URLs hide a surprising amount of meaning inside percent escapes, query parameters, fragments, and encoded payloads. That is helpful for transport, but it also makes copied links harder to judge at a glance. This tool decodes and normalizes URL-like text so you can inspect what a string actually contains before you reuse it, export it, or open it.
The workflow combines two jobs that often belong together. First, it reveals characters and values that were obscured by encoding or repeated redirects. Then it reserializes the cleaned result so the output is still usable as a link or text fragment after you remove trackers, trim noise, or normalize host and path details. That makes the bundle more of an inspection workbench than a one-way encoder.
It is practical for support tickets, campaign links, callback parameters, and suspicious snippets copied from logs or messages. A twice-encoded path such as %252F can be walked back into readable text, and a crowded query string can be reduced to the parameters that still matter. If the final result behaves like a URL, you get URL-focused views. If it remains plain text, the character and payload views still help.
Internationalized hostnames and structured payloads are where many quick inspections go wrong. A hostname may be easier to read in Unicode than in ASCII label form, and a parameter value may turn out to be JSON or Base64 text rather than an ordinary string. The workbench surfaces those cases explicitly so you do not have to guess what kind of data you are looking at.
Better visibility is not the same as trust. A cleaned link can still point somewhere unsafe, and a decoded payload can still contain sensitive or misleading content. Use the output to review destination, structure, and parameters more clearly, not to assume that the link has somehow been certified as safe.
The tool accepts a full URL, a scheme-less host and path, or plain text. As soon as input is present, the summary header shows the transformed result and flags whether the current output is being treated as a URL or as a generic component string. When URL parsing succeeds, you also get the visible origin and pathname, the current host, a query-parameter count, a payload badge when structured content is detected, and the final character length.
Each result pane answers a different question. Parameter Ledger is for keys and values after cleanup. Character Audit is for individual characters, code points, UTF-8 bytes, and RFC 3986 reserved or unreserved status. Payload Lens is for strings that turn out to contain JSON or Base64 text. QR Handoff is for copying or packaging the final result as a scannable code. JSON gives you a structured record of both inputs and outputs so the transformation can be saved and reviewed later.
The cleanup controls matter because some are cosmetic and some can change behavior. Lowercasing a host or normalizing percent-escape case usually helps comparison without changing intent. Removing empty parameters, keeping only the first or last repeated key, or stripping embedded credentials can change what a downstream application receives. That makes the workbench useful not just for beautifying a link, but for making deliberate decisions about what should remain in it.
| Pane | What it focuses on | Typical use |
|---|---|---|
| Parameter Ledger | Post-cleanup query keys and values. | Reviewing trackers, duplicates, or empty parameters before sharing a link. |
| Character Audit | Character-by-character view with code points and UTF-8 bytes. | Checking whether a suspicious glyph is a delimiter, space, or non-ASCII character. |
| Payload Lens | Structured content detected inside the final result or common parameter names. | Confirming whether a token or query value is JSON or Base64 text. |
| QR Handoff | A QR rendering of the final output when it is short enough. | Passing a cleaned result to another device without retyping it. |
Decoding is iterative rather than single pass. The workbench starts with the input string, optionally converts plus signs into spaces for form-style decoding, and then runs percent-decoding again and again until the text stops changing or the configured depth is reached. If decoding fails because the escape sequences are malformed, the routine returns control without inventing a half-decoded result. That keeps inspection conservative when the source string is already damaged.
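The loop described above can be sketched as follows. This is an added example, not the tool's own code: the function name, option names and return shape are assumptions, and on a malformed escape it returns the last cleanly decoded text.

```javascript
// Added illustration; function and option names are hypothetical, not the tool's code.
function iterativeDecode(input, { maxDepth = 5, plusAsSpace = false } = {}) {
  // Form-style decoding: '+' becomes a space BEFORE percent-decoding,
  // so an escaped %2B still comes out as a literal plus sign.
  let current = plusAsSpace ? input.replace(/\+/g, ' ') : input;
  const steps = [current]; // every intermediate form, for side-by-side review
  for (let pass = 0; pass < maxDepth; pass++) {
    let next;
    try {
      next = decodeURIComponent(current);
    } catch (err) {
      if (!(err instanceof URIError)) throw err;
      // Malformed escape: keep the last text that decoded cleanly
      // instead of emitting a partially decoded string.
      return { output: current, steps, stopped: 'malformed' };
    }
    if (next === current) return { output: current, steps, stopped: 'stable' };
    current = next;
    steps.push(current);
  }
  // Depth cap reached; more encoding layers may remain.
  return { output: current, steps, stopped: 'depth' };
}
```

A `stopped` value of `depth` is the signal to raise the limit and look again before judging the string.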
URL recognition comes next. Full URLs are parsed directly. If the text has no scheme but looks like a hostname plus optional path or query, the parser temporarily assumes an HTTPS base so it can reason about host, path, and parameters. The important detail is that this temporary assumption is for parsing only. When the original input did not carry a scheme, the final rebuilt output is written back without inventing one.
Once parsing succeeds, normalization is applied in a stable order. Scheme forcing happens first. Hostnames are then converted from ASCII label form into Unicode when possible, embedded user information can be stripped, and a fixed set of common tracker parameters can be removed. After that the tool can remove empty query values, deduplicate repeated keys by keeping the first, last, or unique values, and sort the survivors by key and then by value. Fragment removal, dot-segment cleanup, repeated-slash collapsing, host lowercasing, www. removal, trailing-slash trimming, default-port removal, and percent-escape case normalization finish the pipeline.
The query cleanup rules are deliberately mechanical. Tracker removal uses a built-in pattern list rather than a remote reputation source. Duplicate cleanup operates on the query string that exists after tracker stripping and empty-value removal. Sorting improves visual comparison but may change the visible order from the original link. These choices make the output repeatable for the same input and options, which is useful when you are comparing two links that should resolve to the same destination.
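The query steps of that pipeline, together with the parse-only HTTPS assumption for scheme-less input, look like this in an added example that is not the tool's own code. The function name, option names and the two-entry tracker list are assumptions, and host, path and port normalization are left out.

```javascript
// Added illustration; names and the tracker list are assumptions, not the tool's code.
const TRACKER_PATTERNS = [/^utm_/i, /^fbclid$/i]; // constructed subset for the example

function cleanQuery(input, { dedupe = 'last', sort = true, dropFragment = true } = {}) {
  // A scheme-less host/path gets a temporary https:// base for parsing only.
  const hadScheme = /^[a-z][a-z0-9+.-]*:\/\//i.test(input);
  let url;
  try {
    url = new URL(hadScheme ? input : 'https://' + input);
  } catch {
    return null; // not URL-shaped: the caller stays in component mode
  }
  let pairs = [...url.searchParams.entries()]
    .filter(([key]) => !TRACKER_PATTERNS.some((re) => re.test(key))) // 1. trackers
    .filter(([, value]) => value !== '');                            // 2. empty values
  // 3. Deduplicate only what survived the two filters above.
  if (dedupe === 'first' || dedupe === 'last') {
    const byKey = new Map();
    for (const [key, value] of pairs) {
      if (dedupe === 'last' || !byKey.has(key)) byKey.set(key, value);
    }
    pairs = [...byKey.entries()];
  } else if (dedupe === 'unique') {
    const seen = new Set();
    pairs = pairs.filter(([key, value]) => {
      const id = JSON.stringify([key, value]);
      return seen.has(id) ? false : (seen.add(id), true);
    });
  }
  // 4. Sort by key, then by value, so equal inputs give equal output.
  const cmp = (a, b) => (a < b ? -1 : a > b ? 1 : 0);
  if (sort) pairs.sort((a, b) => cmp(a[0], b[0]) || cmp(a[1], b[1]));
  url.search = new URLSearchParams(pairs).toString();
  if (dropFragment) url.hash = '';
  const rebuilt = url.toString();
  // Do not invent a scheme the input never carried.
  return { output: hadScheme ? rebuilt : rebuilt.slice('https://'.length), params: pairs };
}
```

Running the same link with `dedupe: 'first'` and `dedupe: 'last'` shows how a repeated key can leave two similar-looking links carrying different values.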
Character Audit is built from the final transformed output rather than the raw input. Each row records the position, display glyph, Unicode code point, UTF-8 byte sequence, and whether the character is ASCII, unreserved, or reserved under RFC 3986 terminology. Payload Lens first looks for common parameter names such as data, payload, json, q, body, and token. If those do not produce a structured result, it checks the whole output for Base64 or JSON content. QR generation is offered only when the final string is short enough, and the JSON export records the chosen options alongside the transformed result.
All of this happens in the browser session. Copy actions use local clipboard APIs, downloads are generated locally as CSV, DOCX, JSON, text, or PNG, and the Open action is enabled only when the final result parses as an http or https URL. That last point is a transport check, not a trust check.
If the Open button becomes available, use it only after you have read the visible destination. The button reflects URL shape, not destination quality.
URL mode means the current output parsed as a URL after transformation. In that case the host badge, parameter count, and Parameter Ledger are usually the most important parts of the result. Component mode means the final text stayed outside URL parsing, so Character Audit and Payload Lens carry more of the workload.
A parameter count of zero does not always mean the original string lacked a query. It can also mean tracker stripping, empty-value removal, or deduplication left no surviving entries. Likewise, a shorter output is not always a safer one. The workbench may have removed a fragment, user information, or a default port, but that only tells you what changed, not whether the destination is acceptable.
Payload detection should be read as a clue, not as a promise about meaning. If the payload view reports JSON, it means the detected text parsed as a JSON object or array. If it reports Base64 text, it means the bytes could be decoded into readable text. Either outcome helps inspection, but neither one says the content is harmless or authoritative.
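The detection order described for Payload Lens (named parameters first, then the whole output) and the meaning of a JSON or Base64 result are sketched in this added example, which is not the tool's own code. The function names, the minimum length and the "readable text" test are assumptions; only the parameter names come from the description above.

```javascript
// Added illustration; function names are hypothetical, not the tool's code.
const PAYLOAD_KEYS = ['data', 'payload', 'json', 'q', 'body', 'token']; // names listed on the page

function parseStructured(text) {
  try {
    const value = JSON.parse(text);
    return value !== null && typeof value === 'object' ? value : undefined; // objects/arrays only
  } catch {
    return undefined;
  }
}

function decodeBase64Text(text) {
  // Assumed heuristic: standard or URL-safe alphabet, at least 8 characters.
  if (text.length < 8 || !/^[A-Za-z0-9+\/_-]+={0,2}$/.test(text)) return null;
  const body = text.replace(/=+$/, '').replace(/-/g, '+').replace(/_/g, '/');
  if (body.length % 4 === 1) return null; // impossible Base64 length
  try {
    const binary = atob(body + '='.repeat((4 - (body.length % 4)) % 4));
    const bytes = Uint8Array.from(binary, (ch) => ch.charCodeAt(0));
    const decoded = new TextDecoder('utf-8', { fatal: true }).decode(bytes);
    // "Readable" here: valid UTF-8 with no control characters except tab, CR, LF.
    return /[\u0000-\u0008\u000B\u000C\u000E-\u001F\u007F]/.test(decoded) ? null : decoded;
  } catch {
    return null;
  }
}

function classify(text) {
  const direct = parseStructured(text);
  if (direct !== undefined) return { kind: 'json', value: direct };
  const decoded = decodeBase64Text(text);
  if (decoded === null) return null;
  const inner = parseStructured(decoded);
  if (inner !== undefined) return { kind: 'base64-json', text: decoded, value: inner };
  return { kind: 'base64-text', text: decoded };
}

function payloadLens(output) {
  let params = [];
  try { params = [...new URL(output).searchParams.entries()]; } catch { /* not a URL */ }
  for (const key of PAYLOAD_KEYS) {
    const hit = params.find(([name]) => name === key);
    const found = hit ? classify(hit[1]) : null;
    if (found) return { source: key, ...found };
  }
  const whole = classify(output);
  return whole ? { source: 'whole', ...whole } : null;
}
```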
Duplicate strategy is one of the few settings that can materially change application behavior. Keeping the first value, the last value, or only unique values can produce visibly similar links that a server interprets differently. When the link is part of an authentication or callback flow, compare the cleaned result against the original before forwarding it.
A campaign link copied from a newsletter might include visible percent escapes, several utm_ parameters, an fbclid, and a fragment. Turning on tracker stripping, fragment removal, and query sorting produces a shorter result that is easier to compare and share. Parameter Ledger then confirms exactly which key-value pairs remain.
A support ticket might contain a redirect target where one pass changes %252F into %2F and a second pass turns it into /. Raising decode depth makes the hidden path visible, while Character Audit shows whether any odd punctuation or non-ASCII symbols remain in the final string.
In another case, a parameter named payload might look like random text until Payload Lens reveals that it is Base64-encoded JSON. You can then copy or download the decoded payload for inspection without manually decoding the token elsewhere.
Because plus-to-space conversion is optional. It matches form-style decoding rules, but a literal plus sign can also be valid data, so the workbench does not force that interpretation unless you ask for it.
The workbench converts internationalized domain labels into readable Unicode when that conversion succeeds. That helps inspection, but it does not verify ownership or protect against look-alike domains.
Either the final output is not a URL, the original query was empty, or the cleanup options removed every surviving parameter. Compare the cleaned string with the original before assuming something went wrong.
The button is enabled only when the final result parses as an http or https URL. Plain text, other schemes, or malformed output stay inspectable but are not opened.
No. Cleaning improves readability and can remove obvious noise such as trackers or embedded credentials, but it does not authenticate the destination or evaluate what the site will do.
#, often used for in-page or client-side state.