Base64url decoding restores UTF-8 text from unpadded URL-safe Base64 strings. Unlike standard Base64, the alphabet uses - and _ instead of + and /, and padding = is usually omitted so tokens fit cleanly in URLs and JWT segments.
How it works
Each group of four Base64url characters maps back to three original bytes. The decoder accepts only characters from the URL-safe alphabet (A–Z, a–z, 0–9, -, _) and optional padding. Invalid symbols are rejected before any output is shown, which helps catch copy-paste errors from mixed standard and URL-safe encodings.
When to use it
- Read JWT header and payload segments after splitting on dots
- Decode URL-safe tokens from OAuth or OpenID flows
- Verify round trips after encoding with the companion from-text-to-base64url tool
- Inspect Base64url fields in API responses without writing a script
Example
The Base64url form of hello world decodes back to the original phrase in the output field. Whitespace around pasted input is ignored during validation.
Limitations
This validates alphabet and padding only; it does not verify JWT signatures, expiration (exp), or audience (aud) claims. Decoding reveals content to anyone holding the string—it is not encryption. Binary payloads may not display as readable UTF-8 text.