URL Encoder / Decoder
Percent-encode or decode URLs and query values in your browser. Two strength modes for the two common cases — query values vs whole URLs.
0 characters
0 characters
How to URL-encode or decode online
Paste your string into the Input box. Pick Encode or Decode. Pick the strength: Component uses encodeURIComponent / decodeURIComponent and is the right choice for query string values (it escapes :, /, ?, #, &, =). Whole URL uses encodeURI and leaves URL-syntax characters alone — the right choice when you have a full URL you just want to make safe.
Why a local URL encoder matters
The URLs you need to encode often contain something private: API keys in a query string, signed S3 download URLs, OAuth tokens, internal hostnames. A third-party encoder that ships those over the wire is a needless leak. ToolChop runs entirely in your browser, and once the page is loaded it works offline.
Component vs Whole URL — the bug you keep hitting
If you encode a whole URL like https://example.com/?q=hi with Component strength, the : in https:// gets escaped to %3A and the URL is no longer recognizable. If you encode a query value with Whole URL strength, an embedded & gets through and your value is interpreted as a new query parameter. The fix is to pick the right strength for the position the encoded string is going into. Component is safer when in doubt.
What you can do
- Encode/decode with Component (aggressive) or Whole URL (URL-safe) strength
- Handle UTF-8 multi-byte characters (é, 中, 🚀) correctly
- Get a clear error for malformed percent sequences
- Swap input ↔ output to round-trip or double-decode
- Run offline once the page is loaded — no upload, no server roundtrip
Frequently asked questions
How do I URL-encode a string online for free?
Paste the string into the Input box. The encoded version appears on the right instantly. Toggle to Decode to go the other way. Two strength modes — Component (encodeURIComponent, escapes everything) or Whole URL (encodeURI, preserves URL syntax). No account, no daily limit.
What is the difference between Component and Whole URL?
Component (encodeURIComponent) is the aggressive form — it escapes every reserved character including : / ? # & = +. Use it for query string VALUES (e.g. the q= in a search URL). Whole URL (encodeURI) leaves URL syntax characters alone, so you can encode an entire URL without breaking it. The wrong choice is a common bug: encoding a whole URL with encodeURIComponent escapes the : in https:// and makes the URL unusable.
When should I use encodeURIComponent vs encodeURI?
Use encodeURIComponent when building a single piece of a URL — a query value, a path segment, a fragment. Use encodeURI only when you have a full URL string and just want to escape unsafe characters like spaces. As a rule of thumb: if you are about to concatenate it with other URL pieces, use Component.
Does ToolChop upload my data?
No. URL encoding and decoding run entirely in your browser using the built-in encodeURIComponent / decodeURIComponent functions. Your input never leaves your device — useful when the URL contains API keys, OAuth tokens, signed S3 URLs, or other secrets that should not be sent to a third party.
Why does my decode fail with a URIError?
Three common causes. (1) A stray % not followed by two hex digits (e.g. %2 instead of %20). (2) A percent sequence that is not a valid UTF-8 byte (e.g. %E9% truncated mid-character). (3) You are trying to decode a string that was not actually URL-encoded. Fix the malformed sequence and re-run.
Does this handle Unicode characters?
Yes. JavaScript's encodeURIComponent emits the UTF-8 byte sequence as percent-encoded escapes. So 'café' encodes to caf%C3%A9 — the %C3%A9 is the two-byte UTF-8 encoding of é. Decoders reverse that correctly. If you are seeing mojibake, the original encoder probably used a different charset (Windows-1252, Latin-1) and ToolChop's UTF-8 decode will not match.
What about + signs — are they spaces?
Tricky. application/x-www-form-urlencoded (HTML form posts) uses + for space, but standard percent-encoding does not. encodeURIComponent / decodeURIComponent treat + as a literal plus, not a space. If you are decoding form data, replace + with space first, or use a dedicated form-encoding decoder.
Why is encodeURIComponent escaping characters that look safe?
encodeURIComponent escapes everything that is not in the safe set: A-Z a-z 0-9 - _ . ! ~ * ' ( ). That intentionally includes : / ? # & = +, because in a query string VALUE those characters are reserved and would break the parse. The aggressive default is the correct default — it is what makes the encode safe for any URL position.
Can I encode an OAuth redirect URL?
Yes — and you should. OAuth redirect_uri values must be URL-encoded with Component strength, otherwise the embedded scheme (https://) and query string get parsed by the auth server as part of its own URL. Paste your full redirect URL, pick Encode + Component, and the result is safe to embed in another query string.
Is there a length limit?
Only your browser's memory. Modern browsers handle URLs of a few megabytes without trouble. The encoder is fast — converting a 100 KB string takes a few milliseconds.
What does the Swap button do?
Swap copies the output into the input box and flips the direction — handy for round-tripping (encode then decode to verify) or for chaining (decode once, then decode again if the value was double-encoded, which is a common bug in webhooks that get URL-decoded twice).
Why use ToolChop instead of an online encoder that uploads my URL?
URLs you need to encode almost always contain something private: API keys in query strings, signed S3 download links, OAuth tokens, internal hostnames. Pasting them into a third-party encoder is a needless leak. ToolChop runs entirely in your browser and works offline once the page is loaded.