Base64 URL-Safe Encoding Explained
Standard Base64 uses +, /, and = — three characters that cause problems in URLs. URL-safe Base64 (often called base64url) fixes that.
The problem
In a URL, + can mean a space, / is a path separator, and = is used in query strings. Putting raw Base64 in a URL or filename can corrupt it.
The fix
URL-safe Base64 makes two substitutions and one removal:
| Standard | URL-safe |
|---|---|
| + | - |
| / | _ |
| = padding | removed |
So a+b/c== becomes a-b_c.
Where it's used
The biggest example is JWTs. Every segment of a JSON Web Token is base64url-encoded, which is why tokens can be put in URLs and HTTP headers without further escaping.
Converting in code
```javascript
// b64 holds a standard Base64 string
// to url-safe
const safe = b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
// back to standard (re-add padding)
let std = safe.replace(/-/g, '+').replace(/_/g, '/');
while (std.length % 4) std += '=';
```
Decoding base64url
When decoding with a standard Base64 decoder, always convert back to the standard alphabet first and restore the padding, or the decoder will fail on the - and _ characters.
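The decoding rule above, as an added Node.js example that is not code from the original page: a strict decoder that accepts only the unpadded base64url alphabet before converting back to standard Base64, applied to a constructed token. The function names and the sample token are assumptions made for illustration, and the token's signature is placeholder bytes.

```javascript
// Strict base64url handling for JWT segments (Node.js).
// Function names and the sample token are constructed for illustration.

function toBase64Url(bytes) {
  return Buffer.from(bytes).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function fromBase64Url(segment) {
  // Accept only the unpadded base64url alphabet: '+', '/', '=' and
  // whitespace are rejected instead of being silently skipped.
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) {
    throw new Error('not base64url: unexpected character');
  }
  // A remainder of 1 cannot come from whole bytes; padding would not fix it.
  if (segment.length % 4 === 1) {
    throw new Error('not base64url: impossible length');
  }
  let std = segment.replace(/-/g, '+').replace(/_/g, '/');
  while (std.length % 4) std += '=';
  const bytes = Buffer.from(std, 'base64');
  // Re-encode and compare so non-canonical trailing bits are rejected too.
  if (toBase64Url(bytes) !== segment) {
    throw new Error('not base64url: non-canonical encoding');
  }
  return bytes;
}

// Decode the header and payload of a compact token WITHOUT verifying it.
function inspectToken(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected three segments');
  const [header, payload] = parts.slice(0, 2)
    .map((p) => JSON.parse(fromBase64Url(p).toString('utf8')));
  return { header, payload, signatureBytes: fromBase64Url(parts[2]).length };
}

// Constructed sample: the signature is 32 placeholder bytes, not a real MAC.
const sampleToken = [
  toBase64Url(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  toBase64Url(JSON.stringify({ sub: 'user-123' })),
  toBase64Url(new Uint8Array(32).fill(0xfb)),
].join('.');

console.log(sampleToken);
console.log(inspectToken(sampleToken));
```

Decoding needs no key, so the header and payload are readable by anyone who holds the token; only signature verification, which this example does not perform, makes the contents trustworthy.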
Try it
The Base64 tool handles both standard and URL-safe variants. For tokens specifically, the JWT decoder does the base64url decoding automatically.