🔓 Base64 URL Decoder – Decode Base64url Strings & JWT Tokens
The Base64 URL Decoderconverts Base64url-encoded strings back to their original plaintext, JSON, or binary form — entirely in your browser with no data sent to any server. Whether you're inspecting a JWT (JSON Web Token), debugging an OAuth state parameter, or examining an API response, this tool decodes it instantly.
🔤 What Is Base64 URL Encoding?
Base64url is a variant of standard Base64 defined in RFC 4648 §5. It uses a URL-safe alphabet by replacing + with - and / with _, and typically omitting the = padding character. This makes it safe to embed in URLs, query strings, HTTP headers, and cookie values without requiring percent-encoding.
⚙️ How Decoding Works
The decoder follows a 5-step normalization process before producing output:
- Strip whitespace — removes newlines and spaces (if enabled)
- URL-decode — optionally percent-decodes
%2B,%2F,%3D - Convert alphabet — replaces
-→+and_→/ - Re-add padding — appends
=or==to make length a multiple of 4 - Decode — applies standard Base64 decode and interprets bytes as UTF-8, Hex, or JSON
🪙 JWT Token Decoder
Enable JWT Mode to automatically split a JSON Web Token on its . separators into three segments:
Algorithm and token type — e.g., {"alg":"HS256","typ":"JWT"}
Claims data — subject, issuer, expiry, and custom fields.
Binary HMAC/RSA signature — shown as raw Base64url. Cannot be decoded to text.
📤 Output Formats
| Format | Best For | Example Output |
|---|---|---|
| UTF-8 Text | Plain text, JSON payloads, tokens | hello world |
| Hex Dump | Binary data, encryption keys, certificates | 68 65 6c 6c 6f |
| JSON Pretty-print | API responses, JWT payloads | {
"sub": "123"
} |
🔄 Auto-Detect & Input Variants
The decoder handles three common input variants automatically:
- Base64url — the canonical RFC 4648 §5 format with
-and_ - Standard Base64 — automatically converts
+and/before decoding - URL-encoded Base64 — percent-decodes
%2Band%2Fbefore processing
🛡️ Privacy & Security
All decoding runs 100% client-side in your browser. No input data is ever transmitted to a server. This makes the tool safe for decoding sensitive JWTs, API keys, session tokens, and OAuth state parameters. Remember that Base64url encoding provides no encryption or confidentiality — anyone with the encoded string can decode it.
🧪 Common Use Cases
- Decoding JWT headers and payloads to inspect claims (
sub,exp,iss) - Debugging OAuth 2.0 / OIDC access tokens and state parameters
- Inspecting Base64url-encoded API keys or session identifiers
- Examining URL-safe encoded hashes, nonces, and cryptographic salts
- Decoding binary attachments or file data embedded in API responses
⚠️ Padding & Error Handling
Base64url strings often omit the trailing = padding. The decoder automatically calculates and adds the correct number of padding characters (0, 1, or 2) before decoding. If the decoded bytes contain invalid UTF-8 sequences, the tool warns you and suggests switching to Hex Dump mode to view the raw bytes.