Guides

URL Decoding Explained: How to Read %20 and Percent Codes

Desmond OkaforΒ·Β·7 min read

Ever copied a link and found it stuffed with %20, %2F, and %3D β€” a wall of percent signs where readable words should be? That string is URL-encoded, and URL decoding is how you turn it back into something a person can read. Here's the reassuring part: the codes aren't random. They're a fixed substitution table, the same way a decoder ring maps each symbol to exactly one letter. Once you know how the table works, you can read most of a URL by eye and reach for a decoder for the rest.

What URL decoding actually is

URL decoding is the reverse of percent-encoding. When text is put into a URL, unsafe or reserved characters get replaced with a % followed by two hexadecimal digits that spell out the character's byte value β€” a space becomes %20. Decoding walks back the other way: it finds each %XX and swaps it for the character it stands for. If you want the full picture of the forward direction first, our primer on what URL encoding is covers why the encoding exists at all.

Think of it like a decoder ring. Encoding scrambles each character into a code; decoding is looking that code back up in the same table. There's no guessing involved β€” every %XX has exactly one meaning.

Reading a percent code in three steps

Every encoded character follows the same shape, so you can decode one by hand every time:

  1. Find the %. Each percent sign marks the start of one encoded byte.
  2. Read the two hex digits right after it. Hex uses 0–9 and A–F.
  3. Look up that value as a character. %20 is hex 20, which is 32 in decimal β€” the ASCII code for a space.

So Hello%20World decodes to Hello World, and path%2Fto%2Ffile decodes to path/to/file. Do it a few times and the common codes start to stick.

The percent codes you'll actually see

A handful of codes cover the vast majority of real URLs. Keep this table handy:

Character Code
space %20
! %21
" %22
# %23
% %25
& %26
' %27
+ %2B
, %2C
/ %2F
: %3A
= %3D
? %3F
@ %40

Notice %25 is the percent sign itself β€” that one matters in a moment.

Why one character sometimes becomes several codes

ASCII characters map to a single byte, so they decode to a single %XX. Non-English letters, accents, and emoji don't. They're stored as UTF-8, which uses two to four bytes per character, and each byte gets its own percent code. That's why Γ© shows up as %C3%A9 and a single emoji can span four codes.

The practical takeaway: decoding by hand works fine for plain ASCII, but the moment you hit multibyte sequences you want a tool that reassembles the bytes as UTF-8. Decode each byte in isolation and you get mojibake instead of the real character.

The double-encoding trap

Here's the one that trips people up. If you decode a URL and still see %20 β€” often written as %2520 before you start β€” the value was encoded twice. Remember that %25 is an encoded %, so %2520 is really %20 that got run through an encoder a second time.

Decoding once turns %2520 into %20; decoding twice gets you the space. But the fix isn't to decode twice forever β€” it's to find where the value is being encoded a second time and stop it. A quick way to check is to paste the string into the URL Decoder and count how many passes it takes to reach clean text. If it needs two, something upstream is double-encoding. This is closely related to mixing up encoding contexts, which we cover in URL encoding vs HTML encoding.

How to decode a URL quickly

Pick the method that matches the job:

  • By hand for a code or two β€” use the table above.
  • In code, every language ships a helper. In JavaScript, decodeURIComponent("Hello%20World") returns Hello World; in Python, urllib.parse.unquote does the same.
  • Online, paste the string into the URL Decoder β€” it decodes the whole thing locally in your browser, UTF-8 and all. To then split a decoded query string into its individual key–value pairs, hand it to the URL Query Parser.

One caution: not everything that looks encoded is percent-encoded. A token that starts with eyJ is Base64url, not a URL β€” decode that with the JWT Decoder instead, or you'll just mangle it.

The takeaway

URL decoding feels cryptic until you see it for what it is: a fixed lookup table you read three steps at a time. Find the %, read the two hex digits, swap in the character. Watch for UTF-8 sequences that span several codes and for the double-encoding tell of %2520, and you'll rarely be stumped by a link again. When a string is longer than you want to decode by eye, the URL Decoder does the whole job in one pass β€” and if you're fuzzy on how the codes got there in the first place, start with what URL encoding is.

Try the tools

Frequently Asked Questions

What does %20 mean in a URL?

%20 is the percent-encoded form of a space. A URL cannot contain a raw space, so decoding turns %20 β€” and codes like %2F (a slash) or %3D (an equals sign) β€” back into the original character.

How do I decode a URL?

Replace each %XX with the character its two hex digits represent (%20 is a space, %2F a slash, and so on). For anything longer than a code or two, paste the string into a URL decoder, which reverses the whole thing at once.

Why does decoding sometimes take two passes?

If one decode pass leaves you with %20 still visible (often shown as %2520), the URL was encoded twice. Decode again to get clean text β€” but the real fix is to stop the double-encoding upstream, not to decode twice every time.

Is + the same as %20 when decoding?

Inside the query string of a form-encoded URL, a + decodes to a space. Anywhere else in a URL, a + is a literal plus sign. Context decides, which is why %20 is the safer, unambiguous encoding for a space.

Why did my decoded text turn into gibberish?

That's mojibake β€” usually a UTF-8 sequence like %C3%A9 (Γ©) decoded as if each byte were a separate Latin-1 character. Decode the percent codes as UTF-8 bytes, not one at a time, and the accented or non-English characters come back correctly.

DO

Desmond Okafor writes for CodeUtilityKit, where the team builds free, privacy-first developer tools that run entirely in your browser. Every guide is written and reviewed by developers who use these tools daily.