Which characters are left unencoded?

RFC 3986 defines the unreserved set as A-Z, a-z, 0-9 and the four marks hyphen, period, underscore, and tilde. Everything else, including spaces and reserved punctuation, is percent-encoded so the result is safe in any URL position.

How are non-ASCII characters handled?

Each character is first encoded to UTF-8 bytes, then every byte becomes a %XX escape. So a single emoji can expand to four escapes such as %F0%9F%98%80. Decoding reverses this and reassembles the original UTF-8 text.

Is this the same as encodeURIComponent?

It matches encodeURIComponent for the unreserved set but is slightly stricter: characters like the exclamation mark and asterisk that older browsers leave alone are also encoded, giving you the full RFC 3986 component-safe form.

Why are the hex digits uppercase?

RFC 3986 recommends uppercase hexadecimal in percent-escapes for consistency, so %2F is preferred over %2f. Decoders accept either case, but emitting uppercase keeps output canonical and comparable.

Can I decode a malformed string?

If a percent sign is not followed by two valid hex digits, the decode is invalid and the tool reports an error rather than guessing. Fix the stray percent sign or escape it as %25 and try again.

Percent / URL Encoding

Percent-encoding is how arbitrary text and bytes are made safe to carry inside a URL. This tool converts any string into RFC 3986 %XX escapes and back again, handling full Unicode through UTF-8 so the round trip is always lossless.

How it works

Encoding walks the UTF-8 bytes of your input. Any byte whose character is in the unreserved set is emitted as-is; every other byte becomes a percent sign followed by its two-digit uppercase hex value:

unreserved = A-Z a-z 0-9 - . _ ~
"a b!" -> "a%20b%21"
"é"    -> "%C3%A9"   (two UTF-8 bytes)

Decoding scans for a % followed by exactly two hex digits, collects those raw bytes, then re-interprets the byte stream as UTF-8 to rebuild the original text.

Example and notes

The string name=José & co encodes to name%3DJos%C3%A9%20%26%20co. Note that the reserved characters =, &, and the space are all escaped, which is exactly what you want when placing a value inside a single query parameter. If you only need to protect a whole URL’s structure rather than one component, fewer characters need escaping, but encoding the full component set is always safe.