JWTs, OAuth tokens, and modern APIs almost always use URL-safe Base64. Here's what it is, how it differs from standard Base64, and how to convert between them.
Standard Base64 uses two characters that have special meaning on the web: + and /. In a URL, + can be interpreted as a space, and / separates path segments. If you put a standard Base64 string into a URL, it may get mangled by web servers, proxies, or browsers before it reaches your code.
URL-safe Base64 (defined in RFC 4648 §5) swaps those two characters out:
| Standard | URL-safe |
|---|---|
| + | - (hyphen) |
| / | _ (underscore) |
| = padding | often omitted |
Both hyphen and underscore are URL-safe in every context — paths, query strings, fragments, filenames. The character set is otherwise identical.
The = character is technically URL-safe, but it's often dropped from URL-safe Base64 anyway. JWTs drop it. base64url in most languages drops it. The reason: the padding is redundant — you can always recompute it from the string length. If the length mod 4 is 2, add ==; if it's 3, add =; if it's 0, no padding needed.
This is why JWT tokens look like eyJhbGciOi... with no trailing equals signs.
Our decoder auto-detects standard vs URL-safe and handles missing padding silently. You never need to choose — just paste.
* Set-Cookie headers.
* / means no accidental directory traversal.
* / would create unintended folder hierarchies in S3.

If the string contains - or _, it's URL-safe. If it contains + or /, it's standard. If it contains neither (only letters, digits, and possibly =), it could be either — and any compliant decoder will produce the same output.
If you ever need to convert by hand:
* Standard to URL-safe: replace + with -, / with _, and optionally strip trailing =.
* URL-safe to standard: replace - with +, _ with /, and pad with = until the length is a multiple of 4.

Mixing variants is the #1 source of "invalid Base64" errors when one system encodes URL-safe and another expects standard. The fix is to normalize before decoding. Almost every modern Base64 library has a "permissive" mode that accepts both — use it unless you have a reason not to.
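One way to implement the normalize-before-decode step described above, as an added example that is not this site's decoder code; the function names `detect_variant` and `normalize_and_decode` are assumptions. It accepts either alphabet with or without padding, but rejects input that mixes the two alphabets, has a length that cannot occur, or carries the wrong number of = signs, which is the strictness you usually want when the value is a token.

```python
import base64
import re

# Characters allowed in either variant, excluding padding.
_BODY = re.compile(r"[A-Za-z0-9+/_-]*")


def detect_variant(s: str) -> str:
    """Classify a string by the rule in the text: -/_ vs +// vs neither."""
    has_url = any(c in "-_" for c in s)
    has_std = any(c in "+/" for c in s)
    if has_url and has_std:
        # A single encoder never emits both alphabets.
        raise ValueError("mixed standard and URL-safe alphabets")
    if has_url:
        return "urlsafe"
    return "standard" if has_std else "either"


def normalize_and_decode(s: str) -> bytes:
    """Decode standard or URL-safe Base64, padded or unpadded."""
    detect_variant(s)
    body = s.rstrip("=")
    if not _BODY.fullmatch(body):
        raise ValueError("character outside both Base64 alphabets")
    if len(body) % 4 == 1:
        # One leftover character carries only 6 bits: not a whole byte.
        raise ValueError("impossible Base64 length")
    needed = -len(body) % 4          # 0, 1 or 2 '=' characters
    supplied = len(s) - len(body)
    if supplied and supplied != needed:
        raise ValueError("padding present but wrong length")
    # Convert to the standard alphabet and recompute the padding.
    std = body.replace("-", "+").replace("_", "/") + "=" * needed
    return base64.b64decode(std, validate=True)


if __name__ == "__main__":
    # Constructed sample: the header segment of a JWT, unpadded URL-safe.
    print(normalize_and_decode("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"))
    # Constructed sample: the same two bytes in both variants.
    print(normalize_and_decode("-_8"), normalize_and_decode("+/8="))
```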
Paste a JWT into the decoder, with or without the trailing equals signs, and watch it work either way.
Published May 2026 · Last reviewed May 2026. Spot an error? Email contactus@base64decode.tools.