URL Encode & Decode Online – Fix Encoding Issues
Paste a URL or string — encode or decode it in one click
No signup • Runs in browser • Free
You build a redirect URL, append a query parameter with a user-provided value, and the link breaks. The browser receives ?name=John Smith&city=New York and turns it into a mangled request that your backend cannot parse. Or you paste a URL into a curl command, the shell interprets the & as a background operator, and only half the parameters arrive. These are URL encoding problems — and a URL encoder online fixes them in under a second.
Percent-encoding is the mechanism that makes arbitrary text safe to include in a URL. It replaces characters that have special meaning in a URL — spaces, colons, slashes, ampersands — with a % followed by the two-digit hex code for that character. Understanding when and how to encode is one of those fundamentals that saves hours of debugging query string issues, OAuth callback errors, and redirect failures.
# Raw string — breaks when placed inside a URL:
name=John Smith&city=New York&url=https://example.com/path
# URL-encoded — safe to use as a query parameter:
name=John%20Smith&city=New%20York&url=https%3A%2F%2Fexample.com%2Fpath
# Common percent-encoded characters:
space → %20    : → %3A    / → %2F
?     → %3F    & → %26    = → %3D
@     → %40    # → %23    + → %2B
Quick summary
- ✓ URL encoding replaces unsafe characters with %XX hex sequences so URLs remain valid.
- ✓ Spaces, colons, slashes, and ampersands all need encoding when used inside query parameter values.
- ✓ Double-encoding (%2520 instead of %20) is the most common mistake when building URLs programmatically.
- ✓ DevToolBox tools run entirely in your browser — no signup.
What Is URL Encoding?
Only a limited set of characters can appear in a URL as literal data: letters, digits, and a handful of punctuation marks (-, _, ., ~), the set RFC 3986 calls unreserved. Everything else, including spaces, non-ASCII characters, and punctuation that carries meaning in the URL structure itself, must be percent-encoded when it is used as data rather than as a delimiter.
Percent-encoding, defined in RFC 3986, works by replacing each unsafe byte with % followed by its two-digit hexadecimal representation. A space becomes %20. A colon becomes %3A. A forward slash becomes %2F. The result is a string that contains only characters that every HTTP client, server, and proxy understands without ambiguity.
There is a subtle but important distinction between encoding a full URL and encoding a query parameter value. When you encode a full URL, you preserve the structural characters (://, /, ?, &). When you encode a query parameter value, you encode everything including those characters, because the value should not be interpreted as URL structure.
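The distinction above, shown with JavaScript's built-in encodeURI and encodeURIComponent and parsed back the way a receiving server would. This is an added example, not DevToolBox code; the app.example endpoint, the sample values and the function names are constructed for illustration.

```javascript
// Constructed sample: a destination URL that carries its own query string.
const target = "https://example.com/path?foo=1&bar=2";
const base = "https://app.example/redirect"; // hypothetical outer endpoint

// encodeURI treats its input as a whole URL and preserves ?, & and =,
// so the inner query string leaks into the outer URL.
function buildWithEncodeURI(dest) {
  return base + "?url=" + encodeURI(dest);
}

// encodeURIComponent encodes every structural character in the value.
function buildWithEncodeURIComponent(dest) {
  return base + "?url=" + encodeURIComponent(dest);
}

// What the receiver sees: top-level parameter names and the decoded "url".
function parseOuter(href) {
  const params = new URL(href).searchParams;
  return { names: [...params.keys()], url: params.get("url") };
}

// Value of ?q= as the receiver decodes it. URLSearchParams applies
// form-urlencoded rules, so a raw + is read as a space.
function receivedQuery(valueAsSent) {
  const href = "https://app.example/search?q=" + valueAsSent;
  return new URL(href).searchParams.get("q");
}

const leaked = parseOuter(buildWithEncodeURI(target));
const intact = parseOuter(buildWithEncodeURIComponent(target));
console.log(leaked); // bar shows up as its own top-level parameter
console.log(intact); // single "url" parameter, value round-trips
console.log(JSON.stringify(receivedQuery("C++ programming")));
console.log(JSON.stringify(receivedQuery(encodeURIComponent("C++ programming"))));
```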
Why Developers Use URL Encoding
The obvious use case is building URLs that include user-provided data. But developers reach for URL encoding in several other everyday situations.
- Constructing redirect URLs. When you redirect a user to a login page and include the original destination as a redirect_uri parameter, that destination URL must be encoded. An unencoded ? or & inside the value will be interpreted as part of the outer URL structure, truncating or mangling the redirect target.
- OAuth and API authentication. OAuth 2.0 flows pass tokens, scopes, and callback URLs as query parameters. Any special character in a scope name or callback URL that is not properly encoded will cause the authorization server to reject the request with a cryptic error.
- Passing search queries. If your app forwards a user-entered search term to an API, that term must be encoded. A search for C++ programming must become C%2B%2B%20programming — otherwise the + characters vanish or are misinterpreted.
- Debugging received URLs. When your server logs show a percent-encoded URL and you need to understand what was actually requested, decoding it is the first step. Pasting it into a URL decoder is faster than reading the hex table mentally.
- Working with Base64 in URLs. Standard Base64 uses + and /, which are unsafe in URLs. See our guide on Base64 encoding and decoding for the Base64URL variant that handles this correctly.
If your API responses carry JSON payloads with encoded values, our JSON formatter guide covers how to inspect and debug those alongside your URL parameters.
How to URL Encode and Decode Online
Using the DevToolBox URL Encoder takes about ten seconds.
- Open the tool in your browser. No account, no install, no setup required.
- Paste your string or URL into the input box. You can paste a raw query parameter value, a full URL, or just the piece you are unsure about.
- Choose Encode or Decode. The result appears immediately — no button to click, no page reload.
- Copy the output and paste it back into your code, curl command, or browser address bar.
DevToolBox tools run entirely in your browser — no signup, no data sent to a server. This matters when you are working with URLs that contain internal hostnames, API keys, or user-identifying information.
Common URL Encoding Errors and How to Fix Them
# ✗ Error: space in query parameter value
GET /search?q=hello world # space breaks the URL — request may fail or be truncated
# ✗ Error: unencoded ampersand inside a value
GET /redirect?url=https://example.com?foo=1&bar=2
# bar=2 is parsed as a separate top-level parameter, not part of the redirect URL
# ✗ Error: double-encoding
# Encoding an already-encoded string produces %25 instead of %
%20 → encoded again → %2520 # server receives literal "%20" as the value, not a space
# ✓ Correct encoding
GET /search?q=hello%20world
GET /redirect?url=https%3A%2F%2Fexample.com%3Ffoo%3D1%26bar%3D2
- Unencoded spaces. A space in a URL is technically invalid. Browsers are lenient and often convert spaces to %20 automatically, but HTTP clients and APIs are not. If you are building URLs in code, always encode spaces explicitly. Note that + is sometimes used for spaces in form-encoded query strings, but %20 is the correct percent-encoding and works everywhere.
- Unencoded ampersands in parameter values. The & character separates query parameters. If your parameter value contains an & — for example, a redirect URL with its own query string — it must be encoded as %26. Missing this is the most common cause of redirect and OAuth callback failures.
- Double-encoding. This happens when you encode a string that is already encoded. The % in %20 becomes %25, turning the sequence into %2520. The server then decodes it to the literal string %20 rather than a space. If your server is receiving %25XX sequences, you are double-encoding somewhere in your pipeline.
- Encoding the entire URL instead of just the value. When you need to include a URL as a query parameter value, encode only the value — not the outer URL structure. Encoding the full string including the outer https:// turns the ? and & delimiters into gibberish that the outer router cannot parse.
- Non-ASCII characters without encoding. If your values contain accented characters, emoji, or characters from non-Latin scripts, they must be UTF-8 encoded and then percent-encoded. Most modern HTTP libraries handle this automatically, but older or lower-level code may not.
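One way to spot the %25XX pattern described under double-encoding is to scan the raw (undecoded) query string from a request log. This is an added example, not DevToolBox code; the function name and the sample query are constructed, and a hit is only a candidate, since a value that legitimately contains the literal text %20 also encodes to %2520.

```javascript
// An encoded percent sign followed by two hex digits, e.g. %2520 or %253A.
const DOUBLE_ENCODED = /%25[0-9A-Fa-f]{2}/;

// Returns the parameters in a raw query string whose values look
// double-encoded, with the value decoded exactly once for inspection.
function findDoubleEncoded(rawQuery) {
  const hits = [];
  for (const pair of rawQuery.replace(/^\?/, "").split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const rawValue = eq === -1 ? "" : pair.slice(eq + 1);
    if (!DOUBLE_ENCODED.test(rawValue)) continue;

    let decodedOnce;
    try {
      decodedOnce = decodeURIComponent(rawValue);
    } catch {
      decodedOnce = null; // malformed escape elsewhere in the value
    }
    hits.push({ name, rawValue, decodedOnce });
  }
  return hits;
}

// Constructed sample: q and url were encoded twice, city only once.
const sampleQuery =
  "?q=hello%2520world&city=New%20York&url=https%253A%252F%252Fexample.com";

for (const hit of findDoubleEncoded(sampleQuery)) {
  console.log(`${hit.name}: ${hit.rawValue} -> ${hit.decodedOnce}`);
}
```

When a parameter is flagged, fix the step that encodes it twice rather than decoding twice on the receiving side.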
Frequently Asked Questions
What is the difference between encodeURI and encodeURIComponent?
encodeURI encodes a full URL while preserving structural characters like ://, /, ?, and &. encodeURIComponent encodes everything, including those characters, making it the right choice for encoding individual query parameter values. When in doubt, use encodeURIComponent for values.
Is %20 or + the correct encoding for a space?
Both are used, but in different contexts. %20 is the correct percent-encoding for a space in any part of a URL. + means space only in application/x-www-form-urlencoded data (HTML form submissions). For API URLs and query strings built in code, use %20 — it works everywhere without ambiguity.
Do I need to encode a URL before putting it in a query parameter?
Yes, always. A URL used as a query parameter value must be fully encoded — including its ://, slashes, and any ? or & characters — so the outer URL structure remains unambiguous. This is the most frequent source of broken OAuth redirect URIs and analytics tracking links.
Is it safe to paste URLs into an online encoder?
With DevToolBox, yes. The URL encoder and decoder run entirely in your browser using JavaScript — nothing you paste is transmitted to any server. You can safely encode URLs that contain internal hostnames, tokens, or user-identifying query parameters.
Conclusion
URL encoding is one of those things that works invisibly until it doesn't — and when it breaks, the errors are often confusing. A truncated redirect, a malformed OAuth callback, a search query that drops its special characters: all of these trace back to a missing or misapplied percent-encoding step.
The fix is usually simple once you know what to look for. Encode parameter values individually, never double-encode, and use %20 for spaces in URLs. When you are unsure whether a string is correctly encoded — or need to decode one quickly to read it — paste it into the DevToolBox URL Encoder. DevToolBox tools run entirely in your browser — no signup, no install, nothing sent to a server.