What is URL encoding?

URL encoding (also called percent encoding) converts characters that are not allowed in URLs into a format that can be transmitted safely. Each unsafe character is replaced with a percent sign (%) followed by two hexadecimal digits representing the character ASCII code. For example, a space becomes %20, an ampersand becomes %26, and a forward slash becomes %2F. This ensures URLs work correctly across all browsers and servers.

What characters need to be URL encoded?

Characters that must be URL encoded include: spaces (%20), ampersand (%26), question mark (%3F), hash (%23), percent sign (%25), plus sign (%2B), equals sign (%3D), forward slash (%2F when in data, not path), at sign (%40), colon (%3A when in data), and all non-ASCII characters like accented letters and emoji. Letters (A-Z, a-z), digits (0-9), and four special characters (hyphen, underscore, period, tilde) never need encoding.

What is the difference between %20 and + for spaces?

Both represent a space, but in different contexts. %20 is the universal percent-encoding for a space character and works everywhere in a URL — path, query string, fragment. The plus sign (+) represents a space only inside HTML form data (application/x-www-form-urlencoded). In the URL path, + is a literal plus sign, not a space. When in doubt, use %20 — it is always correct.

What are reserved characters in URL encoding?

Reserved characters have special meaning in URLs: colon (:) separates scheme from host, forward slash (/) separates path segments, question mark (?) starts the query string, hash (#) starts the fragment, at sign (@) separates user info from host, ampersand (&) separates query parameters, equals (=) separates parameter names from values, plus (+) represents a space in form data. These must be percent-encoded when used as data values rather than delimiters.

Do I need to URL encode letters and numbers?

No. Unreserved characters — uppercase letters (A-Z), lowercase letters (a-z), digits (0-9), hyphen (-), underscore (_), period (.), and tilde (~) — are never encoded. These characters are safe to use anywhere in a URL without modification. Every other character should be encoded when used in URL data values.

What RFC defines URL encoding?

RFC 3986 (Uniform Resource Identifier: Generic Syntax) defines the current standard for URL encoding. It specifies which characters are reserved, which are unreserved, and how percent-encoding works. Earlier standards include RFC 1738 (original URL spec) and RFC 2396 (predecessor to 3986). The HTML specification separately defines application/x-www-form-urlencoded encoding, which differs slightly from RFC 3986 (notably, spaces become + instead of %20).

How do I URL encode an entire string?

Paste the string into a URL encoder tool and it will convert every unsafe character to its percent-encoded equivalent. Programmatically, use encodeURIComponent() in JavaScript, urllib.parse.quote() in Python, URLEncoder.encode() in Java, or HttpUtility.UrlEncode() in C#. These functions encode all characters except unreserved ones (letters, digits, hyphen, underscore, period, tilde).

What is double URL encoding?

Double encoding happens when an already-encoded string is encoded again. For example, a space becomes %20, then %20 gets encoded to %2520 (because the % sign is encoded to %25). This is usually a bug — it means your code is encoding data twice. The result is broken URLs where %2520 appears instead of spaces. If you see %25 in your encoded URLs, check whether you are calling the encode function more than once.

URL Encoding Cheat Sheet — Every Special Character, Code & Rule in One Place

Last updated: April 20269 min readEncode & Decode Tools

URL encoding converts unsafe characters into percent-encoded values that work in any URL. A space becomes %20, an ampersand becomes %26, and a hash becomes %23. This cheat sheet covers every character code, the encoding rules, and when you actually need to encode.

If you have ever seen %20 or %26 in a URL and wondered what it means, this is the complete reference. Every special character, its encoded value, and the rule that determines whether it needs encoding or not.

Essential URL Encoding Table — Most Common Characters

These are the characters you will encode most often. Bookmark this table:

Character	Name	URL Encoded	Notes
(space)	Space	%20	Use %20 everywhere. + works only in form data.
!	Exclamation	%21	Unreserved in RFC 3986 but some APIs require encoding
"	Double Quote	%22	Always encode in URLs
#	Hash / Pound	%23	Reserved — starts fragment. Always encode in data.
$	Dollar Sign	%24	Reserved sub-delimiter
%	Percent	%25	Always encode — otherwise looks like an encoding prefix
&	Ampersand	%26	Reserved — separates query params. Always encode in values.
'	Single Quote	%27	Encode to prevent injection issues
(	Open Paren	%28	Sub-delimiter, encode in strict contexts
)	Close Paren	%29	Sub-delimiter, encode in strict contexts
*	Asterisk	%2A	Sub-delimiter
+	Plus	%2B	Reserved in form data (means space). Encode to send literal +.
,	Comma	%2C	Sub-delimiter, often left unencoded
/	Forward Slash	%2F	Reserved path delimiter. Encode when slash is data, not path.
:	Colon	%3A	Reserved — separates scheme, port. Encode in data.
;	Semicolon	%3B	Reserved sub-delimiter
<	Less Than	%3C	Always encode — HTML injection risk
=	Equals	%3D	Reserved — separates key=value pairs. Encode in values.
>	Greater Than	%3E	Always encode — HTML injection risk
?	Question Mark	%3F	Reserved — starts query string. Encode in data.
@	At Sign	%40	Reserved — separates user@host. Encode in data.
[	Open Bracket	%5B	Reserved for IPv6 addresses
\\	Backslash	%5C	Not valid in URLs — always encode
]	Close Bracket	%5D	Reserved for IPv6 addresses
^	Caret	%5E	Unsafe — always encode
`	Backtick	%60	Unsafe — always encode
{	Open Brace	%7B	Unsafe — always encode
\|	Pipe	%7C	Unsafe — always encode
}	Close Brace	%7D	Unsafe — always encode
~	Tilde	%7E	Unreserved — never needs encoding

Characters That Never Need Encoding

RFC 3986 defines these as unreserved characters — they are safe to use anywhere in a URL without encoding:

Letters: A B C D E F G H I J K L M N O P Q R S T U V W X Y Z (uppercase and lowercase)
Digits: 0 1 2 3 4 5 6 7 8 9
Four special characters: hyphen (-), underscore (_), period (.), tilde (~)

Everything else — every other character including spaces, symbols, and non-ASCII characters — should be percent-encoded when used as data in a URL.

Reserved vs Unreserved — The Core Rule

URL encoding rules come down to one question: is this character being used as a delimiter (its reserved meaning) or as data?

Category	Characters	Rule
Unreserved	A-Z a-z 0-9 - _ . ~	Never encode. These are always safe.
Reserved (delimiters)	: / ? # [ ] @ ! $ & \' ( ) * + , ; =	Do NOT encode when used as URL structure (path separator, query marker, etc.)
Reserved (as data)	Same characters as above	MUST encode when the character appears inside a data value (query parameter value, path segment data)
Unsafe / Other	space " < > { } \| \\ ^ ` and all non-ASCII	Always encode. These characters are never valid in raw URLs.

Example: In https://example.com/search?q=tom&jerry, the & is a delimiter separating query parameters. But if the search term is literally "tom&jerry" (one value), the & must be encoded: ?q=tom%26jerry.

Non-ASCII Characters (Unicode, Emoji, Accents)

Characters outside the ASCII range — accented letters (e, u), Chinese/Japanese/Korean characters, emoji — are encoded by first converting to UTF-8 bytes, then percent-encoding each byte.

e (e-acute) → UTF-8 bytes: C3 A9 → URL encoded: %C3%A9
u (u-umlaut) → UTF-8 bytes: C3 BC → URL encoded: %C3%BC
Emoji can produce 4+ encoded segments since they are 4 bytes in UTF-8

Modern browsers display the decoded characters in the address bar for readability, but the actual HTTP request uses the percent-encoded form.

URL Encoding in Different Programming Languages

Every language handles URL encoding slightly differently. Here is the correct function to use in each:

Language	Encode Function	Encodes Spaces As	Notes
JavaScript	encodeURIComponent()	%20	Encodes everything except A-Z a-z 0-9 - _ . ! ~ * \' ( )
Python 3	urllib.parse.quote()	%20	Use quote_plus() if you need + for spaces (form encoding)
Java	URLEncoder.encode()	+ (plus)	Returns + for spaces. Replace + with %20 if needed for path encoding.
C#	HttpUtility.UrlEncode()	+ (plus)	Use Uri.EscapeDataString() for %20 instead of +
PHP	urlencode()	+ (plus)	Use rawurlencode() for %20 instead of +
Go	url.QueryEscape()	+ (plus)	Use url.PathEscape() for %20 instead of +
Ruby	CGI.escape()	+ (plus)	Use ERB::Util.url_encode() for %20

Notice the pattern: most languages default to + for spaces (form encoding). If you need %20 (path encoding), look for the "raw" or "component" variant of the function.

Common URL Encoding Mistakes

Double encoding: Encoding an already-encoded string turns %20 into %2520. If you see %25 in your URLs, you are encoding twice.
Encoding the entire URL: Only encode the data values in a URL, not the structure. https%3A%2F%2F is wrong — the :// and / are structural delimiters, not data.
Using + in the URL path: In the path portion of a URL, + is a literal plus sign, not a space. /search/hello+world means "hello+world", not "hello world". Use %20 in paths.
Forgetting to encode #: The hash character starts a URL fragment. If your data contains #, it will silently truncate the URL at that point unless encoded as %23.
Not encoding & in values: An unencoded & in a query value will be interpreted as a parameter separator, splitting your value into two broken parameters.

Pair These Tools Together

URL Encoder Decoder — encode and decode URLs instantly
HTML Entities Encoder — encode special characters for HTML
Base64 Encoder Decoder — convert data to and from Base64
JWT Decoder — decode JSON Web Tokens to inspect payloads
JSON Formatter — format and validate JSON data
Regex Tester — test patterns for extracting or matching encoded strings
Diff Checker — compare encoded vs decoded versions of a URL
Find & Replace — bulk replace encoded characters in text
Password Generator — generate passwords, then URL-encode them for API auth strings

Honest Limitations

This cheat sheet covers standard URL encoding per RFC 3986. Some APIs and platforms have additional encoding requirements — for example, OAuth 1.0 requires encoding of all characters except unreserved ones using uppercase hex digits. Amazon S3 URLs have specific encoding rules for object keys. Always check the specific API documentation for edge cases beyond the standard.

Encode or decode any URL right now — paste your text and get the result instantly.

Open URL Encoder Decoder

URL Encoding Cheat Sheet — Every Special Character, Code & Rule in One Place

Essential URL Encoding Table — Most Common Characters

Characters That Never Need Encoding

Reserved vs Unreserved — The Core Rule

Non-ASCII Characters (Unicode, Emoji, Accents)

URL Encoding in Different Programming Languages

Common URL Encoding Mistakes

Pair These Tools Together

Honest Limitations

Related Posts

Free URL Encoder Decoder

URL Encode Space: + vs %20

Best URL Encoder Tools (2026)

Free URL Encoder No Signup