Decode a Base64URL string

Why Base64URL fails in a standard decoder

Base64URL replaces plus with hyphen and slash with underscore so the value can travel safely in URLs, filenames, and tokens. It also often removes equals-sign padding. A standard Base64 decoder may reject those characters or fail when the length no longer lines up.

Example

SGVsbG8tdXJsX3NhZmU

Normalize to SGVsbG8tdXJsX3NhZmU=, then decode the bytes as UTF-8 text.

How to decode it safely

1. Replace each hyphen with plus and each underscore with slash when you need standard Base64 input.
2. Add equals-sign padding until the string length is divisible by four.
3. Decode the normalized value and check whether the resulting bytes are readable UTF-8.
4. If the value came from a token, decode only the part you need and do not treat the result as proof that the token is valid.

Where Base64URL appears

Base64URL is common in JWTs, callback values, short identifiers, signed URLs, and systems that need binary-looking data inside URL-safe text. The alphabet change is small, but it is enough to break a strict Base64 decoder.

When the decoded output looks like JSON, format it before reading nested fields. When it looks like random symbols, the bytes may not be UTF-8 text, or the value may be compressed or encrypted before encoding.

Common mistakes

• Pasting a JWT header, payload, and signature together instead of decoding one part
• Forgetting that Base64URL may omit padding
• Assuming decoded token text has been verified
• Treating Base64URL as encryption instead of encoding

Related problems