URL Decoder

Decode percent-encoded URLs and query strings back to readable text.

Encoded URL Input

Decoded Output

Hello World! Special chars: @#$%^&*()

Common Encoded Characters

%20 = Space
%21 = !
%40 = @
%23 = #
%24 = $
%26 = &
%2B = +
%3D = =

Tip: Use decodeURIComponent for query parameters and decodeURI for complete URLs where you want to preserve the URL structure characters.

What Is URL Decoding?

URL decoding, also called percent-decoding, is the process of converting a percent-encoded string back into its original, human-readable characters. When data is transmitted over the internet via URLs, special characters such as spaces, ampersands, question marks, and non-ASCII letters must be encoded to comply with the URI specification defined in RFC 3986. This encoding replaces each unsafe or reserved character with a percent sign followed by a two-digit hexadecimal number representing the character's byte value in UTF-8.

For example, a space character is encoded as %20, an at-sign becomes %40, and a hash becomes %23. The URL decoder reverses this transformation: it scans the encoded string for every percent-sequence and substitutes the corresponding character. This is essential when you receive a URL from a form submission, an API response, a browser address bar, or a server log and need to read the actual content inside it.

There are two standard JavaScript functions used for URL decoding: decodeURIComponent and decodeURI. The key difference is in what they leave untouched. decodeURIComponent decodes every percent-encoded sequence, including characters that are reserved in a URI such as /, ?, #, &, and =. This makes it the right choice for decoding individual query parameter values or path segments. decodeURI decodes everything except the characters that have special structural meaning in a full URI, preserving the integrity of the URL's scheme, host, path separators, and query delimiters. Choose decodeURI when you want to display a complete URL in a readable form without breaking its structure.

Understanding when to apply each decoding mode prevents common bugs such as splitting a query string on an ampersand that should have remained encoded, or losing path separators inside a file name. This online URL decoder calculator lets you switch between both modes instantly so you can verify decoded output before using it in your application.

How URL Percent-Encoding Works

Percent-encoding was standardized in RFC 3986 (Uniform Resource Identifiers) and earlier in RFC 2396. The mechanism is straightforward: every character that is not an unreserved character — meaning it is not a letter (A–Z, a–z), digit (0–9), hyphen, underscore, period, or tilde — may be percent-encoded. To encode a character, the browser or application takes its UTF-8 byte representation, converts each byte to uppercase hexadecimal, and prepends a percent sign.

For multi-byte characters (most non-Latin scripts, emoji, and many symbols), each byte in the UTF-8 sequence receives its own percent-encoded triplet. The Japanese character (U+65E5) encodes to %E6%97%A5 in UTF-8 — three bytes, three percent-triplets. Decoding reverses exactly this: the percent-encoded triplets are assembled back into bytes, then interpreted as UTF-8 to reconstruct the original Unicode character.

Reserved characters have special roles in URI syntax. The characters : / ? # [ ] @ ! $ & ' ( ) * + , ; = are reserved and should only be percent-encoded when they appear as data inside a component, not when they serve their structural role. decodeURIComponent decodes all of these; decodeURI leaves the ones that carry structural meaning intact.

A common misconception is that + means a space everywhere in a URL. In application/x-www-form-urlencoded (HTML form data), a plus sign does represent a space, but in general percent-encoding it does not — a space is encoded as %20. Neither JavaScript decoding function converts + to a space automatically. If you are decoding HTML form data that uses + for spaces, you must replace + with %20 before decoding, or handle the substitution separately.

URL Decoding Logic

output = decodeURIComponent(input) OR output = decodeURI(input)

Where:

  • input= Percent-encoded string (e.g., Hello%20World%21)
  • decodeURIComponent= Decodes all percent-encoded sequences including reserved URI characters
  • decodeURI= Decodes all percent-encoded sequences EXCEPT structural URI characters (: / ? # [ ] @ ! $ & ' ( ) * + , ; =)
  • output= Human-readable decoded string

decodeURI vs decodeURIComponent: Which to Use?

Choosing the correct decoding function is one of the most important decisions when working with URLs in JavaScript. Using the wrong one can silently corrupt data or throw a runtime error.

Use decodeURIComponent when you are decoding a component of a URL — that is, a single query parameter value, a path segment, a fragment, or any piece of data that appears inside the URL rather than forming the URL's own structure. For example, if a URL contains ?search=hello%20world%26more and you extract the value hello%20world%26more, you should call decodeURIComponent on it to get hello world&more. If you used decodeURI instead, the %26 would remain encoded.

Use decodeURI when you want to display a complete URL to a user in a human-friendly form without altering its navigability. A URL like https://example.com/path%20with%20spaces?q=test%3Dvalue decoded with decodeURI becomes https://example.com/path with spaces?q=test%3Dvalue — the space in the path is decoded, but %3D (an equals sign inside a query value) is left encoded because = is a reserved delimiter character.

If the encoded input contains an invalid percent sequence — such as a lone % not followed by two hex digits, or a malformed multi-byte UTF-8 sequence — both functions throw a URIError. This tool catches that error and displays the message so you know which part of your input is malformed.

Function Decodes Leaves encoded Best for
decodeURIComponent Everything Nothing Individual query values, path segments
decodeURI Non-reserved characters : / ? # [ ] @ ! $ & ' ( ) * + , ; = Full URLs for display

Common Percent-Encoded Characters Reference

When debugging encoded URLs or writing code that constructs and parses URLs manually, it helps to know the most frequently encountered percent-encoded sequences at a glance. The table below lists the characters you will see most often in query strings, form submissions, and API endpoints.

Encoded Character Name / Notes
%20spaceMost common in path segments
%21!Exclamation mark
%22"Double quote
%23#Hash / fragment identifier
%24$Dollar sign
%25%Percent sign itself
%26&Ampersand / query delimiter
%27'Single quote / apostrophe
%2B+Plus sign (not a space in RFC 3986)
%2F/Forward slash / path separator
%3A:Colon / scheme separator
%3D=Equals sign / key-value separator
%3F?Question mark / query start
%40@At sign
%5B[Left square bracket
%5D]Right square bracket

Knowing these mappings lets you quickly spot what a percent-sequence represents without running it through a decoder first, which is especially useful when reading server access logs or debugging network requests in browser DevTools.

Practical Use Cases for URL Decoding

URL decoding is not just a developer curiosity — it is a daily task for anyone who works with web data. Here are the most common real-world scenarios where an online URL decoder calculator saves time and prevents errors.

Debugging API requests: REST APIs often receive and return URLs or redirect targets inside JSON payloads. When an API error message contains a percent-encoded URL, pasting it into a URL decoder immediately reveals the actual target, helping you trace where a redirect chain went wrong.

Reading email marketing links: Email campaign links are heavily encoded with tracking parameters. The raw link in an email source can look like https://click.example.com%2Fcampaign%3Fid%3D12345%26source%3Dnewsletter. Decoding it shows you the real destination and all tracking parameters in plain text.

Parsing server logs: Web server access logs (Apache, Nginx) record the raw request URI, which includes percent-encoded paths and query strings. Decoding these entries makes it practical to read log files and understand what pages and parameters were actually requested.

Working with OAuth and SSO: OAuth 2.0 and SAML flows pass encoded tokens, redirect URIs, and state parameters in query strings. Decoding these values is essential for debugging authentication failures or inspecting the claims inside a redirect.

Handling internationalized content: URLs containing non-ASCII characters — such as search queries in Chinese, Arabic, or accented European languages — are transmitted as percent-encoded UTF-8. A URL decoder renders them back into legible text so you can verify that the correct content is being requested.

Form data analysis: HTML forms submitted with method="GET" append field values as percent-encoded query parameters. Decoding the query string lets you read the exact user input that was submitted, which is invaluable for QA testing and analytics validation.

URL Encoding and Security Considerations

URL encoding and decoding intersect with web security in important ways. Understanding these relationships helps developers avoid vulnerabilities and recognize attack patterns.

Double encoding: An attacker may encode a character twice — for example, encoding the percent sign itself so that %2F (a slash) becomes %252F. If a server decodes the URL once, it sees %2F (still encoded) and may pass it through security checks. A second decode then produces the slash. Web application firewalls and input validators must normalize URLs fully before comparing against blocklists. When you decode a string and it still contains percent-sequences, decode it again to check for double encoding.

Path traversal: The sequence ../ can be percent-encoded as %2E%2E%2F or ..%2F to attempt directory traversal attacks. Servers that naively concatenate decoded path segments without normalizing .. references may expose files outside the intended web root. Always normalize the resolved path after decoding.

Open redirect vulnerabilities: When a URL is passed as a query parameter (e.g., ?next=https%3A%2F%2Fattacker.com), the server or client must decode and validate it before redirecting. Failing to decode before validation means a blacklist check on the literal percent-encoded string can be bypassed.

Safe usage of this tool: This URL decoder runs entirely in your browser — no data is sent to a server. You can safely paste sensitive tokens, session parameters, and internal API URLs without transmitting them to a third party.

Worked Examples

Decode a Query String Parameter

Problem:

A search engine returns the URL parameter value: search=Hello%20World%21%20How%20are%20you%3F — decode the value using decodeURIComponent.

Solution Steps:

  1. 1Identify the encoded value: Hello%20World%21%20How%20are%20you%3F
  2. 2Apply decodeURIComponent: each %20 becomes a space, %21 becomes !, and %3F becomes ?
  3. 3Result: Hello World! How are you?

Result:

Hello World! How are you?

Decode a Full URL for Display

Problem:

A server log contains the encoded URL: https%3A%2F%2Fexample.com%2Fpath%20with%20spaces%3Fq%3Dtest — use decodeURI to make it readable while keeping its structure.

Solution Steps:

  1. 1The full encoded string is: https%3A%2F%2Fexample.com%2Fpath%2520with%2520spaces%3Fq%3Dtest
  2. 2With decodeURI, reserved characters like %3A (:), %2F (/), and %3F (?) remain encoded because they are structural. Only non-reserved percent sequences are decoded.
  3. 3Alternatively, if using decodeURIComponent on the value portion only (path%20with%20spaces), each %20 becomes a space: path with spaces

Result:

path with spaces (when decoding the path segment with decodeURIComponent)

Decode Special Characters in an API Callback

Problem:

An OAuth callback URL contains: redirect_uri=https%3A%2F%2Fapp.example.com%2Fcallback%3Fstate%3Dabc%26code%3D12345 — decode it with decodeURIComponent to read the redirect target.

Solution Steps:

  1. 1Input: https%3A%2F%2Fapp.example.com%2Fcallback%3Fstate%3Dabc%26code%3D12345
  2. 2decodeURIComponent converts: %3A → :, %2F → /, %3F → ?, %3D → =, %26 → &
  3. 3Decoded output: https://app.example.com/callback?state=abc&code=12345

Result:

https://app.example.com/callback?state=abc&code=12345

Decode an Internationalized Search Query

Problem:

A URL contains a Japanese search term: q=%E6%97%A5%E6%9C%AC%E8%AA%9E — decode it to reveal the original characters.

Solution Steps:

  1. 1Input: %E6%97%A5%E6%9C%AC%E8%AA%9E
  2. 2Each three-byte group (%E6%97%A5, %E6%9C%AC, %E8%AA%9E) is a UTF-8 encoded Japanese character
  3. 3decodeURIComponent reconstructs the UTF-8 bytes and interprets them as Unicode

Result:

日本語 (the Japanese word for 'Japanese language')

Tips & Best Practices

  • Use decodeURIComponent for query parameter values and decodeURI for complete URLs to avoid breaking URL structure.
  • If decoding throws a URIError, check for lone % signs in the input and replace them with %25 first.
  • Double-encoded URLs (e.g., %2520) require two decode passes — run the decoder twice to fully unwrap.
  • Remember that + is not a space in standard percent-decoding; replace + with %20 before decoding HTML form data.
  • Copy the raw URL from your browser's address bar (not from a rendered anchor) to get the true percent-encoded version.
  • Use your browser DevTools Network tab to find the exact encoded URL sent in a request, then paste it here to decode.
  • When parsing query strings in code, prefer a dedicated URL API (like the browser's URLSearchParams) over manual decoding to handle edge cases automatically.
  • After decoding, verify that the result contains no remaining %XX sequences — if it does, the input may have been double-encoded.

Frequently Asked Questions

decodeURIComponent decodes every percent-encoded sequence in the string, including characters that are reserved in URI syntax such as /, ?, #, &, and =. decodeURI decodes everything except those reserved characters, so the structural parts of a URL remain intact. Use decodeURIComponent for individual query parameter values or path segments, and decodeURI for complete URLs that you want to display in a human-friendly form without breaking their navigability.
Not in standard percent-decoding per RFC 3986. The percent-encoded space is %20. However, in application/x-www-form-urlencoded data — the format used when an HTML form is submitted with GET — a literal plus sign (+) represents a space. Neither decodeURI nor decodeURIComponent converts + to a space automatically. If you are decoding HTML form data, you should replace all + characters with %20 before calling the decode function, or use a dedicated query-string parser that handles this substitution.
A URIError is thrown when the input contains a malformed percent-encoded sequence. Common causes include a lone percent sign not followed by two hexadecimal digits (e.g., 50% off), a percent sequence whose bytes form an invalid UTF-8 sequence, or text that was not actually percent-encoded being passed to the decoder. Check your input for standalone % characters and replace any unintended ones with %25 before decoding.
This URL decoder runs entirely in your browser using JavaScript — the input you enter is never transmitted to any server. You can safely decode URLs containing tokens, passwords, session identifiers, and other sensitive data without the risk of network interception. However, you should still be mindful of shoulder-surfing and browser history if you are working in a shared or public environment.
Yes, but you must decode it multiple times — once for each encoding pass. Double-encoded URLs look like %2520 (which is %25 = % followed by 20, giving %20 after the first decode, and then a space after the second decode). Paste the output back into the input field and decode again to handle double-encoded strings. Keep repeating until no percent-encoded sequences remain.
RFC 3986 defines unreserved characters that are always safe and never need encoding: the 26 uppercase and 26 lowercase English letters (A–Z, a–z), the digits 0–9, the hyphen (-), underscore (_), period (.), and tilde (~). Any character outside this set should be percent-encoded when used as data inside a URL component. Reserved characters (like /, ?, #, &) are safe in their structural positions but must be encoded when they appear as literal data values.
Non-ASCII characters are first converted to their UTF-8 byte representation, then each byte is percent-encoded individually. For example, a single Chinese character may produce three percent-encoded triplets because its UTF-8 encoding uses three bytes. decodeURIComponent reverses this exactly: it reads the percent-encoded byte sequence, assembles the bytes, and interprets them as UTF-8 to reconstruct the original Unicode character. This is why modern URL decoding correctly handles all languages.

Sources & References

Last updated: 2026-06-05

💡

Help us improve!

How would you rate the URL Decoder?

<>

Editorial Note

MyCalcBuddy Editorial Team

This page is maintained as an educational calculator reference.

Source

Formula Source: Standard Mathematical References

by Various

UpdatedLast reviewed: May 2026
CheckedFormula checks are based on standard references and internal QA review.