
Base64URL Encoder & Decoder

Encode and decode Base64URL strings for JWT, URLs, and web-safe data. Convert between text, standard Base64, and URL-safe Base64URL — output contains no +, / or = characters.


What Is Base64URL?

Base64URL is defined in RFC 4648 §5. It uses the same 64-character encoding as standard Base64, but replaces two characters so the output is safe for use in URLs and filenames without percent-encoding.

The padding character (=) is optional — most Base64URL implementations (including JWT) omit it entirely, since the correct padding can always be inferred from the string length.

Standard Base64 | Base64URL | Reason
+               | -         | + is treated as a space in query strings
/               | _         | / is a path separator in URLs
= (padding)     | omitted   | = is a key-value delimiter in query strings

JavaScript — Converting Between Base64 and Base64URL

// Text → Base64URL
function textToBase64Url(text) {
  const bytes = new TextEncoder().encode(text)
  let binary = ''
  bytes.forEach(b => binary += String.fromCharCode(b))
  return btoa(binary)
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=/g, '')
}

// Base64URL → Text
function base64UrlToText(b64url) {
  const b64 = b64url
    .replace(/-/g, '+')
    .replace(/_/g, '/')
  const pad = b64.length % 4
  const padded = pad ? b64 + '='.repeat(4 - pad) : b64
  const binary = atob(padded)
  const bytes = Uint8Array.from(binary, c => c.charCodeAt(0))
  return new TextDecoder().decode(bytes)
}

// Base64 → Base64URL
const toB64Url = b64 =>
  b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '')
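
The atob-based decoder above is forgiving: it also accepts + and /, and it ignores unused trailing bits, so more than one string can decode to the same bytes. The following strict decoder is an added example, not code from the original page; strictBase64UrlDecode and its error messages are illustrative names. It accepts only the unpadded RFC 4648 §5 form and rejects lengths from which no padding can be inferred.

```javascript
// Added example: strict, canonical Base64URL decoding (names are illustrative).
const ALPHABET =
  'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_'

function strictBase64UrlDecode(input) {
  if (typeof input !== 'string') throw new TypeError('expected a string')
  // Unpadded Base64URL only: '+', '/', '=' and whitespace are rejected.
  if (!/^[A-Za-z0-9_-]*$/.test(input)) throw new Error('invalid character')
  // A single leftover character carries 6 bits, which is less than one byte,
  // so a length of 4n + 1 can never be produced by an encoder.
  if (input.length % 4 === 1) throw new Error('impossible length')

  const out = new Uint8Array(Math.floor(input.length * 6 / 8))
  let acc = 0   // bit accumulator
  let bits = 0  // number of valid bits currently held in acc
  let n = 0     // bytes written so far
  for (const ch of input) {
    acc = (acc << 6) | ALPHABET.indexOf(ch)
    bits += 6
    if (bits >= 8) {
      bits -= 8
      out[n++] = (acc >> bits) & 0xff
      acc &= (1 << bits) - 1 // keep only the bits not yet emitted
    }
  }
  // Leftover bits must be zero; otherwise the string is a second spelling
  // of the same bytes (for example 'SGl' next to the canonical 'SGk').
  if (acc !== 0) throw new Error('non-canonical trailing bits')
  return out
}
```

Rejecting non-canonical input matters wherever the encoded string itself is compared, cached or logged, because two different strings would otherwise stand for the same token bytes.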

Why JWT Uses Base64URL

JWTs (JSON Web Tokens) are commonly transmitted in three places: the Authorization HTTP header, URL query parameters, or a Cookie. In all three contexts, standard Base64 characters cause problems:

  • + is parsed as a space in query strings
  • / is treated as a path segment separator in URLs
  • = is used as a key-value delimiter in query strings

Base64URL avoids all three issues. JWT tokens — even those that would contain + or / in standard Base64 — can be placed anywhere in a URL or header without any additional encoding.

JWT Structure

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
          ↑ header (Base64URL)
.eyJzdWIiOiIxMjM0NTY3ODkwIn0
          ↑ payload (Base64URL JSON)
.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
          ↑ signature (Base64URL)

Decoding the Payload in JavaScript

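const token = 'eyJ...SflK...'
const [, payload] = token.split('.')

// Add padding back, then decode
const b64 = payload.replace(/-/g,'+').replace(/_/g,'/')
const pad = b64.length % 4
const padded = pad ? b64 + '='.repeat(4 - pad) : b64

// atob() returns one character per byte; decode those bytes as UTF-8
// so that non-ASCII claim values are not mangled
const bytes = Uint8Array.from(atob(padded), c => c.charCodeAt(0))
const json = JSON.parse(new TextDecoder().decode(bytes))
// → { sub: '1234567890', ... }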

Never trust a decoded JWT payload until the signature is verified on the server. Decoding is a public operation — anyone can read the payload. The signature is what proves the token was issued by a trusted server.
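
What that server-side check looks like for an HS256 token, as an added example that is not part of the original page. It assumes Node.js and a shared secret; verifyHs256, makeToken and hmacSha256 are illustrative names, and makeToken exists only to construct a demo token so the example runs offline.

```javascript
// Added example: verify an HS256 JWT before reading its payload (Node.js).
const nodeCrypto = require('node:crypto')

const B64URL = /^[A-Za-z0-9_-]+$/ // RFC 4648 §5 alphabet, no padding

function hmacSha256(signingInput, secret) {
  return nodeCrypto.createHmac('sha256', secret).update(signingInput).digest()
}

// Constructed helper: issues a demo token with the given payload.
function makeToken(payload, secret) {
  const enc = obj => Buffer.from(JSON.stringify(obj)).toString('base64url')
  const input = `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}`
  return `${input}.${hmacSha256(input, secret).toString('base64url')}`
}

// Returns the payload object when the signature is valid, otherwise null.
function verifyHs256(token, secret) {
  const parts = String(token).split('.')
  if (parts.length !== 3 || !parts.every(p => B64URL.test(p))) return null
  const [h, p, s] = parts

  let header
  try { header = JSON.parse(Buffer.from(h, 'base64url').toString('utf8')) }
  catch { return null }
  // Pin the algorithm on the server; the token does not get to choose it.
  if (!header || header.alg !== 'HS256') return null

  // The signature covers the encoded header and payload exactly as received.
  const expected = hmacSha256(`${h}.${p}`, secret)
  const given = Buffer.from(s, 'base64url')
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length) return null
  if (!nodeCrypto.timingSafeEqual(given, expected)) return null

  // Only now is the payload parsed and handed to the caller.
  try { return JSON.parse(Buffer.from(p, 'base64url').toString('utf8')) }
  catch { return null }
}
```

A production verifier would also check the exp, nbf, iss and aud claims after the signature passes.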

Where Base64URL Is Used

JWT Tokens

JSON Web Tokens use Base64URL for all three segments — header, payload, and signature. Defined in RFC 7519.

OAuth 2.0 PKCE

The code_verifier and code_challenge in PKCE flows are Base64URL-encoded. The challenge is the Base64URL-encoded SHA-256 hash of the verifier.

URL-safe state params

OAuth state, CSRF tokens, and opaque identifiers are often Base64URL-encoded so they can be passed in redirect URLs without extra escaping.

Web Crypto API

SubtleCrypto returns ArrayBuffers. Base64URL is the standard way to serialize keys and signatures for storage or transmission.

WebAuthn / Passkeys

The Web Authentication API uses Base64URL to encode credential IDs, authenticator data, and attestation objects.

File IDs and Tokens

Many APIs generate random-byte tokens (session tokens, upload IDs) and return them as Base64URL strings so they are safe for use in URLs.

Frequently Asked Questions

What is Base64URL?

Base64URL is a variant of standard Base64 that is safe for use in URLs and filenames. It replaces + with -, / with _, and removes the = padding character. The character set is the same as Base64, except those three characters that have special meaning in URLs (+, /, =) are replaced or removed.

Why does JWT use Base64URL?

JWTs (JSON Web Tokens) are transmitted in HTTP headers, URL parameters, and Cookies — contexts where the + and / characters of standard Base64 would be misinterpreted or require percent-encoding. Base64URL uses - and _ instead to avoid this. JWT also omits the padding (=) to keep tokens as compact as possible.

Can I use standard Base64 in a JWT?

No. The JWT specification requires Base64URL encoding as defined in RFC 4648 §5. Implementations that expect JWTs will reject tokens encoded with standard Base64. The distinction matters: any token segment containing + or / would break URL parsing.

Is Base64URL lossless?

Yes. The conversion between Base64 and Base64URL is fully reversible. Replacing + with - and / with _ is a one-to-one substitution — no information is lost. Removing the padding is also reversible, because the correct padding length can always be derived from the string length.

What is the difference between Base64URL and URL encoding?

They solve different problems. Base64URL uses 64 characters to turn binary data into a URL-safe text representation. URL encoding (percent-encoding) escapes individual characters that are unsafe in URLs — for example, a space becomes %20. Use Base64URL when carrying binary data in a URL parameter; use URL encoding when escaping user-input text in a query string.

How do I decode a JWT payload?

A JWT has three dot-separated parts: header.payload.signature. Each part is Base64URL-encoded. To read the payload, take the second segment and decode it as Base64URL — it is a JSON object. Important: decoding the payload does not verify the signature. Always verify the signature on the server before trusting any data in the JWT.
