Base64URL Decoder
Decode URL-safe Base64 strings (JWT payloads, OAuth tokens).
What Is Base64URL Decoding?
Base64URL decoding converts a URL-safe Base64 string back to its original text or binary data. This tool automatically restores the - and _ characters back to + and /, and re-adds any stripped padding before decoding.
Decoding JWT Tokens
A JSON Web Token (JWT) has three dot-separated sections: header.payload.signature. Both the header and the payload are Base64URL-encoded JSON objects. To inspect a JWT, paste just the middle section (the payload β between the two dots) here to decode it.
For example, the payload eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0 decodes to {"sub":"1234567890","name":"John Doe"}.
Note: decoding a JWT payload does not verify the signature. For signature verification, use a proper JWT library.
Other Places You Find Base64URL
OAuth 2.0 PKCE: The code_verifier and code_challenge in PKCE-based OAuth flows are Base64URL strings.
WebAuthn / FIDO2: Authenticator responses include Base64URL-encoded binary data for the credential ID and attestation objects.
URL parameters: When binary data is passed as a URL query parameter, it is typically Base64URL-encoded to avoid percent-encoding issues.
Difference from Standard Base64 Decoder
If your string contains - or _ characters (instead of + or /) and has no trailing = padding, it is Base64URL. Standard Base64 strings use + and / and end with = or ==. Use the Base64 Decoder for the standard variant.
Need more encoding tools? Try the full Encode & Decode suite.