#01
What Is URL Percent-Encoding?
URL percent-encoding is defined in RFC 3986. The URL specification only allows letters, digits and a small set of punctuation marks to appear literally; every other character must be "escaped" as a percent sign % followed by two hexadecimal digits.
For example, the characters "土豆" are encoded as %E5%9C%9F%E8%B1%86, and a space " " is encoded as %20 (or, for legacy form encoding, as +). The purpose is to allow arbitrary information to be transmitted reliably across ASCII-only networks.
To use our tool, just paste or type text into the input, select "Encode" or "Decode", then click "Execute" to convert.
#02
encodeURI vs encodeURIComponent — When to Use Which
Browsers expose two encoding functions, but they serve very different purposes. Here is how to choose:
- encodeURI: encodes an entire URL. It preserves characters with special meaning, such as : / ? # [ ] @ ! $ & ' ( ) * + , ; = - . _ ~. Use this when you want to convert a complete non-ASCII URL into something transmissible.
- encodeURIComponent: encodes a single parameter or path segment. It encodes every reserved character, so the resulting fragment is safe to place inside a query parameter, a path, or a hash. This is the most common function in backend / API development — and the default implementation used by this tool.
A widespread anti-pattern is "running the whole URL through encodeURIComponent and then pasting it into an href". Doing so encodes colons and slashes into %3A / %2F, breaking the URL entirely. The correct rule: use encodeURIComponent on parameter values only, not on the whole URL.
#03
Data Security & Privacy
URL query parameters and path segments often carry sensitive information — internal API paths, user IDs, redirect targets, and so on. Submitting them to a third-party server means they can be logged and leaked.
This tool is built around the principle of "100% frontend-only operation". Every encoding and decoding operation happens locally in your browser — no input or output is sent to any server, and nothing is persisted or cached. You can even disconnect from the network and keep using it.
For highly sensitive URLs (e.g. internal APIs, addresses with tokens), we recommend working in an offline or otherwise controlled environment, or manually redacting sensitive fields before pasting, to enforce the principle of least exposure.