JSONToTable

Base64 URL Decoder

Decode URL-safe Base64 (Base64url) strings to text

Base64url Input

Loading editor...

Decoded Text

Decoded text will appear here

Paste a Base64url string in the input area

About Base64 URL Decoder (Base64url)

Our Base64 URL Decoder converts URL-safe Base64 strings (Base64url) back to their original text format. This decoder handles the URL-friendly Base64 variant that replaces special characters (+, /, =) with URL-safe alternatives (-, _, no padding), commonly used in JWT tokens, OAuth flows, and web APIs.

What Does This Decoder Do?

Base64url encoding modifies standard Base64 to be URL-safe. This decoder:

  • ✓ Converts - back to +
  • ✓ Converts _ back to /
  • ✓ Restores padding = characters as needed
  • ✓ Decodes the resulting standard Base64 to original text
  • ✓ Handles UTF-8 encoded text properly

How to Use the Base64 URL Decoder

  1. Paste Base64url String: Copy your URL-safe Base64 string into the input area
  2. Automatic Decoding: See real-time decoding as you type or paste
  3. View Result: Read the decoded text in the output pane
  4. Copy/Download: Use Copy button for clipboard or Download to save as file
  5. Error Detection: Get clear error messages if the string is invalid

Common Use Cases

  • JWT Token Inspection: Decode JWT header and payload sections to view claims
  • OAuth Debugging: Extract state parameters from OAuth/SAML responses
  • API Response Parsing: Decode Base64url data from REST API responses
  • URL Parameter Extraction: Retrieve encoded data from query strings
  • Session Data: Decode URL-safe session identifiers
  • Token Validation: Inspect API tokens and access keys
  • Data Recovery: Extract information from Base64url encoded filenames

JWT Token Decoding Example

JWT tokens consist of three Base64url encoded parts separated by dots. Here's how to decode them:

JWT Token:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Decoded Header (first part):

{"alg":"HS256","typ":"JWT"}

Decoded Payload (second part):

{"sub":"1234567890","name":"John Doe","iat":1516239022}

Note: The signature (third part) is binary data and won't decode to readable text.

Features of Our Base64 URL Decoder

🚀 Instant Decoding

Real-time decoding as you type or paste Base64url strings

🔧 Auto-Padding

Automatically restores missing padding for proper decoding

✅ Error Handling

Clear error messages with troubleshooting tips

🔒 100% Private

All decoding happens in your browser - no server uploads

🌐 UTF-8 Support

Properly handles international characters and emojis

📋 Quick Copy

One-click copy to clipboard for immediate use

Understanding JWT Structure

JSON Web Tokens (JWT) use Base64url encoding for portability. A JWT has three parts:

1. Header:

Contains token type (JWT) and signing algorithm (HS256, RS256, etc.)

{"alg":"HS256","typ":"JWT"}
2. Payload:

Contains claims (user data, expiration, issuer, etc.)

{"sub":"user123","exp":1234567890}
3. Signature:

Cryptographic signature to verify token integrity (binary, not text)

Frequently Asked Questions

How do I decode a JWT token?

Split the JWT by dots (.) into three parts. Use this decoder to decode the first part (header) and second part (payload). The third part (signature) is binary and used for verification, not decoding.

What's the difference between Base64 and Base64url decoding?

Base64url uses different characters: - instead of +, _ instead of /, and no padding (=). This decoder handles both formats by converting Base64url to standard Base64 before decoding.

Why do I get an error when decoding?

Common errors include: invalid characters in the Base64url string, corrupted data, or mixing standard Base64 with URL-safe Base64. Ensure you're using the correct decoder for your format.

Is it safe to decode JWT tokens here?

Yes for development and learning! All decoding happens client-side in your browser - nothing is sent to servers. However, never decode production tokens containing sensitive data on public tools.

Can I verify JWT signatures with this tool?

No, this tool only decodes the text portions of JWT tokens. Signature verification requires the secret key or public key and is typically done in your application code or specialized JWT libraries.

What if my Base64url string has no padding?

No problem! Base64url format typically omits padding (= characters). Our decoder automatically calculates and restores the correct padding before decoding.

Does this work with OAuth tokens?

Yes! OAuth 2.0 and OpenID Connect use Base64url encoding for state parameters and tokens. You can decode these to inspect the contained data.

Can I decode binary data like images?

This tool is designed for text decoding. Binary data (like images or files) encoded in Base64url won't produce readable text output. Use a binary-specific Base64 decoder for those use cases.

💡 Pro Tip

When debugging JWT authentication issues, decode both the header and payload to inspect claims like expiration (exp), issuer (iss), and audience (aud). Common problems include expired tokens (exp timestamp in the past) or mismatched audience claims.

⚠️ Security Warning

Remember: Base64url encoding is NOT encryption! Anyone can decode Base64url strings. Never store sensitive information like passwords, API keys, or personal data in JWT payloads without proper encryption. JWT signatures verify integrity, not confidentiality.

🔧 Developer Note

In JavaScript, decode Base64url with:atob(base64url.replace(/-/g, '+').replace(/_/g, '/').padEnd(base64url.length + (4 - base64url.length % 4) % 4, '='))