iToolVerse Logo
iToolVersev4.6

URL Encoder

Encode text, build URLs from scratch, pick the right strictness

Encode any text for safe use in a URL, or assemble a URL from scheme, host, path, and query parameters with each part encoded correctly. Pick between full-URL, value, form-encoded (+ for space), and strict RFC 3986 modes. Includes a complete character → %XX reference with per-character explanations, format-specific recipes (mailto:, OAuth, sms:, form post, …), and a batch mode.

Need to decode instead? Use the URL Decoder.
Go to URL Decoder

Input text

Encoding mode

Encoded output
Value / parameter

Encoded output will appear here.

Related web tools

URL Decode
Decode URLs, parse query parameters, and strip tracking codes (utm_*, fbclid, gclid)
Base64 Encode
Encode text to Base64 format
Base64 Decode
Decode Base64 encoded text
JSON Beautify
Format, validate, and convert JSON — generate TypeScript, Go, Python, Pydantic, Rust types; tree view; auto-unstringify Redis-style JSON
Regex Tester
Test and validate regular expressions with real-time highlighting
HTML Viewer
Preview HTML & SVG live in your browser — works unblocked on Chromebooks, iPads, and locked-down devices

Encoding recipes for common formats

Eight real-world scenarios where you need to encode — with the right mode, a sample, and the encoded output. Click a card to expand.

Character → Encoding Reference

Every common character with its percent-encoded form. Click a row for a longer explanation of where the character matters in URL syntax.

CharacterNameEncodedUnicodeType
· (space)Space%20U+0020
encoded
!Exclamation mark%21U+0021
reserved
"Double quote%22U+0022
encoded
#Hash / number sign%23U+0023
reserved
$Dollar sign%24U+0024
reserved
%Percent sign%25U+0025
encoded
&Ampersand%26U+0026
reserved
'Apostrophe%27U+0027
reserved
(Left parenthesis%28U+0028
reserved
)Right parenthesis%29U+0029
reserved
*Asterisk%2AU+002A
reserved
+Plus sign%2BU+002B
reserved
,Comma%2CU+002C
reserved
/Forward slash%2FU+002F
reserved
:Colon%3AU+003A
reserved
;Semicolon%3BU+003B
reserved
<Less-than sign%3CU+003C
encoded
=Equals sign%3DU+003D
reserved
>Greater-than sign%3EU+003E
encoded
?Question mark%3FU+003F
reserved
@At sign%40U+0040
reserved
[Left square bracket%5BU+005B
reserved
\Backslash%5CU+005C
encoded
]Right square bracket%5DU+005D
reserved
^Caret%5EU+005E
encoded
`Backtick%60U+0060
encoded
{Left curly brace%7BU+007B
encoded
|Pipe%7CU+007C
encoded
}Right curly brace%7DU+007D
encoded
~Tilde%7EU+007E
encoded
↵ (LF)Line feed (LF)%0AU+000A
encoded
↵ (CR)Carriage return (CR)%0DU+000D
encoded
→ (tab)Tab%09U+0009
encoded

Reservedcharacters have special meaning in URL syntax — encode them inside values to avoid changing the URL's structure. Encodedcharacters aren't valid as literals in URLs at all. Letters, digits, and - . _ ~ are unreserved and never need encoding.

When and why each character is encoded

One short section per character — useful when you're composing a URL and unsure whether a specific character needs encoding.

Encode space (· (space)) → %20

Spaces are not allowed in URLs and must always be percent-encoded. In application/x-www-form-urlencoded bodies (HTML form posts), spaces are encoded as `+` instead.

Encode exclamation mark (!) → %21

Reserved sub-delim. Modern encoders leave it unencoded in path components.

Encode double quote (") → %22

Always encoded — invalid as a literal character in URLs.

Encode hash / number sign (#) → %23

Reserved as the fragment separator (everything after `#` is the fragment). Must be encoded inside path or query values.

Encode dollar sign ($) → %24

Reserved sub-delim — usually left unencoded in path components.

Encode percent sign (%) → %25

A literal `%` must be encoded as `%25` — otherwise it starts a percent-encoded sequence and decoders will throw.

Encode ampersand (&) → %26

Separator between query parameters. Must be encoded inside a parameter value or it breaks parsing.

Encode apostrophe (') → %27

Sub-delim. Often encoded by encoders even when allowed, to be safe.

Encode left parenthesis (() → %28

Sub-delim. Usually left unencoded in modern URLs.

Encode right parenthesis ()) → %29

Sub-delim. Usually left unencoded in modern URLs.

Encode asterisk (*) → %2A

Sub-delim. Often encoded in older systems; modern URLs typically leave it as-is.

Encode plus sign (+) → %2B

Special case: in standard URLs `+` is a literal `+`. In `application/x-www-form-urlencoded` data (HTML form submissions and query strings posted by forms), `+` is a SPACE — many bugs live here.

Encode comma (,) → %2C

Sub-delim. Common in faceted-navigation URLs as a value separator (e.g. `colors=red,blue`).

Encode forward slash (/) → %2F

Path separator. Must be encoded inside a path segment or query value to avoid being interpreted as a new path level.

Encode colon (:) → %3A

Reserved separator (between scheme/host, between host/port, between user/password in userinfo).

Encode semicolon (;) → %3B

Sub-delim. Historically used as a path-parameter separator (rare today).

Encode less-than sign (<) → %3C

Always encoded — security-sensitive (used in XSS attacks if leaked into HTML).

Encode equals sign (=) → %3D

Separator between query parameter name and value. Must be encoded inside a value.

Encode greater-than sign (>) → %3E

Always encoded — security-sensitive (used in XSS attacks if leaked into HTML).

Encode question mark (?) → %3F

Reserved — marks the start of the query string. Must be encoded inside a path or value.

Encode at sign (@) → %40

Reserved — separates userinfo from the host in `user@host`. Common in encoded email addresses.

Encode left square bracket ([) → %5B

Reserved — wraps IPv6 literal addresses in URLs (e.g. `http://[::1]/`).

Encode backslash (\) → %5C

Not valid in URLs and must be encoded. Browsers often silently convert to `/`.

Encode right square bracket (]) → %5D

Reserved — closes IPv6 literal addresses.

Encode caret (^) → %5E

Always encoded — not in the URL unreserved set.

Encode backtick (`) → %60

Always encoded — not in the URL unreserved set.

Encode left curly brace ({) → %7B

Always encoded — frequently appears in JSON values passed through query parameters.

Encode pipe (|) → %7C

Always encoded.

Encode right curly brace (}) → %7D

Always encoded — frequently appears in JSON values passed through query parameters.

Encode tilde (~) → %7E

Unreserved — should not be encoded, but older encoders sometimes do.

Encode line feed (lf) (↵ (LF)) → %0A

Newline. Always encoded — security-sensitive (CRLF injection).

Encode carriage return (cr) (↵ (CR)) → %0D

Always encoded — security-sensitive (CRLF injection in HTTP headers).

Encode tab (→ (tab)) → %09

Always encoded.

Encoding non-ASCII characters (UTF-8)

Anything outside ASCII (accented letters, ideographs, emoji) is converted to its UTF-8 byte sequence and each byte is percent-encoded. A few common examples:

CharacterNameEncoded
ée with acute (French, Spanish)%C3%A9
üu with diaeresis (German)%C3%BC
en dash%E2%80%93
left curly quote%E2%80%9C
check mark%E2%9C%93
🚀rocket emoji (4-byte sequence)%F0%9F%9A%80

Batch encode

Paste many values, one per line. Useful for batch URL generation, analytics tagging, and bulk migrations.

Mode:

URL Encoding Reference

What URL encoding actually does, which mode to use when, and how to encode the same value in different programming languages.

What is URL encoding?

URLs can only contain a small set of ASCII characters. Anything else — spaces, accented letters, emoji, symbols with special meaning like ? & = #, or bytes outside ASCII — must be written as %XX where XX is two hex digits. URL encoding (also called percent-encoding) is the process of producing those %XX sequences.

Which mode should I use?

Full URL

Encodes the whole URL but leaves URL-structural characters (/ : ? & = #) alone, so the result is still a valid URL. Use when you have a URL with spaces or accents in the path and want it normalized.

Value / parameter

Encodes everything outside the unreserved set. Use when you have a single piece — one path segment, one query value, one fragment — that will be plugged into a URL.

Form-encoded

Same as Value but spaces become + instead of %20. Match this when posting to an endpoint expecting application/x-www-form-urlencoded.

Strict RFC 3986

JavaScript's built-in encodeURIComponent leaves ! * ' ( ) unencoded even though RFC 3986 classifies them as reserved sub-delimiters. Strict mode encodes them too — needed by some OAuth providers and signature schemes (AWS, Twitter API v1).

Encoding in different languages

JavaScript / TypeScript

// Full URL
encodeURI('https://x.com/a b')

// Value
encodeURIComponent('hello world!')

// Form-encoded
new URLSearchParams({q: 'hello world'}).toString()
// 'q=hello+world'

// Strict RFC 3986
encodeURIComponent(s).replace(/[!'()*]/g,
  c => '%' + c.charCodeAt(0).toString(16))

Python

from urllib.parse import quote, quote_plus, urlencode

# Value (strict by default — encodes !*'()
quote('hello world!')        # 'hello%20world%21'

# Form-encoded (+ for space)
quote_plus('hello world')    # 'hello+world'

# Build a query string from a dict
urlencode({'q': 'hello world'})

PHP

// Value
rawurlencode('hello world!');
// 'hello%20world%21'

// Form-encoded (+ for space)
urlencode('hello world');
// 'hello+world'

// Build a query string from an array
http_build_query(['q' => 'hello world']);

Ruby

require 'cgi'
require 'uri'

# Form-encoded (+ for space)
URI.encode_www_form_component('hello world')
# 'hello+world'

# Build a query string
URI.encode_www_form(q: 'hello world')

Go

import "net/url"

// Form-encoded (+ for space)
url.QueryEscape("hello world")
// "hello+world"

// Path-safe (%20 for space)
url.PathEscape("hello world")
// "hello%20world"

Bash / Shell

# With python
python3 -c "import sys, urllib.parse as p;
print(p.quote(sys.argv[1]))" 'hello world'

# With jq
jq -rn --arg v 'hello world' '$v | @uri'

# Native (POSIX)
printf '%s' "hello world" | \
  od -An -tx1 -v | tr -d ' \n' | \
  sed 's/../%&/g'

Gotchas that bite developers

Double encoding

If you encode an already-encoded string, every % in it becomes %25, so %20 turns into %2520. This usually means data passes through one encoding layer too many. The encoder above warns you when the input already looks encoded.

Encoding the whole URL with the wrong mode

If you pass a full URL through Value / parameter mode, the slashes, colons, and question marks get encoded — and the URL becomes a single opaque blob. Use Full URL for whole URLs, or build the URL piece-by-piece using the Build URL tab.

Spaces: + vs %20

In strict URL syntax, + is a literal plus and spaces are always %20. But HTML forms encode spaces as + in their application/x-www-form-urlencoded body. Pick Form-encoded mode when your target expects that.

Encoding path segments individually

For paths like /users/My Document.pdf, encode each segment separately — never encode the whole path at once, or the / separators get encoded too. The Build URL tab handles this for you.

Security: never trust input

Encoding prevents URL parsing bugs but isn't a security feature. If decoded data is later injected into HTML, SQL, or a shell command, you still need contextual sanitization at that boundary.

URL encoder FAQs

Common questions about URL encoding, percent-encoded characters, and URL formats.