๐ Base64 URL Decoder โ Decode Base64url Strings & JWT Tokens
The Base64 URL Decoder converts Base64url-encoded strings back to their original plaintext, JSON, or binary form โ entirely in your browser with no data sent to any server. Whether you're inspecting a JWT (JSON Web Token), debugging an OAuth state parameter, or examining an API response, this tool decodes it instantly.
๐ค What Is Base64 URL Encoding?
Base64url is a variant of standard Base64 defined in RFC 4648 ยง5. It uses a URL-safe alphabet by replacing + with - and / with _, and typically omitting the = padding character. This makes it safe to embed in URLs, query strings, HTTP headers, and cookie values without requiring percent-encoding.
โ๏ธ How Decoding Works
The decoder follows a 5-step normalization process before producing output:
- Strip whitespace โ removes newlines and spaces (if enabled)
- URL-decode โ optionally percent-decodes
%2B,%2F,%3D - Convert alphabet โ replaces
-โ+and_โ/ - Re-add padding โ appends
=or==to make length a multiple of 4 - Decode โ applies standard Base64 decode and interprets bytes as UTF-8, Hex, or JSON
๐ช JWT Token Decoder
Enable JWT Mode to automatically split a JSON Web Token on its . separators into three segments:
Algorithm and token type โ e.g., {"alg":"HS256","typ":"JWT"}
Claims data โ subject, issuer, expiry, and custom fields.
Binary HMAC/RSA signature โ shown as raw Base64url. Cannot be decoded to text.
๐ค Output Formats
| Format | Best For | Example Output |
|---|---|---|
| UTF-8 Text | Plain text, JSON payloads, tokens | hello world |
| Hex Dump | Binary data, encryption keys, certificates | 68 65 6c 6c 6f |
| JSON Pretty-print | API responses, JWT payloads | {
"sub": "123"
} |
๐ Auto-Detect & Input Variants
The decoder handles three common input variants automatically:
- Base64url โ the canonical RFC 4648 ยง5 format with
-and_ - Standard Base64 โ automatically converts
+and/before decoding - URL-encoded Base64 โ percent-decodes
%2Band%2Fbefore processing
๐ก๏ธ Privacy & Security
All decoding runs 100% client-side in your browser. No input data is ever transmitted to a server. This makes the tool safe for decoding sensitive JWTs, API keys, session tokens, and OAuth state parameters. Remember that Base64url encoding provides no encryption or confidentiality โ anyone with the encoded string can decode it.
๐งช Common Use Cases
- Decoding JWT headers and payloads to inspect claims (
sub,exp,iss) - Debugging OAuth 2.0 / OIDC access tokens and state parameters
- Inspecting Base64url-encoded API keys or session identifiers
- Examining URL-safe encoded hashes, nonces, and cryptographic salts
- Decoding binary attachments or file data embedded in API responses
โ ๏ธ Padding & Error Handling
Base64url strings often omit the trailing = padding. The decoder automatically calculates and adds the correct number of padding characters (0, 1, or 2) before decoding. If the decoded bytes contain invalid UTF-8 sequences, the tool warns you and suggests switching to Hex Dump mode to view the raw bytes.