What does the "strict" encoding mode do extra?

Standard `encodeURIComponent` does not encode the characters `! * ' ( )` because RFC 3986 marks them as "unreserved". In practice **some servers and OAuth flows treat them as reserved** when they appear inside a value, especially when signing requests. **Strict** mode encodes them too (`!` → `%21`, `*` → `%2A`, `'` → `%27`, `(` → `%28`, `)` → `%29`). Use it when integrating with OAuth 1.0, AWS Signature v4, or any signing scheme where mismatched encoding breaks the signature.

Why does decoding fail with "URI malformed"?

A **valid percent-encoded sequence** is `%` followed by **two hex digits** (`%20`, `%E2`, `%9C`). If you have a lone `%` followed by something else (`%Z`, `%2`, `%`) the decoder cannot match it to a byte. **Common causes**: text was encoded twice and then decoded once, a `%` sign appears as literal data (a price tag like "50% off") inside an already-encoded string, or the source got truncated mid-sequence. **Fix**: either re-encode the `%` as `%25`, or strip the broken sequence.

What does it mean when a query parameter has no value?

A URL like `?flag&debug=true&verbose` contains **two parameters without an equals sign** (`flag`, `verbose`). The HTML spec leaves the interpretation up to the server: some treat them as `true` booleans, some as empty strings, some as missing. **This tool shows them as `null`** to make the distinction visible: `?key=` (empty value) is different from `?key` (no value at all). Frameworks like Express, Rails and ASP.NET each handle this slightly differently, worth checking your backend if you rely on it.

How does the parser handle duplicate query keys like ?a=1&a=2?

**Both values are kept**, in the order they appeared in the URL. The table shows the key once with a **"2× duplicate"** badge and lists both values stacked. This matches how the native **`URLSearchParams.getAll(key)`** API works. **Real-world usage**: faceted search (`?tag=a&tag=b&tag=c`), array form fields (`?items[]=1&items[]=2`, the brackets are part of the key), or PHP-style nested keys (`?a[]=1&a[]=2`, which PHP reads as an array).

Why does the path show segments as a separate list?

A path like `/api/v1/users/42/posts` is a hierarchy: **API root → version → resource → id → sub-resource**. Splitting it into a numbered list of segments makes the structure visible at a glance and shows you whether any segment has unexpected **percent-encoding** (a misplaced `%20` inside a path segment usually means a frontend forgot to use `encodeURIComponent`).

Is it safe to put a password in a URL like https://user:pass@example.com?

**No, it is a bad practice**, and modern browsers warn you about it. The credentials end up in **server access logs, referrer headers, browser history, and HTTP proxies**. The URL format supports it for legacy reasons (FTP, basic auth bookmarklets), but for real authentication use **HTTP Basic Auth via the Authorization header**, an **API key in a custom header**, or a **session cookie**. The tool parses the userinfo part for debugging, but the password is masked with bullets so you do not accidentally screenshot it.

What is the fragment (the part after #)?

The **fragment** (also called the **anchor** or **hash**) is everything after the `#` in a URL. It is meant for **in-page navigation**: `page.html#section` jumps to the element with `id="section"`. It is **never sent to the server** by the browser, it stays in the client. Modern single-page apps (React Router in hash mode, old Angular) used to store the entire app state there to avoid server config (`#/users/42`). The tool parses it as a string, you would interpret the structure yourself.

Why is my accented character turning into something like %C3%A9?

URLs can only contain a **limited set of ASCII characters**. Anything outside that range (accented letters, Chinese characters, emoji) has to be **encoded as UTF-8 bytes** in percent notation. The letter **é** is 2 UTF-8 bytes: `0xC3 0xA9` → `%C3%A9`. **Café** becomes `Caf%C3%A9`. This is the correct behaviour, every modern browser and server expects URLs in this form. The tool decodes them back to readable text in the output.

Does this tool send my URL to a server?

**No.** Everything runs in your browser. The encoding, decoding and parsing all use **native JavaScript APIs** (`encodeURI`, `decodeURIComponent`, `new URL()`, `URLSearchParams`). No network call leaves the page, no log is written, nothing is stored. Safe for **internal company URLs, links with API keys, or anything sensitive** you would not paste into a random web form.

URL encoder and decoder - free

How do I encode, decode and parse a URL?

You need to put a search phrase into a link. You copied a URL with percent signs everywhere and you want to read what is actually inside. You are debugging an API and the query string looks like a wall of %20 and &. This tool covers all three.

Three modes in one place: Encode turns plain text into a safe URL fragment, Decode reverses it, Parse splits a full URL into its parts (scheme, host, port, path, query, fragment) and lays the query parameters into a table with proper handling of duplicates, missing values and encoded keys.

Everything runs in your browser. No network calls, no logs, no copies left behind.

How to use it

Pick a mode at the top: Encode, Decode or Parse. The input box changes its hint to match.
In Encode mode pick a strategy: encodeURI (encodes only unsafe chars, leaves reserved chars like `?&=` alone), encodeURIComponent (encodes the value of a single query parameter), or strict (the most aggressive, also encodes `! * ' ( )`).
In Decode mode paste a percent-encoded string. The tool flags malformed sequences like `%E0%A4` with a clear error instead of crashing silently.
In Parse mode paste a full URL like `https://user:pass@example.com:8443/api/v1/items?a=1&a=2&q=hello%20world&flag#section`. You get a table with scheme, username, password, host, port, path, query, fragment, plus the path split into segments and the query split into key/value rows.
Click Copy to copy the output. Click Load sample to populate the box with a representative example.
For query parameters the tool handles duplicates (`?a=1&a=2` shows both values with a "2× duplicate" badge), missing values (`?flag` shows as null), and percent-encoded keys (the original raw key sits next to the decoded one).

When this is useful

The most common situations where one of the three modes saves a few minutes of frustration:

Pasting a search phrase into a URL. You want a "share this search" link with a query like `?q=hello world & friends`. Spaces, ampersands and quotes break the URL. Encode mode turns it into a safe string you can drop straight into the link.
Reading a tracking link from an email. You got a marketing email and the link looks like a soup of percent signs. Decode mode shows you the actual destination, including any UTM tags, before you click.
Debugging an API call. The frontend sends a request and the server logs show `query=hello%20world%26friends`. Decode confirms what the server actually received versus what the frontend thought it sent.
Understanding a complex URL. A teammate sends a link with basic auth credentials, a non-default port, a long path and 10 query parameters. Parse mode lays it out as a table so you can see what is going where without squinting.
Validating a URL before storing it. You accept user-submitted URLs (a job board, a portfolio site). Parse mode flags invalid URLs with the native error message, so you can reject them before they hit your database.
Handling query strings with duplicates. A faceted-search URL has `?tag=react&tag=typescript&tag=nextjs`. The standard `URLSearchParams` gives you a flat list, but seeing all three values grouped under one key in the table makes the structure obvious.

For HTML-context escaping (showing `<` or `&` as literal text on a page) use the HTML entities encoder. For binary payloads, auth headers, or data URLs use the Base64 encoder.

Questions and answers

encodeURI is for encoding a whole URL. It leaves alone the characters that have a structural meaning in a URL: `: / ? & = # @ ; , $ +`. Use it when you have a complete URL with spaces or accented letters in it and you want to make it safe to use as `href`. encodeURIComponent is for encoding one piece of a URL (typically a query parameter value). It encodes those structural characters too, because inside a value `?` or `&` would be misread as a separator. Rule of thumb: encoding a full URL → encodeURI, encoding `value` in `?key=value` → encodeURIComponent.

How do I encode, decode and parse a URL?

Everything runs in your browser. No network calls, no logs, no copies left behind.

How to use it

Pick a mode at the top: Encode, Decode or Parse. The input box changes its hint to match.

In Encode mode pick a strategy: encodeURI (encodes only unsafe chars, leaves reserved chars like `?&=` alone), encodeURIComponent (encodes the value of a single query parameter), or strict (the most aggressive, also encodes `! * ' ( )`).

In Decode mode paste a percent-encoded string. The tool flags malformed sequences like `%E0%A4` with a clear error instead of crashing silently.

In Parse mode paste a full URL like `https://user:pass@example.com:8443/api/v1/items?a=1&a=2&q=hello%20world&flag#section`. You get a table with scheme, username, password, host, port, path, query, fragment, plus the path split into segments and the query split into key/value rows.

Click Copy to copy the output. Click Load sample to populate the box with a representative example.

For query parameters the tool handles duplicates (`?a=1&a=2` shows both values with a "2× duplicate" badge), missing values (`?flag` shows as null), and percent-encoded keys (the original raw key sits next to the decoded one).

When this is useful

The most common situations where one of the three modes saves a few minutes of frustration:

Pasting a search phrase into a URL. You want a "share this search" link with a query like `?q=hello world & friends`. Spaces, ampersands and quotes break the URL. Encode mode turns it into a safe string you can drop straight into the link.
Reading a tracking link from an email. You got a marketing email and the link looks like a soup of percent signs. Decode mode shows you the actual destination, including any UTM tags, before you click.
Debugging an API call. The frontend sends a request and the server logs show `query=hello%20world%26friends`. Decode confirms what the server actually received versus what the frontend thought it sent.
Understanding a complex URL. A teammate sends a link with basic auth credentials, a non-default port, a long path and 10 query parameters. Parse mode lays it out as a table so you can see what is going where without squinting.
Validating a URL before storing it. You accept user-submitted URLs (a job board, a portfolio site). Parse mode flags invalid URLs with the native error message, so you can reject them before they hit your database.
Handling query strings with duplicates. A faceted-search URL has `?tag=react&tag=typescript&tag=nextjs`. The standard `URLSearchParams` gives you a flat list, but seeing all three values grouped under one key in the table makes the structure obvious.

For HTML-context escaping (showing `<` or `&` as literal text on a page) use the HTML entities encoder. For binary payloads, auth headers, or data URLs use the Base64 encoder.

Questions and answers

URL encoder and decoder

How do I encode, decode and parse a URL?

How to use it

When this is useful

Questions and answers

Related tools

Base64 Encoder

JSON formatter

JWT decoder

URL encoder and decoder

How do I encode, decode and parse a URL?

How to use it

When this is useful

Questions and answers

Related tools

Base64 Encoder

JSON formatter

JWT decoder