Base64url Encoder / Decoder
Encode text to Base64url or decode Base64url strings. Compare standard Base64 and Base64url, used in JWTs and URLs.
Where is Base64url used?
All three parts of a JWT (header, payload, signature) are encoded in Base64url.
Base64url is URL-safe because it does not use the +, / and = characters.
Base64url produces strings compatible with file systems (no / character).
Everything you need to know about Base64url encoding
Why use Base64url instead of standard Base64?
Base64url (RFC 4648 section 5) replaces + with -, / with _, and removes the = padding. These 3 character changes make the output directly safe for URLs, filenames, and query parameters without additional escaping.
JWT tokens (JSON Web Tokens) use Base64url exclusively for all 3 segments (header, payload, signature). If you work with OAuth 2.0, OpenID Connect, or any modern authentication system, you handle Base64url daily.
This tool encodes and decodes in real time, displays standard Base64 and Base64url side by side, and highlights the 3 character differences. All processing happens locally in your browser — no data is sent to any server.
Who uses this tool?
- Back-end developers
- Decode all 3 parts of a JWT to inspect the header (alg, typ) and payload (sub, iat, exp) without installing any library. Quickly verify claims before debugging an authentication issue.
- API developers
- Encode binary data (SHA-256 hashes, HMAC keys) to pass in URL parameters or HTTP headers. Base64url guarantees integrity without the escaping issues of standard Base64.
- Mobile developers
- Handle deep links and Universal Links containing encoded payloads. Base64url is compatible with iOS and Android URL schemes without double encoding.
- Security engineers
- Analyze OAuth access tokens, encoded SAML assertions, and JWK keys. The Base64/Base64url comparison helps identify common conversion errors during SSO integrations.
How does the tool work?
Select Encode or Decode mode. In encode mode, paste plain text and instantly get both the Base64url and standard Base64 results. In decode mode, paste a Base64url string and retrieve the original text.
Encoding follows RFC 4648 section 5: text is first converted to UTF-8 bytes, then Base64-encoded, and finally the Base64url substitutions are applied (+ becomes -, / becomes _, = padding is removed).
The comparison table shows both variants side by side. Each result has a copy button. There is no server-side size limit since all computation happens in your browser.
Frequently asked questions
- What is the difference between Base64 and Base64url?
- Base64url replaces + with - and / with _, and removes the = padding character. These 3 changes are defined in RFC 4648 section 5 and make the string safe for URLs and filenames without additional encoding.
- Why do JWTs use Base64url instead of Base64?
- A JWT often travels in a URL (query parameter, fragment) or in an HTTP header. The + character would be interpreted as a space, / as a path separator, and = would cause parsing issues. Base64url eliminates these ambiguities.
- Is my data sent to a server?
- No. Encoding and decoding happen entirely in your browser via JavaScript. No data is transmitted, stored, or logged on any remote server. You can use the tool offline after the initial page load.
- Is Base64url reversible? Is it encryption?
- Base64url is an encoding, not encryption. It is fully reversible and provides no security. Anyone with the encoded string can recover the original content. To protect sensitive data, use a real encryption algorithm (AES-256, for example).