Base64URL Encoding

Base64URL is a URL-safe variant of Base64 encoding used in JWT header and payload segments. It replaces + with -, / with _, and often omits = padding. This makes JWT strings safe in URLs, query parameters, and HTTP headers without escaping. Base64URL is encoding, not encryption — anyone can decode a JWT payload. The signature segment is also base64url-encoded binary output from the signing algorithm. Implementations across Node.js, Python, Go, Ruby, and Java follow the same RFC standards, so concepts transfer directly between stacks. Security reviews should treat this as part of your full authentication threat model, not an isolated configuration detail.

Why It Matters

Understanding Base64URL explains why JWT payloads are readable without a secret and why you must never embed sensitive data in claims. Our Base64 Encoder/Decoder tool handles standard Base64; JWTs specifically use the URL-safe alphabet defined in RFC 4648. Getting this wrong often surfaces only after an incident, when forged or replayed tokens expose gaps in validation or secret handling. Platform teams should encode these rules in libraries, linting, and deployment checklists so individual services cannot drift silently. Pair technical controls with monitoring: log verification failures, track unusual token lifetimes, and alert on spikes in 401 responses.

Code Example

Decode JWT payload
const payload = token.split('.')[1];
const json = Buffer.from(payload, 'base64url').toString('utf8');
console.log(JSON.parse(json));

Related Terms

Related Tools

Related Articles

Frequently Asked Questions

Can I decode a JWT without the secret?

Yes. Decoding only requires base64url decoding of the header and payload. Verification requires the secret or public key. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.

Base64 vs Base64URL?

Base64URL uses - and _ instead of + and /, making tokens safe in URLs without additional percent-encoding. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.

Is base64url encryption?

No. It is reversible encoding. Confidential claims require JWE or transport-layer encryption via HTTPS. Consult your JWT library documentation for exact option names, defaults, and error types. When in doubt, prefer stricter validation and shorter token lifetimes over permissive shortcuts.