Encoding and tokens

Base64, Base64URL, and JWT encoding explained

An encoding workflow that prevents alphabet and byte mistakes and never confuses readable JWT claims with verified identity.

Base64 represents bytes as text; it does not encrypt them. Base64URL changes the alphabet for URL-safe contexts and often omits padding, as JWT segments commonly do.

Start from bytes and the right alphabet

Encode text to UTF-8 bytes first. Standard Base64 uses + and /, while Base64URL uses - and _. Add or remove padding only according to the receiving protocol.

Do not mix encoding layers

Percent-encoding protects URL components and is separate from Base64URL. Repeated encoding or decoding can corrupt separators, Unicode, or binary data.

Treat JWT decoding as inspection

JWT header and payload segments are readable Base64URL JSON, but trust requires verification of the signature, algorithm, issuer, audience, time claims, and authorization policy.

Base64 and JWT checklist

  • Identify the original byte encoding
  • Choose Base64 or Base64URL explicitly
  • Handle padding according to the protocol
  • Avoid accidental double encoding
  • Verify JWT signatures and claims separately

Related guides

Learn the workflow behind this tool and what to check next.

Related tools