A URL packed with %20s and %3Ds is precise for machines and unreadable for people. This tool decodes that percent-encoded text back into its original, human-readable form.
Undoing an encoding built for structural safety, not obfuscation
Percent-encoding exists purely to let URLs safely carry data that would otherwise conflict with the URL syntax's own reserved characters — it's not intended as any form of security or obfuscation, and decoding it back to readable text requires no special knowledge beyond the publicly documented encoding rules defined in RFC 3986. Anyone who has copied a URL from a browser's address bar and noticed a long string of percent signs and hex digits where a search term or filename should be has run into exactly the situation this tool reverses.
How decoding works
The tool scans your input for percent-encoded sequences (a % followed by two hexadecimal digits), converts each sequence back into its corresponding byte value, and reassembles those bytes — decoding any multi-byte UTF-8 sequences back into their original non-ASCII characters — while leaving any characters that were never encoded (regular letters, digits, and the URL-safe punctuation) unchanged.
Where decoding URLs is genuinely useful
- Reading query parameters in server logs — web server access logs record the raw, encoded URL exactly as requested, and decoding it makes search terms, filenames or other user-submitted data readable for debugging or analytics review.
- Debugging broken links or redirects — understanding exactly what data a malformed or unexpectedly encoded URL actually contains is often the fastest way to diagnose why a link or redirect isn't behaving as expected.
- Extracting readable data from a shared or copied URL — links copied from search engines, social media or email often contain heavily encoded tracking parameters or search terms that are far easier to review once decoded.
- Security review and log analysis — security analysts frequently need to decode URL-encoded data in access logs or intercepted requests to understand exactly what was being submitted, including potentially malicious payloads.
Frequently asked questions
Is decoding a URL a security risk? No — decoding simply reveals what a URL already contains in a more readable form; it doesn't execute anything or grant any additional access, though the decoded content itself (if it came from an untrusted source) should still be handled carefully before being used elsewhere, like in a database query or displayed on a page.
Why does a + sometimes decode to a space and sometimes stay literal? Context matters — within a URL's query string, a + conventionally represents an encoded space (a legacy convention from HTML form submissions), while outside the query string, or in some stricter decoding contexts, a literal + character is left as-is, which is why URL decoding tools sometimes offer both interpretations.
Can decoding fail or produce garbled text? Yes, if the input contains malformed percent-encoding (like a stray % not followed by valid hex digits) or if multi-byte UTF-8 sequences were encoded incorrectly or incompletely, in which case the decoder either reports an error or, depending on implementation, produces replacement characters for the unparseable portion.
Further reading
RFC 3986 — Uniform Resource Identifier (URI): Generic Syntax — The standard defining exactly how percent-encoded sequences should be interpreted.
MDN — Percent-encoding — Reference for decoding behavior and edge cases in URL-encoded data.