What is "xn--" and why do domains start with it?

"xn--" is the ACE (ASCII-Compatible Encoding) prefix. DNS on the wire only understands ASCII letters, digits, and hyphens, so a domain like "例え.jp" cannot travel as-is. Each label with non-ASCII characters is run through the RFC 3492 Punycode algorithm — which packs the Unicode code points into ASCII — and tagged with "xn--" so resolvers know to decode it back for display. "例え" becomes "xn--r8jz45g", and the full host is "xn--r8jz45g.jp".

Why does my browser show "xn--..." instead of the pretty domain?

Browsers decode Punycode for display only when the label passes their IDN display policy. Chrome and Firefox deliberately show the raw "xn--" form when a label mixes scripts (e.g. Latin + Cyrillic) or matches a known homograph pattern, because that combination is a classic phishing trick. So a visible "xn--" in the address bar is often the browser protecting you, not a bug.

What is the homograph / look-alike phishing risk?

Many scripts contain characters that render almost identically to Latin ones — Cyrillic "а" (U+0430) looks like Latin "a", Greek "ο" like "o". An attacker can register "аpple.com" (Cyrillic a) which encodes to a totally different "xn--..." host than the real "apple.com". Decoding a suspicious "xn--" domain here reveals the real Unicode underneath so you can spot the swap. If a link claims to be a brand but decodes to mixed-script Unicode, treat it as hostile.

Does this normalize the domain the way a registrar would?

No, and that is deliberate. Registrars apply UTS-46 / Nameprep first — lowercasing, Unicode NFC normalization, and rejecting disallowed characters — before Punycode encoding. This tool is a faithful round-trip codec: it encodes exactly what you type so you can see the raw mapping. If you are about to register a name, lowercase and NFC-normalize it yourself first, then encode.

Can I convert the domain part of an email address?

Yes. Paste a full address such as "user@münchen.de" and only the part after the last "@" is converted to "user@xn--mnchen-3ya.de". Internationalized email addressing (EAI / SMTPUTF8) sometimes still needs the domain in ACE form for legacy mail servers, so this saves you splitting the address by hand.

Register a Chinese-language domain and get the xn-- form for your DNS panel

You bought "中文.中国" from a registrar but your DNS host, CDN, and TLS certificate issuer all want the ASCII form. Workflow: paste "中文.中国" into the encode direction, read back "xn--fiq228c.xn--fiqs8s", and copy it into the A-record field, the CDN origin, and the SAN list of your certificate request. The per-label breakdown confirms that both the second-level label and the ".中国" TLD encoded separately, which is exactly what the registry expects — getting one label wrong silently breaks resolution with no error message.

Investigate a suspicious link that might be a homograph attack

A phishing email links to a host shown as "xn--pple-43d.com". You can't read it by eye. Paste it into the decode direction and it resolves to "аpple.com" — with a Cyrillic "а" (U+0430), not a Latin "a". That single decoded character is your proof the link impersonates Apple. Pair the decoded Unicode with the unicode-character-inspector to confirm the exact code point, then report or block the domain. Doing this in a 100% client-side tool means you never hand the attacker's URL to a third-party server.

Send mail to an internationalized domain through a legacy SMTP relay

Your application has to deliver to "support@почта.рф" but the downstream relay predates SMTPUTF8 and rejects non-ASCII domains. Paste the full address into the encode direction; only the domain converts, giving you "support@xn--80a1acny.xn--p1ai" with the local part untouched. Drop that into the envelope recipient and the legacy relay accepts it. The email-aware split saves you from manually slicing on the "@" and accidentally encoding the local part too.

Audit a multi-level internationalized hostname before deployment

Your staging host is "测试.shop.中文.com" and you need to know which labels become xn-- and which stay ASCII before you wire up wildcard certificates and CORS allow-lists. Paste it, turn on the per-label breakdown, and you see "测试 → xn--0zwm56d", "shop → shop", "中文 → xn--fiq228c", "com → com". Now you know the exact ASCII host your origin server, CORS policy, and HSTS preload entry must use — mixing the Unicode and ASCII forms across configs is a common source of "works in Chrome, fails in curl" bugs.

Convert a batch of internationalized domains for a config file

You're migrating a whitelist of fifty internationalized vanity domains into an nginx server_name list, which must be ASCII. Paste all fifty, one per line, into the encode direction and copy the xn-- column out in one shot. Each line converts independently, and a malformed entry shows an inline error rather than poisoning the whole batch — so you fix the one bad row instead of re-running the lot.

Punycode / IDN Converter — Unicode ⇄ xn--

Unicode ⇄ Punycode for internationalized domains — münchen.de ⇄ xn--mnchen-3ya.de — per-label, email-aware, browser-only

Runs locally
Category Encoding & Crypto
Best for Checking small payloads, tokens, hashes, and encoded values quickly.

Per-label breakdown

Input domain(s)

Result

Examples

Every conversion runs as plain JavaScript inside this tab — the RFC 3492 bootstring math never calls a server, so the domains you check (including ones not yet registered) are never logged or transmitted. The shareable link encodes your input in the URL query string, so avoid sharing a link that contains a confidential brand or internal hostname.

What this tool does

A bidirectional Punycode and IDN (internationalized domain name) converter that turns Unicode hostnames into their ASCII-Compatible Encoding and back. Type a domain like "münchen.de", "例え.jp", or "中文.中国" and watch each label that contains a non-ASCII character get encoded with the RFC 3492 bootstring algorithm and prefixed with "xn--": you get "xn--mnchen-3ya.de", "xn--r8jz45g.jp", "xn--fiq228c.xn--fiqs8s". Flip the direction and any "xn--" label is decoded straight back to the Unicode you started from. Pure-ASCII labels are never touched, so "shop.münchen.de" only rewrites the middle label. The tool is email-aware — paste "张三@邮箱.中国" and only the domain after the "@" is converted, the local part stays intact. A per-label breakdown shows exactly which segment maps to which xn-- form so you can audit a multi-level domain at a glance, and multi-line input lets you batch a whole list of hosts. The full RFC 3492 algorithm (bias adaptation, surrogate-pair handling for emoji and astral characters, overflow guards) is implemented from scratch and runs entirely in your browser tab — no network call, no logging of the domains you check, which matters when you are inspecting a host that isn't registered yet or a possible phishing lookalike.

Tool details

Input: Text; The page exposes text boxes, numeric controls, file pickers, or structured inputs depending on the tool.
Output: Live result + Copy; The result area focuses on usable output, with copy, download, or preview actions when supported.
Privacy: Browser-side processing; The main tool logic does not call an external API, so inputs normally stay in the current tab.
Save / share: Shareable URL state; Key settings are encoded in the URL so another person can reopen the same setup.
Performance budget: Initial JS <= 10 KB; No WASM budget is declared, keeping the tool quick to open on mobile.
Best fit: Encoding & Crypto · Developer; Category and role tags drive related tools, internal links, and quick fit checks.

How to use

1. Input

Paste or drop your content into the tool panel.
2. Process

Click the button. All processing is local in your browser.
3. Copy / Download

Copy the result or download to disk in one click.

How Punycode / IDN Converter fits into your work

Use it for quick browser-side encoding, decoding, hashing, token checks, and share-safe transformations.

Encoding jobs

Checking small payloads, tokens, hashes, and encoded values quickly.
Preparing values for APIs, URLs, docs, or support tickets.
Avoiding account-based tools when the input might be sensitive.

Encoding checks

Do not paste live secrets unless you are comfortable with local browser handling.
Confirm whether the operation is reversible before sharing the result.
For hashes, compare the exact algorithm and casing expected by the receiver.

Good next steps

These links move the current task into a more complete workflow.

Real-world use cases

Register a Chinese-language domain and get the xn-- form for your DNS panel
You bought "中文.中国" from a registrar but your DNS host, CDN, and TLS certificate issuer all want the ASCII form. Workflow: paste "中文.中国" into the encode direction, read back "xn--fiq228c.xn--fiqs8s", and copy it into the A-record field, the CDN origin, and the SAN list of your certificate request. The per-label breakdown confirms that both the second-level label and the ".中国" TLD encoded separately, which is exactly what the registry expects — getting one label wrong silently breaks resolution with no error message.
Investigate a suspicious link that might be a homograph attack
A phishing email links to a host shown as "xn--pple-43d.com". You can't read it by eye. Paste it into the decode direction and it resolves to "аpple.com" — with a Cyrillic "а" (U+0430), not a Latin "a". That single decoded character is your proof the link impersonates Apple. Pair the decoded Unicode with the unicode-character-inspector to confirm the exact code point, then report or block the domain. Doing this in a 100% client-side tool means you never hand the attacker's URL to a third-party server.
Send mail to an internationalized domain through a legacy SMTP relay
Your application has to deliver to "support@почта.рф" but the downstream relay predates SMTPUTF8 and rejects non-ASCII domains. Paste the full address into the encode direction; only the domain converts, giving you "support@xn--80a1acny.xn--p1ai" with the local part untouched. Drop that into the envelope recipient and the legacy relay accepts it. The email-aware split saves you from manually slicing on the "@" and accidentally encoding the local part too.
Audit a multi-level internationalized hostname before deployment
Your staging host is "测试.shop.中文.com" and you need to know which labels become xn-- and which stay ASCII before you wire up wildcard certificates and CORS allow-lists. Paste it, turn on the per-label breakdown, and you see "测试 → xn--0zwm56d", "shop → shop", "中文 → xn--fiq228c", "com → com". Now you know the exact ASCII host your origin server, CORS policy, and HSTS preload entry must use — mixing the Unicode and ASCII forms across configs is a common source of "works in Chrome, fails in curl" bugs.
Convert a batch of internationalized domains for a config file
You're migrating a whitelist of fifty internationalized vanity domains into an nginx server_name list, which must be ASCII. Paste all fifty, one per line, into the encode direction and copy the xn-- column out in one shot. Each line converts independently, and a malformed entry shows an inline error rather than poisoning the whole batch — so you fix the one bad row instead of re-running the lot.

Common pitfalls

Encoding the whole domain as one string. Punycode operates per label — you must split on "." and encode each label separately. Encoding "münchen.de" as a single chunk produces garbage; the dot is a label boundary, not a character to encode. This tool always splits on "." for you.
Forgetting that "xn--" is case-insensitive but the payload after it is not arbitrary. "xn--MNCHEN-3YA" and "xn--mnchen-3ya" decode the same (DNS is case-insensitive), but flipping a single payload character yields a different or invalid domain. Always round-trip through a real codec — never hand-edit the ACE string.
Skipping UTS-46 normalization before registration. Typing "MÜNCHEN.DE" and encoding it gives a technically valid but non-canonical result; registrars lowercase and NFC-normalize first, so you may end up with a different xn-- than the one actually registered. Normalize (lowercase + NFC) before you encode for any name you intend to register.

Privacy

The entire RFC 3492 codec — encode, decode, bias adaptation, surrogate-pair handling — is plain JavaScript that runs in your browser tab. No domain you type is ever sent to a server, no analytics record which hosts you converted, and there is no logging. That matters for this tool specifically: people paste suspected phishing domains and not-yet-registered names here, and neither should leak. The one caveat is the shareable link — it encodes your current input in the URL query string, so if you paste a "share" link containing a confidential brand domain or an internal hostname into chat or email, the destination server's access log will record it. For sensitive hosts, copy the result manually instead of sharing the URL.

FAQ

Tool combos

Folks in your role tend to reach for these alongside this tool.

Developer

Browse all tools for this role

Punycode / IDN Converter — Unicode ⇄ xn--

What this tool does

Tool details

How to use

1. Input

2. Process

3. Copy / Download

How Punycode / IDN Converter fits into your work

Encoding jobs

Encoding checks

Good next steps

Real-world use cases

Register a Chinese-language domain and get the xn-- form for your DNS panel

Investigate a suspicious link that might be a homograph attack

Send mail to an internationalized domain through a legacy SMTP relay

Audit a multi-level internationalized hostname before deployment

Convert a batch of internationalized domains for a config file

Common pitfalls

Privacy

FAQ

URL Encoder / Decoder

Unicode Character Inspector

Base32 / Base58 Encoder & Decoder

HTML Entities Encoder

Base64 Encoder & Decoder

AES Text Encryptor

Affine Cipher Encoder & Decoder

Atbash Cipher

Bacon Cipher Encoder & Decoder

Base62 Encoder & Decoder

Base64 Block Deduplicator

Base64 Block Extractor