a query string for fetch. Per MDN's encodeURIComponent reference, encodeURIComponent does not escape !, ~, *, ', (, ), which are sub-delims that RFC 3986 reserves β wrap it (encodeURIComponent(s).replace(/[!'()*]/g, c => '%' + c.charCodeAt(0).toString(16).toUpperCase())) if you need strict RFC 3986 conformance.
%20 and sometimes +?Two different specs are at play. RFC 3986 percent-encoding (the one URLs use generally) encodes space as %20. The older application/x-www-form-urlencoded rule (used by HTML form GET submissions and URLSearchParams) encodes space as +. Both decode back to a space when parsed correctly, but they aren't interchangeable: if you send + to a server that expects strict RFC 3986, the + is interpreted as a literal plus. Use URL Encode (Default) for path segments and arbitrary URI components, and URL Query Encode when you're matching form behavior. As a rule, search engines and modern frameworks accept both inside the query string, but only %20 inside the path.
+ even when the user typed a real plus sign?Yes β + is one of the RFC 3986 sub-delims. In a query string parsed as form-encoded, an unencoded + is read as a space. The classic bug is searching for "C++" and getting back results for "C " because the two pluses became two spaces. Always emit %2B when you mean a literal plus.
Yes. The encoder operates on UTF-8 bytes, so a Japanese character like ζ₯ (three UTF-8 bytes 0xE6 0x97 0xA5) encodes as %E6%97%A5, and a four-byte emoji like π encodes as %F0%9F%9A%80. UTF-8 is the encoding the W3C recommends and that all modern browsers use for URL inputs.
No β that produces double encoding, where %20 becomes %2520 (the % itself is re-encoded as %25). Before encoding, check whether the input already contains %XX sequences. If it does, decode it first (use URL Decoder) or treat it as already-encoded and pass it through untouched.
They encode by their byte value: newline (LF) is %0A, carriage return (CR) is %0D, a CRLF pair is %0D%0A, and a tab is %09. Most servers reject control characters in the path, but they're valid in POST bodies sent as x-www-form-urlencoded.
No. The encoder runs entirely in your browser via JavaScript β your input never leaves the tab. That makes it safe to use on internal URLs, API keys, JWTs, or any other sensitive material. If you need to encode a token, also see Base64 Encoder and JWT Decoder.
Yes. Paste a list with line breaks and the entire block is encoded as one string (newlines become %0A). If you need each line encoded independently, encode them one at a time, or split, encode, and rejoin in code.
The RFC 3986 unreserved set: ASCII letters A-Z and a-z, digits 0-9, and the four punctuation marks -, _, ., ~. Everything else either has reserved URL meaning or sits outside the safe ASCII range and must be percent-encoded somewhere in the URL.
https://example.com/ keep the slashes but encoding example.com/path may not?It depends on which JavaScript function you used. encodeURI is designed to encode a full URL and preserves :, /, ?, #, and a few others so the URL structure survives. encodeURIComponent is designed for a single component (one parameter value) and aggressively escapes /, :, ? and so on into %2F, %3A, %3F. This tool's URL Encode (Default) mode follows the strict per-character RFC 3986 rules β pick whichever mode matches the role of the string you're encoding.