URL Encoding Explained: When (and How) to Percent-Encode Your URLs
Why URLs Need Encoding
URLs are not allowed to contain arbitrary characters. The spec (RFC 3986) limits them to a small set: letters, digits, and a handful of punctuation marks. Anything outside that set — spaces, accented letters like `é`, CJK characters, emojis, ampersands inside a value, or even a forward slash that's part of data rather than path — has to be **percent-encoded**.
Percent encoding is simple: take the character's UTF-8 byte representation and write each byte as `%` followed by two hex digits. A space becomes `%20`. A `&` becomes `%26`. The letter `é` (two UTF-8 bytes) becomes `%C3%A9`.
The Two Functions Everyone Confuses
JavaScript ships two encoding functions and developers mix them up constantly:
The rule of thumb: **building a URL from pieces? Use `encodeURIComponent` on each piece. Cleaning up a URL someone gave you? Use `encodeURI`.**
Our [URL Encoder/Decoder](/url-encoder-decoder) exposes both as "Component" and "Full URL" modes.
A Concrete Example
Say you want a URL like:
```
https://api.example.com/search?q=hello & world&lang=en
```
If you naively paste this into a browser, the `&` inside the value `hello & world` will be interpreted as a new query parameter named ` world`. Wrong. The right way is to encode the **value** with `encodeURIComponent`:
```
q = encodeURIComponent("hello & world") // → "hello%20%26%20world"
url = "https://api.example.com/search?q=" + q + "&lang=en"
```
The final URL is `...?q=hello%20%26%20world&lang=en` — the encoded `&` (`%26`) is now safely part of the value, and the literal `&` between `q` and `lang` correctly separates parameters.
Decoding: The Mirror Image
Decoding reverses the process. `%20` becomes a space, `%26` becomes `&`, `%C3%A9` becomes `é`. Two things go wrong most often:
When Encoding Bites You
Real-world traps:
Security Angle
URLs often carry sensitive data: API keys, OAuth state, signed S3 URLs, session tokens, customer IDs. Online encoder tools that POST your URL to a server can log it, breach it, or leak it through analytics. Look for tools that explicitly process **locally in the browser**.
Ours does — encoding and decoding both happen via the native `encodeURI` / `decodeURIComponent` APIs in your browser. The URL never leaves your device. You can verify this in your browser's network tab: clicking Encode or Decode triggers exactly one tiny credit deduction request, which contains no URL data.
A Quick Workflow
A practical pattern when you're debugging a broken URL:
Conclusion
URL encoding is one of those topics that looks trivial until it bites you in production with a corrupted query string or a 404 on a path you swore was valid. Once you internalize the distinction between **encoding a value** and **encoding a whole URL**, 90% of the bugs disappear. The other 10% — double encoding, plus-vs-space, fragment edge cases — get easier when you have a fast, local tool to decode and re-encode without round-tripping through a server. Our [URL Encoder/Decoder](/url-encoder-decoder) does exactly that, with both modes one click apart.