Toolcroft

Encoding Tools

URL-Safe Base64 Encoder - Base64url Encode & Decode

Encode and decode text using URL-safe Base64 (Base64url, RFC 4648 §5). Handles + → -, / → _, optional padding. Also decodes JWT headers and payloads - fully offline.

What is Base64url?

Base64url (URL-safe Base64) is defined in RFC 4648 §5. It is identical to standard Base64 except:

  • + is replaced with -
  • / is replaced with _
  • Padding (=) is typically omitted

These changes make the output safe to embed in URLs, file names, and HTTP headers without percent-encoding.

Where is Base64url used?

  • JWTs (JSON Web Tokens): header and payload are Base64url-encoded
  • OAuth 2.0 PKCE: code verifier and challenge
  • WebAuthn / FIDO2: challenge and credential IDs
  • URL shorteners: compact binary-to-text IDs
  • Web Crypto API: key export formats

Standard Base64 vs Base64url

FeatureStandard Base64Base64url
Alphabet character +62+-
Alphabet character +63/_
PaddingAlways (=)Usually omitted
URL safeNoYes

JWT Peek tab

The JWT Peek tab decodes a JSON Web Token's header and payload so you can inspect claims like sub, iat, exp, and aud, all without sending the token anywhere.

Important: this tool does not verify the signature. Use server-side JWT libraries for trusted verification.

Anatomy of a JWT

A JSON Web Token consists of three Base64url-encoded segments separated by dots: header.payload.signature. Here is a worked example:

SegmentEncoded (truncated)Decoded JSON
Header eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 {"alg":"HS256","typ":"JWT"}
Payload eyJzdWIiOiIxMjM0IiwiaWF0IjoxNzAwMDAwMDAwLCJleHAiOjE3MDAwMzYwMDB9 {"sub":"1234","iat":1700000000,"exp":1700036000}
Signature SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c HMAC-SHA256 of header + "." + payload; cannot be decoded without the secret

Common standard claims in the payload: sub (subject - user ID), iat (issued-at - Unix timestamp), exp (expiration - Unix timestamp), aud (audience - intended recipient), iss (issuer). Custom claims can be added for application-specific data.