URL Decode Online — Free URL Decoder

Reverse percent-encoding back to original characters. Decode %20, %26, and any %XX sequence — instantly, 100% in your browser.

Input (percent-encoded)

Output (decoded)

What is URL Decoding?

URL decoding is the inverse of percent-encoding. It scans for %XX sequences (a percent followed by two hexadecimal digits), converts each to its byte value, and assembles the bytes as UTF-8. The result is the original string that was encoded — restoring spaces, ampersands, accented letters, and any other byte that was escaped for safe URL transport.

Use this tool to read percent-encoded values from server access logs, OAuth callback URIs, browser history, analytics events, or anywhere a URL has captured user input. It runs entirely in your browser using decodeURIComponent.

How to URL decode online — 4 steps

Paste the encoded value. The Input panel accepts any percent-encoded string — a query parameter, a full URL, or a copied log line.
Click Decode. The tool runs decodeURIComponent client-side and reconstructs the original UTF-8 string.
Inspect the output. Spaces, ampersands, and Unicode characters are now visible in their original form.
Decode twice if needed. If %XX sequences remain in the output, the value was double-encoded — paste the result back and decode once more.

Side-by-side example

Encoded input

hello%20world%20%26%20friends
search%3Fq%3Dcaf%C3%A9
%7B%22id%22%3A42%7D

Decoded

hello world & friends
search?q=café
{"id":42}

Full Percent Decoding

Converts every %XX sequence back to its original byte, including multi-byte UTF-8 sequences for emoji, CJK, and accented Latin characters.

Malformed Detection

Surfaces a clear error when a percent sign is not followed by two valid hex digits — a frequent symptom of truncated or double-encoded values.

Client-Side Only

Decoding runs in JavaScript inside your browser. Tokens, sensitive query parameters, and PII never leave the page.

Common use cases

check_circleReading percent-encoded query parameters from server access logs (NGINX, Apache, ALB)
check_circleDecoding OAuth redirect URIs to inspect state, scope, and code values
check_circleInspecting analytics or tracking pixel URLs to see captured user input
check_circleRecovering original file names from Content-Disposition headers
check_circleReading browser history or bookmark URLs that contain encoded data
check_circleDecoding webhook callback parameters from third-party services
check_circleInspecting URL-encoded form submissions in DevTools or Wireshark
check_circleExtracting search queries and filters from referrer URLs

decodeURI vs decodeURIComponent

JavaScript has two decoders. decodeURI leaves structural URL delimiters encoded (it will not turn %23 back into # or %2F back into /) so the resulting string remains a valid URL. decodeURIComponent decodes everything. For reading log values, query parameters, or any single component, use decodeURIComponent — which is what this tool calls. If you specifically need to display a full URL with delimiters intact, use decodeURI instead.

Need to encode instead?

Percent-encode a value for safe URL transport, or chain with our other escape tools — all browser-side.

URL Encode JSON URL Decode All Escape Tools

Frequently Asked Questions

What does URL decoding do?

URL decoding scans the input for percent-encoded sequences (%XX where XX is two hex digits), converts each pair to a single byte, and assembles the bytes as a UTF-8 string. The result is the original characters that were encoded — spaces from %20, ampersands from %26, accented letters from multi-byte %C3%A9, and so on.

Should I paste the entire URL or just the query value?

Paste the part you want decoded. If you paste a whole URL, the structural delimiters that were never encoded (like : / ? &) come through unchanged, and only the encoded portions get decoded — that is usually what you want when reading a URL from a log. If you only need one parameter value, copy the part after the equals sign.

Why does decoding sometimes fail with URIError?

decodeURIComponent throws a URIError when it encounters a malformed sequence — a bare % not followed by two hex digits, or %XY where XY is not a valid byte for the current UTF-8 state. This usually means the value was double-decoded somewhere, was truncated, or used a non-standard encoding. Inspect the raw bytes around the offending position.

Does this decode + as a space?

No. decodeURIComponent treats + as a literal plus sign, which is correct per RFC 3986. The + as space rule belongs to application/x-www-form-urlencoded — it applies only to form bodies and the query component on some servers. If your input came from a form, replace + with space first, then decode the rest.

How are emoji and non-Latin characters reconstructed?

The decoder consumes percent sequences as bytes and parses them as UTF-8. So %F0%9F%9A%80 becomes the four-byte UTF-8 encoding of the rocket emoji, and %E4%BD%A0 becomes 你. As long as the original encoder used UTF-8 (which encodeURIComponent always does), every Unicode character round-trips perfectly.

What is double encoding and how do I unwind it?

Double encoding happens when a value is encoded twice — every original % becomes %25, so a real %20 turns into %2520. To unwind, run the decoder twice: the first pass converts %2520 to %20, the second converts %20 to a space. If you decode once and still see %XX in the output, that is the signal to decode again.

Is decoding safe — could it inject characters into my page?

Decoding produces a plain string. It cannot execute code. The risk only appears when you take that decoded string and inject it into HTML, SQL, or a shell command without escaping. Decode for display or analysis, then re-escape for whichever context you put it back into.

Does this tool send my URL to a server?

No. Decoding runs in JavaScript inside your browser. Open DevTools → Network and click Run — no requests are made. Safe for tokens, signed URLs, or any sensitive percent-encoded data.