Percent-Encoded

Decoded Text

What is the URL Decoder?

Paste a percent-encoded string into the left panel and the right panel shows the original. Under the hood it runs decodeURIComponent, which walks each %XX sequence in the input, treats those hex pairs as UTF-8 bytes, and rebuilds the original characters. So %20 becomes a space, %26 becomes &, %E2%9C%85 becomes a check mark. The reverse direction lives at the URL Encoder.

Why is decoding tricky? Because not every % in the wild is part of a valid percent-encoded sequence. A lone % followed by non-hex characters (%G1, % at end of string) is malformed and the decoder will throw a URIError: URI malformed. This page catches that and shows a friendly "Invalid encoding" message instead of a stack trace, so a corrupt paste does not break the page. The exact rules for what counts as valid live in RFC 3986 §2.1 and the WHATWG URL Standard.

Watch out for double-encoding. If you decode a string and the output STILL contains % characters (e.g. you got back Ava%2520Chen instead of Ava Chen), the value was encoded twice somewhere along the chain — usually a proxy or a framework that auto-encoded an already-encoded value. Decoding again will get you the rest of the way. Wikipedia's notes on double encoding have a good walkthrough of how this happens. Everything runs in your browser. No upload, no server, no logs.

How to Use the URL Decoder

Three steps. The page updates as you type — no Convert button.

Paste your encoded string or click Sample

Drop a percent-encoded string into the left panel. Click Sample to load a realistic example. Example input:

Ava%20Chen%20%26%20friends%3F%20customer%40shop.com%20%20100%25%20off!

Malformed input (a lone <code>%</code>, an invalid hex pair like <code>%G1</code>) will surface as an "Invalid encoding" message in the output panel — see the <a href="https://tc39.es/ecma262/#sec-decodeuricomponent-encodeduricomponent" target="_blank" rel="noopener">ECMAScript spec for decodeURIComponent</a> for the exact failure rules.

Read the decoded output

The right panel shows the decoded text. %20 becomes a space, %26 becomes &, %3F becomes ?, %40 becomes @, %25 becomes %. Updates as you type.

Copy or download

Click Copy to put the decoded text on your clipboard, or Download to save it as a .txt file. Use Clear on the input panel to start over. To go the other way, hop over to the URL Encoder.

When You'd Actually Use This

Reading what is actually in a query parameter

A URL like ?customer=Ava%20Chen&tag%5B0%5D=red is hard to scan with the percent codes still in place. Paste a single value here and you get Ava Chen or tag[0] back, which makes it obvious whether the parameter is what you expected. For breaking down a whole URL, the URL Parser does query parameters automatically.

Debugging double-encoded values

You paste Ava%2520Chen, decode once, get Ava%20Chen. That extra layer is the smoking gun — somewhere a proxy, framework, or library encoded the value a second time. Decode again to get the real string. OAuth specs are a common offender because redirect_uri values often pass through layers that each helpfully encode them again.

Inspecting webhook and analytics URLs from logs

When something fails in production, the URL in the access log is usually fully encoded — %7B%22event%22%3A%22signup%22%7D instead of the JSON the webhook actually sent. Paste it here and you get back {"event":"signup"}, which is something you can read.

Decoding a magic link or password reset URL

When a customer like Marco Rivera says "the reset link is broken", the link contains a token, an email, and a redirect target — all percent-encoded. Decoding the suspicious parameter shows whether the email is the right address, the token survived an email-client mangling, or the redirect URI got truncated.

Common Questions

What happens with malformed input like a lone % or %G1?

The native decodeURIComponent throws a URIError: URI malformed on a sequence that is not a valid %XX hex pair. This page catches that and writes "Invalid encoding: ..." into the output panel instead of crashing. The most common causes are a stray literal % that should have been %25, or a copy-paste that lost a trailing hex digit.

How do I tell if my input is double-encoded?

Decode once. If the output still has % characters in it (especially %20, %2F, %3A) and was supposed to be plain text, it was encoded twice. Decode the output of the first decode. Three rounds is rare but possible — usually means a chain of three different services each encoded the same value.

What about + signs — should they decode to spaces?

Not with decodeURIComponent — it leaves + alone. The +-as-space convention belongs to application/x-www-form-urlencoded (HTML form submissions), not general URL percent-encoding. If your input came from a form body and has + for spaces, run .replace(/\+/g, "%20") first, then decode. The WHATWG spec for application/x-www-form-urlencoded describes this two-flavour situation.

Does it round-trip Unicode and emoji correctly?

Yes. Percent-encoded multi-byte UTF-8 sequences (e.g. %E2%9C%85 for a check mark, %F0%9F%9A%80 for a rocket) decode straight back to the original characters. The only way this fails is if the encoder used a non-UTF-8 charset, which modern systems do not do.

Is the input I paste here sent anywhere?

No. Decoding runs entirely in your browser. There is no network call, no server log, nothing leaves your machine. Tokens, emails, signed URLs — all safe to paste.

How big a string can I decode here?

There is a 256 KB cap on the input. If you have hundreds of KB of percent-encoded text, you almost certainly have a payload that should be decoded server-side rather than pasted into a tool — encoded payloads that big usually indicate a misuse of URL encoding for a job that wants base64 or a request body.

Other URL & Encoding Tools

Decoding is one operation. Here's what else pairs naturally with it: