All processing runs in your browser — no files or inputs are uploaded to a server.
Pick Encode or Decode at the top right, paste your text, and the converted result appears live in the right pane. Encode runs the standard encodeURIComponent — every byte outside the unreserved set (A–Z, a–z, 0–9, and `-_.~`) is replaced with its `%XX` UTF-8 hex form. Decode does the reverse, throwing a clear error if the input contains a malformed `%` escape.
Reach for this when a value needs to ride through a URL: a query string parameter, a path segment, a redirect target. Forms and modern HTTP libraries usually handle encoding automatically, but you'll need a manual pass when assembling URLs by hand, debugging webhook callbacks, or pasting a tracking link a colleague sent. Everything runs in the browser, so URLs holding tokens or PII stay on your machine.
hello world & 안녕하세요
hello%20world%20%26%20%EC%95%88%EB%85%95%ED%95%98%EC%84%B8%EC%9A%94
Space becomes %20. Korean text encodes to UTF-8 first, so each Hangul syllable expands to three bytes (%XX%XX%XX). The ampersand is escaped because encodeURIComponent treats it as a value-level character — safe to drop into a query string.
%2Fposts%2F%ED%95%9C%EA%B8%80-%EC%A0%9C%EB%AA%A9%2F
/posts/한글-제목/
Slashes were encoded because encodeURIComponent treats them as value characters. Decoding restores the original UTF-8 string. If a request log shows %2F, that's a sign the producer used the component-level encoder instead of the URI-level one.
hello %2 world
URI malformed
decodeURIComponent throws when `%` is not followed by two hex digits. Common cause: pasting a URL where some characters were already decoded by the source, leaving stray `%` signs behind.
No. Percent-encoding is a reversible transformation that anyone can undo without a key. It exists to fit arbitrary text into URL syntax (where `?`, `&`, `=`, space, and `#` already carry structural meaning), not to hide content. Never use it as a security layer.
encodeURIComponent. The difference matters: encodeURI preserves URL structural characters like `:` `/` `?` `&` `#` (suitable for a *whole URL*), while encodeURIComponent escapes them too (suitable for a *single value* embedded in a URL). If you paste an entire URL and only want the query value transformed, split it manually first.
encodeURIComponent uses `%20` for spaces and never produces `+`. The `+` = space convention belongs to the older `application/x-www-form-urlencoded` format used by HTML form submissions. If your input uses `+` for spaces, replace `+` with `%20` before decoding here, or use a form-urlencoded decoder.
Modern browsers render percent-encoded UTF-8 as the original characters for readability, but they store and copy the raw encoded form for accurate transmission. The two are equivalent representations of the same URL — both decode to the same text here.
No — this tool handles only the value side (path, query, fragment). Hostnames with non-ASCII characters use Punycode (`xn--…`) instead of percent-encoding and need a different conversion. Modern browsers display the Unicode form but transmit Punycode under the hood.
These four characters form the *unreserved* set in RFC 3986. They never need escaping because they cannot be confused with URL structural characters. encodeURIComponent intentionally passes them through.
Percent-encoding (also called URL encoding) is defined by RFC 3986. Each byte outside the *unreserved* set (A–Z, a–z, 0–9, `-` `_` `.` `~`) becomes a `%` followed by two uppercase hex digits. Because URLs are byte-oriented, non-ASCII text is first converted to UTF-8, then each byte is percent-escaped — that's why a 3-byte Korean syllable expands to nine characters (`%XX%XX%XX`).
JavaScript exposes four related functions and they behave differently. `encodeURI` and `decodeURI` preserve URL structural characters (`: / ? & = # @`), suitable for whole URLs. `encodeURIComponent` and `decodeURIComponent` escape those too, suitable for individual values embedded in a URL — this tool uses the latter pair. A separate scheme, `application/x-www-form-urlencoded`, encodes spaces as `+` instead of `%20` and is what HTML forms produce; many backend frameworks accept both.
Three adjacent concepts often get confused with percent-encoding. **Base64** packs binary into ASCII text but uses `+` and `/` that themselves need URL-escaping (base64url solves this). **HTML entities** (`&`, `😀`) escape characters for HTML, not URLs. **Punycode** (`xn--…`) handles internationalized domain names because hostnames cannot use percent-encoding.
Encode text to Base64 or decode Base64 back to text. UTF-8 safe.
Decode JWT header and payload locally. Signature is not verified — paste tokens at your discretion.
Parse a URL or query string into key/value pairs, edit them, and rebuild a clean query string.
Format and validate JSON. Indented or minified output, with clear error messages.
