URL-Safe Base64 Encoder/Decoder
Convert Base64 strings to URL-safe format by replacing problematic characters. Perfect for query parameters, filenames, and web APIs.
What is URL-Safe Base64?
URL-safe Base64 is a variant of standard Base64 encoding defined in RFC 4648 Section 5. It modifies 2 characters in the Base64 alphabet: + becomes - and / becomes _. Padding with = is often omitted. This produces output that can be placed directly in URLs, query strings, and filenames without percent-encoding.
Standard Base64 converts binary data into a 64-character ASCII subset. The characters +, /, and = cause problems in URLs because they carry reserved meanings. URL-safe Base64 solves this by substituting those characters while keeping the same underlying encoding logic. You can encode text to standard Base64 and then convert it, or use this tool to encode directly to URL-safe format.
How Does URL-Safe Base64 Differ from Standard Base64?
URL-safe Base64 and standard Base64 differ by exactly 2 alphabet characters and padding behavior. Both encode data identically in all other respects. The 62nd and 63rd characters in the alphabet are swapped, and the = padding character is typically removed. The table below shows the exact character mapping.
| Character | Standard Base64 | URL-Safe Base64 | Reason |
|---|---|---|---|
| 62nd character | + | - | + means space in URL encoding |
| 63rd character | / | _ | / is a path separator in URLs |
| Padding | = | Omitted or = | = is a delimiter in query strings |
Converting between the two formats is mechanical. Replace - with +, _ with /, and re-add = padding until the string length is a multiple of 4. To decode standard Base64 text, use the dedicated decoder after converting back.
What Are the Common Use Cases for URL-Safe Base64?
URL-safe Base64 is used wherever encoded data must travel through URL-based transport without corruption. The 4 most common use cases are JWT tokens, URL query parameters, filename generation, and API token transmission. Each relies on the absence of +, /, and =.
JWT Tokens: JSON Web Tokens encode their header, payload, and signature using URL-safe Base64 without padding, as specified in RFC 7515. Every JWT you see in an Authorization header uses this encoding.
Query Parameters: Standard Base64 in a query string requires percent-encoding of +, /, and =. URL-safe Base64 eliminates this step, reducing string length and avoiding double-encoding errors.
Filenames: The / character is a path separator on Unix and Windows systems. URL-safe Base64 replaces it with _, producing strings that are valid filenames on all major operating systems.
API Keys and Tokens: Many authentication systems generate tokens using URL-safe Base64 to guarantee safe transmission in HTTP headers, cookies, and redirect URLs. You can validate your Base64 strings to confirm correct formatting before use.
How Does URL-Safe Base64 Encoding Work?
URL-safe Base64 encoding converts input bytes to standard Base64 first, then applies 2 character substitutions and optionally removes padding. Decoding reverses the substitutions, restores padding, and converts from Base64 back to the original bytes. The process is lossless.
Encoding steps: The tool reads your input text, converts it to UTF-8 bytes, encodes those bytes to standard Base64, replaces every + with -, replaces every / with _, and strips trailing = characters. The output is a URL-safe string.
Decoding steps: The tool takes the URL-safe Base64 input, replaces every - with +, replaces every _ with /, calculates and appends the required = padding, then decodes from standard Base64 to the original UTF-8 text. You can also convert Base64 to hexadecimal to inspect the raw byte values.
Is This URL-Safe Base64 Tool Private?
This tool runs entirely in your browser using JavaScript. No data is sent to any server during encoding or decoding. The conversion uses the browser's built-in btoa() and atob() functions. Your input text, Base64 strings, and output remain on your device at all times.
There are no server logs, no analytics on input content, and no cookies that store your data. This makes the tool suitable for encoding sensitive values such as API keys, authentication tokens, and private identifiers. Browse all Base64 tools for additional client-side encoding and decoding utilities.
Frequently Asked Questions
What is the difference between Base64 and URL-safe Base64?
Standard Base64 uses a 64-character alphabet that includes + and /. URL-safe Base64, defined in RFC 4648 Section 5, replaces + with - and / with _. The padding character = is typically omitted. Only these 2 alphabet characters and padding handling differ; the encoding logic is identical.
Do JWT tokens use URL-safe Base64?
Yes. The JWT specification (RFC 7519) requires that the header, payload, and signature are each encoded with URL-safe Base64 without padding. This is called base64url encoding. Every JWT string you encounter, for example in an Authorization: Bearer header, uses this format.
Can URL-safe Base64 be decoded back to standard Base64?
Yes. Replace every - with +, every _ with /, and append = characters until the total length is a multiple of 4. The result is a valid standard Base64 string that decodes to the same binary data. The conversion is deterministic and reversible.
Is URL-safe Base64 encoding reversible?
Yes. URL-safe Base64 is a lossless, bijective encoding. Every unique input produces a unique output, and every valid URL-safe Base64 string decodes to exactly one original byte sequence. No information is lost during encoding or decoding.