Base64URL Decoder

Base64URL Decode Strings Online

Decode any base64url encoded string back to its original text with this free online tool. Base64url decode reverses the URL-safe Base64 encoding, converting strings that use hyphens and underscores back into readable plain text or binary data. Whether you are parsing JWT tokens, inspecting OAuth parameters, or debugging base64 url decode issues in your application, get accurate results instantly.

What is Base64URL Decoding

Base64URL decoding is the reverse of Base64URL encoding. It takes a string encoded with the URL-safe Base64 alphabet, where hyphens (-) replace plus signs and underscores (_) replace forward slashes, and converts it back to the original binary data or text. The format is defined in RFC 4648 Section 5 and is most commonly encountered in JSON Web Tokens, OAuth flows, and URL query parameters.

Unlike standard Base64, Base64URL encoded strings typically omit trailing padding characters (=). The decoder must account for this by calculating the expected padding from the string length. If the length modulo 4 is 2, one byte of data remains and two padding characters were omitted. If the modulo is 3, two bytes remain and one padding character was omitted. A length divisible by 4 means no padding was needed.

Base64URL decoding is functionally identical to standard Base64 decoding once the character substitutions are reversed. Many libraries handle both variants transparently, while others require you to specify which alphabet to use. The decoded output is always the exact same bytes regardless of whether the data was encoded with standard Base64 or Base64URL.

How Base64URL Decoding Works

The Base64URL decoding process first restores the standard Base64 alphabet by replacing hyphens with plus signs and underscores with forward slashes. If padding was omitted, the decoder adds the necessary equals signs to make the string length a multiple of four. From that point, the algorithm is identical to standard Base64 decoding: each group of four characters is converted to three bytes of output.

The decoder maps each character to its 6-bit index in the Base64 alphabet table. Four 6-bit values are concatenated into 24 bits, which are then split into three 8-bit bytes. For the final group, padding determines how many output bytes to produce. One padding character means two output bytes; two padding characters mean one output byte. If you need to encode data in the forward direction, our Base64URL encoding converter tool handles that transformation.

Error handling varies by implementation. Strict decoders reject strings containing characters outside the Base64URL alphabet or strings with incorrect lengths. Lenient decoders may skip invalid characters or attempt best-effort decoding. When working with JWTs, strict decoding is recommended to catch malformed tokens early in the processing pipeline.

Syntax Comparison

Here is how to decode Base64URL strings in popular programming languages:

JavaScript (Node.js): Use Buffer.from(str, "base64url").toString("utf8") for native Base64URL decoding. In browsers, replace hyphens and underscores manually, add padding, then use atob().

Python: Use base64.urlsafe_b64decode(). Note that Python's implementation requires correct padding, so you may need to add trailing equals signs: base64.urlsafe_b64decode(s + "=" * (4 - len(s) % 4)).

Java: Use Base64.getUrlDecoder().decode(str) to get a byte array. The URL decoder handles both padded and unpadded input automatically.

Common Use Cases

JWT Token Inspection: The most common use of Base64URL decoding is parsing JSON Web Tokens. Splitting a JWT on the period character and decoding the first two segments reveals the algorithm header and the claims payload. This is essential for debugging authentication flows and verifying token contents.

OAuth Parameter Parsing: OAuth 2.0 state parameters and PKCE code challenges are Base64URL encoded. Decoding these values during debugging helps verify that the correct data is being passed between the authorization server and the client application.

URL Query Parameter Extraction: When binary data or structured payloads are passed as Base64URL encoded query parameters, decoding recovers the original content for processing or display.

Cryptographic Signature Verification: Digital signatures in JWTs and other protocols are Base64URL encoded. Decoding the signature segment is necessary before performing cryptographic verification against the signed content.

Base64URL Decode Examples

Here are practical examples demonstrating Base64URL decoding:

Example 1 - JWT Payload: The string "eyJ1c2VyIjoiam9obiIsInJvbGUiOiJhZG1pbiJ9" decodes to {"user":"john","role":"admin"}. This is a typical JWT payload segment containing user claims.

Example 2 - URL with Special Characters: The string "aHR0cHM6Ly9leGFtcGxlLmNvbS9zZWFyY2g_cT10ZXN0" decodes to "https://example.com/search?q=test". Notice the underscore in the encoded string where standard Base64 would have used a slash.

Example 3 - Simple Text: The string "SGVsbG8sIFdvcmxkIQ" (no padding) decodes to "Hello, World!". The missing padding is automatically inferred by the decoder from the string length.

Example 4 - Binary Data: The string "P7__" decodes to the bytes [0x3F, 0xBF, 0xFF]. The underscores represent byte values that would produce slashes in standard Base64. For viewing raw byte values in hexadecimal, our hexadecimal encoding converter tool provides that representation.

Frequently Asked Questions

Can I use a standard Base64 decoder for Base64URL strings?

Not directly. You must first replace hyphens (-) with plus (+) and underscores (_) with slashes (/), then add padding equals signs until the length is a multiple of four. After these substitutions, any standard Base64 decoder will work correctly. Most modern libraries provide dedicated Base64URL decoding functions that handle this automatically.

Why does my Base64URL decoding produce garbled output?

Garbled output usually means the decoded bytes are being interpreted with the wrong character encoding. Base64URL decoding produces raw bytes, and those bytes must be interpreted using the same encoding that was used before the data was encoded. In most cases, this is UTF-8. Ensure your decoder converts the output bytes to a string using UTF-8 encoding. Another common cause is accidentally using a standard Base64 decoder without first converting the URL-safe characters.

How do I decode just one segment of a JWT?

Split the JWT string on the period (.) character to get three segments. The first segment is the header, the second is the payload, and the third is the signature. Base64URL decode the first or second segment to get the JSON content. The signature segment decodes to binary data that is only meaningful for cryptographic verification. For a complete JWT parsing experience, our JWT decoder tool handles all three segments automatically.

Is Base64URL decoding safe for untrusted input?

Base64URL decoding itself is safe in the sense that it only performs character mapping and bit manipulation. However, the decoded content could be malicious. Never execute decoded content as code, inject it into HTML without sanitization, or use it in SQL queries without parameterization. Always validate and sanitize decoded data before using it in security-sensitive contexts.

What is the difference between Base64URL decode and standard Base64 decode?

The only difference is the character alphabet. Base64URL uses hyphens instead of plus signs and underscores instead of slashes. It also typically omits padding. The underlying algorithm for converting characters back to bytes is identical. For standard Base64 decoding, our online Base64 decoding tool handles the traditional format with padding.

Can Base64URL encoded strings contain whitespace?

Valid Base64URL strings should not contain whitespace. Unlike MIME-formatted Base64 which may include line breaks every 76 characters, Base64URL is designed for compact representation in URLs and tokens where whitespace is not permitted. If you encounter whitespace in a Base64URL string, it was likely added during display or copy-paste and should be stripped before decoding.