Base64URL Encoder

Base64URL Encode Text Online

Convert any text to base64url encoded format instantly with this free online tool. Base64url encode transforms your input into a URL-safe Base64 variant that replaces problematic characters with alternatives suitable for URLs, filenames, and query parameters. Paste your text and get a base64 url safe encoded string without worrying about special character conflicts.

What is Base64URL Encoding

Base64URL is a variant of standard Base64 encoding defined in RFC 4648 Section 5. It was created to solve a specific problem: standard Base64 output contains the characters plus (+), forward slash (/), and equals (=), all of which have special meanings in URLs and file systems. Base64URL replaces plus with hyphen (-), forward slash with underscore (_), and typically omits the padding equals signs entirely.

This URL-safe alphabet makes Base64URL ideal for embedding encoded data directly in URL path segments, query parameters, fragment identifiers, and filenames without requiring additional percent encoding. The encoding is used extensively in modern web standards, most notably in JSON Web Tokens where all three segments (header, payload, and signature) are Base64URL encoded before being concatenated with periods.

Apart from the character substitutions and padding behavior, Base64URL follows the exact same algorithm as standard Base64. The input is processed in three-byte groups, split into four 6-bit segments, and each segment is mapped to a character in the modified alphabet. The 33 percent size overhead is identical to standard Base64.

How Base64URL Encoding Works

Base64URL encoding follows the same core algorithm as standard Base64 but with two key modifications to the output alphabet. The encoding process reads input data in groups of three bytes (24 bits), divides each group into four 6-bit values, and maps each value to a character. Where standard Base64 uses plus (+) for index 62 and slash (/) for index 63, Base64URL uses hyphen (-) and underscore (_) respectively. Additionally, the trailing padding characters (=) are usually omitted since the decoder can infer the original data length from the encoded string length.

For example, encoding the string "Hello?" with standard Base64 produces "SGVsbG8/" because the question mark maps to a 6-bit value that corresponds to the slash character. With Base64URL, the same input produces "SGVsbG8_" using an underscore instead. This subtle difference prevents the slash from being interpreted as a URL path separator. When you need standard Base64 with padding, our online Base64 encoding tool provides the traditional format.

The relationship between Base64URL and standard Base64 is purely a character mapping difference. You can convert between the two formats by replacing hyphens with plus signs, underscores with slashes, and adding padding if needed. This makes it easy to use existing Base64 libraries that do not natively support the URL-safe variant by performing a simple string replacement before or after encoding.

Syntax Comparison

Here is how to perform Base64URL encoding in several popular programming languages:

JavaScript: There is no built-in Base64URL function in browsers. The common approach is to use btoa() and then replace characters: btoa(str).replace(/+/g, "-").replace(///g, "_").replace(/=+$/, ""). In Node.js, use Buffer.from(str).toString("base64url") which has native support since Node 15.7.

Python: The base64 module provides urlsafe_b64encode(). Call base64.urlsafe_b64encode(b"Hello").decode("ascii").rstrip("=") to get the unpadded Base64URL string.

Java: Use Base64.getUrlEncoder().withoutPadding().encodeToString(bytes) for unpadded Base64URL output. The java.util.Base64 class provides a dedicated URL encoder since Java 8.

Common Use Cases

JSON Web Tokens: JWTs are the primary consumer of Base64URL encoding. The header and payload sections of every JWT are Base64URL encoded JSON objects. The signature is also Base64URL encoded. Using standard Base64 would break JWT parsing because the period delimiter and padding equals signs would conflict with URL handling.

OAuth and OpenID Connect: Many OAuth 2.0 flows use Base64URL encoding for state parameters, code verifiers (PKCE), and token values. The URL-safe format ensures these values can be passed in redirect URLs without corruption.

URL Query Parameters: When binary or structured data must be included in a URL query string, Base64URL encoding avoids the need for double encoding. Standard Base64 would require percent encoding of the plus and slash characters, making the URL longer and harder to read.

Filename-Safe Identifiers: Base64URL output is safe for use in filenames on all major operating systems because it avoids the forward slash character. This makes it useful for generating unique file identifiers from binary data like hashes or UUIDs.

Base64URL Encode Examples

Here are practical examples comparing standard Base64 and Base64URL output:

Example 1 - Simple Text: The string "Hello, World!" encodes to "SGVsbG8sIFdvcmxkIQ" in Base64URL (no padding) versus "SGVsbG8sIFdvcmxkIQ==" in standard Base64. The only difference here is the omitted padding.

Example 2 - Data with Slash: The bytes [0x3F, 0xBF, 0xFF] encode to "P7__" in Base64URL versus "P7//" in standard Base64. The two slashes are replaced with underscores, making the output safe for URLs.

Example 3 - JWT Header: The JSON {"alg":"HS256","typ":"JWT"} encodes to "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" in Base64URL. This is the exact format used as the first segment of a JWT. To inspect full JWT tokens, try our JSON web token decoder.

Example 4 - Binary Hash: A SHA-256 hash often contains bytes that map to plus and slash in standard Base64. Base64URL ensures the encoded hash can be used directly in a URL path like /verify/abc-def_ghi without any ambiguity.

Frequently Asked Questions

When should I use Base64URL instead of standard Base64?

Use Base64URL whenever the encoded output will appear in a URL, a filename, or any context where plus (+), slash (/), or equals (=) characters could cause problems. The most common scenario is building or parsing JSON Web Tokens. If the encoded data will only be stored in a database, transmitted in a request body, or embedded in a non-URL context, standard Base64 is perfectly fine.

Can I decode Base64URL with a standard Base64 decoder?

Not directly, but the conversion is trivial. Replace all hyphens (-) with plus (+), replace all underscores (_) with slashes (/), and add padding equals signs until the string length is a multiple of four. After these replacements, any standard Base64 decoder will handle the input correctly. Our Base64URL decoding converter tool handles this automatically.

Why does Base64URL omit padding?

Padding is omitted because the equals sign has special meaning in URL query strings, where it separates parameter names from values. Including padding would require percent encoding the equals signs, defeating the purpose of a URL-safe encoding. The decoder can determine the original data length from the encoded string length: if length mod 4 is 2, one padding would have been present; if mod 4 is 3, two paddings would have been present.

Is Base64URL encoding used in OAuth 2.0?

Yes, Base64URL is used extensively in OAuth 2.0 and OpenID Connect. The PKCE (Proof Key for Code Exchange) extension uses Base64URL to encode the code verifier and code challenge. Access tokens and ID tokens in JWT format use Base64URL for all three segments. State parameters passed in authorization redirects also commonly use Base64URL encoding.

How does Base64URL compare to percent encoding for URLs?

Base64URL and percent encoding serve different purposes. Percent encoding (also called URL encoding) escapes individual characters that are unsafe in URLs by replacing them with percent-hex sequences. Base64URL transforms entire binary payloads into a URL-safe string. If you need to include arbitrary binary data in a URL, Base64URL is more efficient than percent encoding the raw bytes. For encoding individual URI components, our URI component encoder handles standard percent encoding.

What is the maximum length of a Base64URL encoded string in a URL?

While there is no theoretical limit on Base64URL string length, practical URL length limits apply. Most browsers support URLs up to about 2048 characters, and many web servers have similar limits. For very large payloads, consider sending the data in the request body rather than encoding it in the URL. Keep in mind that Base64URL adds approximately 33 percent overhead, so a 1500-byte payload would produce roughly a 2000-character encoded string.