What is percent encoding?

Percent encoding (URL encoding) represents bytes as % followed by two hex digits (e.g., space → %20). For text, UTF-8 bytes are typically encoded, so non-ASCII characters become multiple %XX sequences. It keeps delimiters in URLs unambiguous.

Which characters are reserved in URLs?

RFC 3986 reserves : / ? # [ ] @ ! $ & ' ( ) * + , ; = for structural roles in URIs. Encoding them when they are data—not syntax—prevents parsers from mis-splitting scheme, authority, path, and query.

What is the difference between encodeURI and encodeURIComponent?

encodeURI is meant for mostly intact URIs: it encodes characters that break parsing but leaves :, /, ?, #, etc. encodeURIComponent encodes almost everything except A–Z a–z 0–9 - _ . ~ — use it for query parameter values and form data.

How does UTF-8 appear in URLs?

Each UTF-8 byte becomes its own percent escape. For example, é is two bytes in UTF-8, so you may see two escapes. Servers and clients must agree on UTF-8; legacy systems sometimes mishandle this.

When should I encode URLs?

Encode user-supplied or dynamic values before placing them in query strings or path segments. Do not double-encode. If you are moving arbitrary binary as text, consider [Base64 Encoder](/base64-encoder) instead of percent-encoding raw bytes in URLs.

URL Encoder & Decoder — Percent Encoding

Percent encoding keeps URLs unambiguous when data contains reserved characters or non-ASCII text. WMCoder encodes and decodes so you can debug APIs, redirects, and query strings fast.

Try it now: Open the free URL Encoder & Decoder — Percent Encoding tool — no sign-up required.

Why URL encoding matters

URLs are parsed by position: scheme, authority, path, query, fragment. If a space, &, or # appears inside data meant for a query value, the client may treat it as a delimiter. Percent encoding replaces problematic bytes with %HH so the structure stays intact. Modern stacks assume UTF-8 for IRIs; getting encoding wrong shows up as Mojibake, broken OAuth redirects, or APIs that reject signatures because the canonical string did not match what was actually sent.

Some frameworks automatically decode once when binding parameters, then encode again on redirect—if your code also encodes, you can accidentally ship double-encoded values. Logging should capture both the wire form and the logical value when debugging internationalized slugs or email addresses in paths.

Reserved characters and components

Not every part of a URL follows the same rules. A slash in a path segment often must be encoded as %2F when it is data, but slashes that separate segments stay literal. Hash fragments (#) are not sent to the server in HTTP requests—encoding decisions there affect client-side routing. When building signed URLs or caches, document exactly which encoding normalization you use; mismatches between languages (Java vs JavaScript vs Go) cause subtle production bugs.

Encoding across languages and tools

Browsers expose encodeURI / encodeURIComponent; server frameworks offer equivalents. Libraries for HTTP clients usually encode form bodies per application/x-www-form-urlencoded. When hand-building strings, prefer library helpers over manual concatenation. For opaque binary in headers or bodies, percent encoding in the URL is rarely right—use proper multipart, raw body, or Base64 Encoder. To fingerprint canonical URL strings for caching or deduplication, Hash Generator can help compare normalized forms.

Using WMCoder effectively

Paste the string you are unsure about and decode it to see the literal text—or encode untrusted input before it hits a redirect URL. If you are debugging APIs, compare encoded query keys and values against server logs. Keep one source of truth for whether parameters were encoded once or twice; double encoding produces %2520 instead of %20 and breaks many consumers.

Signed callbacks, OAuth, and canonical strings

OAuth 2.0 and many webhooks sign a canonical representation of the request—method, path, sorted query keys, or a hash of the body. If your client encodes space as + in one place and %20 in another, or sorts parameters differently than the server, validation fails even though both sides “look” right in the browser. Document whether + in query strings means space (common for application/x-www-form-urlencoded) versus a literal plus that must stay encoded. When payloads are JSON, validate structure with JSON Formatter before you argue about the signature input. For opaque binary in a header or body field, Base64 Encoder is usually cleaner than trying to percent-escape raw bytes inside a URL.

Frequently Asked Questions

What is percent encoding?: Percent encoding (URL encoding) represents bytes as % followed by two hex digits (e.g., space → %20). For text, UTF-8 bytes are typically encoded, so non-ASCII characters become multiple %XX sequences. It keeps delimiters in URLs unambiguous.
Which characters are reserved in URLs?: RFC 3986 reserves : / ? # [ ] @ ! $ & ' ( ) * + , ; = for structural roles in URIs. Encoding them when they are data—not syntax—prevents parsers from mis-splitting scheme, authority, path, and query.
What is the difference between encodeURI and encodeURIComponent?: encodeURI is meant for mostly intact URIs: it encodes characters that break parsing but leaves :, /, ?, #, etc. encodeURIComponent encodes almost everything except A–Z a–z 0–9 - _ . ~ — use it for query parameter values and form data.
How does UTF-8 appear in URLs?: Each UTF-8 byte becomes its own percent escape. For example, é is two bytes in UTF-8, so you may see two escapes. Servers and clients must agree on UTF-8; legacy systems sometimes mishandle this.
When should I encode URLs?: Encode user-supplied or dynamic values before placing them in query strings or path segments. Do not double-encode. If you are moving arbitrary binary as text, consider [Base64 Encoder](/base64-encoder) instead of percent-encoding raw bytes in URLs.

Ready to try it yourself?

Use URL Encoder & Decoder — Percent Encoding for Free