Uniform Resource Locator (URL) Decoder
Decode percent-encoded URLs or text, inspect query pairs and character bytes, remove common trackers, and preview JSON, Base64, or QR handoffs.{{ decodedIsUrl ? 'Decoded URL' : 'Decoded Text' }}
Decode status
{{ mainOutput }}
| Key | Value | Copy |
|---|---|---|
| {{ p.key }} | {{ p.value }} | |
|
No query parameters
The decoded URL has no query pairs after the current cleanup settings.
|
||
| # | Char | Code point | UTF-8 | ASCII | Unreserved | Reserved | Copy |
|---|---|---|---|---|---|---|---|
| {{ r.idx }} | {{ r.charDisplay }} | {{ r.u }} | {{ r.utf8 }} | {{ r.isASCII ? 'Yes' : 'No' }} | {{ r.isUnreserved ? 'Yes' : 'No' }} | {{ r.isReserved ? 'Yes' : 'No' }} |
Links are built from pieces that have different jobs: a scheme, a host, a path, a query string, and sometimes a fragment. Percent-encoding lets data characters move through those pieces without being mistaken for separators too early. A space may travel as %20, a slash as %2F, a question mark as %3F, and a literal percent sign as %25.
Decoding a URL is useful when a copied link comes from an email redirect, QR code, browser log, analytics campaign, API response, or support ticket. The visible string may contain a second encoded URL inside a query value, or a search phrase may be encoded twice because the percent sign itself was encoded. That is why %2520 can become %20 after one pass and a space after a later pass.
The hard part is context. In form-encoded query data, a raw + usually means a space. In a path, token, or some Base64 text, the same plus sign may be literal data. Hostnames have their own rules too. A punycode name that starts with xn-- can be displayed as Unicode for human review, but visually similar characters can still make a destination misleading.
- Reserved characters
- Characters such as
/,?,#,&, and=can separate URL components once they are decoded. - Unreserved characters
- Letters, digits, hyphen, period, underscore, and tilde normally represent data and are safer to normalize for readability.
- Nested encoding
- An encoded percent sign can hide another escape sequence, which is why some strings need more than one careful pass.
A decoded URL is still only an inspection target. The final decision should come from checking the scheme, host, path, query values, fragment, and any embedded payload before the link is opened, shared, or treated as canonical.
How to Use This Tool:
Start with the copied value exactly as you found it. Decode just enough to see the destination and data, then apply cleanup choices only when they match the reason you are reviewing the link.
- Paste a full URL, encoded URL component, or encoded text into Text or URL. The result summary will identify the output as URL mode when it can be parsed as a URL, or Text mode when it remains plain decoded text.
- Leave Decode depth at
1for the first check. Increase it one pass at a time only when the output still contains visible nested escapes such as%25,%2F, or%3D.Too many passes can turn data characters into URL separators. If the result changes shape unexpectedly, lower the depth and compare against the original string. - Turn on Treat + as space for form-style query values. Leave it off for paths, tokens, and Base64-like strings where
+may be part of the original value. - Use the URL cleanup controls after the decoded destination looks right. Strip common trackers, Allow-list parameters, Block-list parameters, Remove empty parameters, and De-duplicate parameters decide which query pairs remain.
Allow-list filtering runs before block-list filtering, tracker removal, empty-value removal, duplicate handling, and sorting, so the cleanup count reflects that order.
- Apply host and path normalization only for comparison or handoff work. Lowercase host, Remove www., Remove default port, Collapse path slashes, Trim trailing slash, and Force scheme can change how a URL is serialized.
- Open Query Parameters to inspect surviving keys, Character Audit to check code points and UTF-8 bytes, and Decoded Payload when the output looks like JSON, standard Base64, or URL-safe Base64 text.
- Copy, download, create a QR handoff, or use Open URL only after the summary, query table, character rows, and payload preview match the interpretation you expect.
Open URL is available only for decoded
httporhttpsresults, and it contacts the destination site in a new tab.
Interpreting Results:
Readable output makes hidden separators, query values, Unicode characters, and embedded text easier to inspect. It does not certify that the link is safe, that the destination is intended, or that removed parameters were harmless.
| Signal | What it means | What to check next |
|---|---|---|
| URL mode | The decoded string parsed as an absolute URL or a host-like value. | Verify scheme, host, path, query, fragment, and any userinfo before opening or sharing. |
| Text mode | The decoded string did not parse as a URL. | Use the character and payload views instead of assuming the value is broken. |
| Cleaned | One or more query pairs, duplicate keys, empty values, fragments, or normalizable URL parts were changed. | Compare the cleaned URL with the original before relying on it as a replacement. |
| Decoded Payload | JSON or readable Base64-derived text was detected. | Treat it as inspection help, not decryption, signature validation, or sender proof. |
The most important comparison is not encoded versus readable. It is original intent versus decoded structure. A link can lose tracking noise and still point to the wrong host, keep sensitive query values, or reveal a nested redirect that should not be opened.
Technical Details:
Percent-encoding represents one octet as %HH, where HH is a two-digit hexadecimal value. Decoding an unreserved character such as %7E into ~ usually preserves the same resource identity. Decoding a reserved character is different because the resulting character can become syntax.
URL decoding is therefore safer when it follows a review order: decode one layer, parse only when the text is URL-shaped, inspect component boundaries, then apply optional normalization. Query-string parsing has its own form-encoding rule where raw plus signs become spaces, while path and token text do not automatically follow that rule.
Transformation Core:
| Stage | Rule | Review consequence |
|---|---|---|
| Percent pass | Each selected pass resolves percent escapes when possible, with a limit of 1 to 12 passes. | Nested escapes can be revealed gradually instead of decoded blindly. |
| Plus handling | When enabled, raw + signs are converted to spaces before percent-decoding. |
Useful for form-encoded query values, but wrong for literal plus signs in many tokens. |
| Unicode normalization | No change is the default; NFC and NFKC are available for decoded text comparison. |
Normalization can help compare visually similar text, but it should not replace domain-name caution. |
| URL recognition | A decoded value is treated as a URL when it parses with a scheme, or when a scheme-less host-like value can be parsed for review. | Plain text skips URL cleanup and remains available for character and payload inspection. |
| Payload detection | The final decoded text is checked for JSON, standard Base64, and URL-safe Base64 that decodes to readable text. | Payload preview explains embedded data without proving authenticity or safety. |
Characters That Can Change Structure:
| Encoded form | Decoded form | Common effect |
|---|---|---|
%2F |
/ |
Can split one path segment into multiple path segments. |
%3F |
? |
Can begin a query string after the path. |
%23 |
# |
Can move following text into the fragment. |
%26 |
& |
Can split query pairs when the value is parsed again. |
%3D |
= |
Can separate a query name from a value. |
%2B |
+ |
May be literal data, unlike a raw plus sign in form-encoded input. |
Query Cleanup Order:
| Order | Operation | Detail |
|---|---|---|
| 1 | Allow-list | Keeps only named query keys when the allow-list is not empty. |
| 2 | Block-list | Removes named query keys after allow-list filtering. |
| 3 | Tracker removal | Targets utm_*, gclid, fbclid, msclkid, mc_cid, mc_eid, mkt_tok, ref, and similar campaign identifiers. |
| 4 | Empty values | Removes pairs whose value is empty, such as ref= or flag=, when selected. |
| 5 | Duplicate keys | Keeps all, keeps the first occurrence, or keeps the last occurrence using case-insensitive key comparison. |
| 6 | Sorting | Sorts by lowercase key and then lowercase value when selected. |
Rebuilt query strings are percent-encoded again so visible spaces, reserved characters, and non-ASCII text are serialized safely. Hostname display can be converted from punycode to Unicode for review, but the rest of the decoded output and exportable evidence should still be checked against the original value.
Privacy Notes:
Decoding, URL parsing, query cleanup, character auditing, payload preview, and QR generation run in the current browser session after the page loads. The value is not fetched just because it was decoded.
- Do not paste password reset links, session URLs, bearer tokens, private redirects, or customer identifiers into a shared browser session.
- Opening a decoded URL leaves the page and contacts the destination site in a new tab.
- Copy, download, DOCX, CSV, JSON, and QR outputs can preserve sensitive decoded values, so treat exported artifacts as data-bearing records.
- Tracker stripping removes known query-key patterns, not every possible analytics system or sensitive parameter.
Worked Examples:
Nested campaign link
The value https%3A%2F%2Fexample.com%2Fsearch%3Fq%3Dtea%2520kettle%26utm_source%3Dnewsletter first reveals a scheme, host, search path, q parameter, and utm_source parameter. A second pass reveals the space in tea kettle. With Strip common trackers enabled, the campaign key is removed and the cleaned URL keeps the search query.
Form value with plus signs
name=Rina+Tan&city=Kuala+Lumpur should use Treat + as space when it came from form-encoded query data. The same setting would be risky for a token such as abc+123, where the plus sign may be part of the value.
Repeated parameters
A URL ending in ?id=7&id=9&lang=en&fbclid=abc can be reviewed by enabling Strip common trackers and setting De-duplicate parameters to Keep last. The query table should keep id=9 and lang=en, while the cleanup count reflects the removed duplicate and tracker parameter.
Payload inspection
If a decoded value is a JSON object or Base64url text that decodes into readable JSON, Decoded Payload appears. Use that preview to inspect the embedded data before deciding whether the main output is a destination URL, a redirect parameter, or ordinary text.
FAQ:
Why does one pass still leave percent signs?
Nested encoding often starts with an encoded percent sign. For example, %252F becomes %2F after one pass and / after another pass. Increase Decode depth one step at a time.
Should every plus sign become a space?
No. Use Treat + as space for form-style query values. Leave it off for paths, tokens, and Base64-like strings where a plus sign can be literal data.
Does removing trackers make a URL safe?
No. Strip common trackers removes known campaign and click identifiers, but it does not verify the host, scan the destination, detect every tracking pattern, or remove every sensitive value.
Why did the query table disappear?
The decoded output may no longer parse as a URL, or the cleanup settings may have removed every query pair. Check URL mode versus Text mode, then review depth, filters, duplicate handling, and empty-parameter removal.
Can an internationalized hostname be trusted after conversion?
No. Unicode display helps human review, but it can also expose visually similar characters. Compare the visible host, the punycode form, and the surrounding context before opening or sharing the URL.
Glossary:
- Percent-encoding
- A URL encoding method where a percent sign plus two hexadecimal digits represents one byte.
- Reserved character
- A character that can separate URL components or subcomponents when decoded.
- Query parameter
- A name-value pair in the query string, usually after
?and separated from other pairs by&. - IDN
- An internationalized domain name that may appear as a punycode A-label or a Unicode display name.
- Base64url
- A URL-safe Base64 variant that commonly uses
-and_instead of+and/.
References:
- RFC 3986: Uniform Resource Identifier (URI): Generic Syntax, RFC Editor, January 2005.
- URL Standard, WHATWG.
- URLSearchParams, MDN Web Docs.
- Percent-encoding, MDN Web Docs.