Base64url vs Base64: what’s the difference (JWT-friendly encoding)

Base64url (also written as Base64URL) is a URL-safe variant of Base64. It exists because “normal” Base64 uses characters like + and / that often need escaping in URLs, cookies, and filenames.

Quick summary

Topic	Base64	Base64url
Alphabet	Uses + and /	Uses - and _
Padding	Commonly ends with = or ==	Often omits padding (JWT does)
Where you’ll see it	Data URIs, file encoding, email/MIME, generic tooling	JWT segments, URL tokens, cookie-safe values

Character mapping

• Replace + with -
• Replace / with _
• For JWTs, remove trailing = padding

Examples

Base64 vs Base64url strings (same bytes)

Base64:    abcd+efg/hij==
Base64url: abcd-efg_hij

The underlying bytes are the same. The difference is purely the alphabet and padding.

JWTs use Base64url

A JWT is three Base64url-encoded parts separated by dots:

header.payload.signature

Common pitfalls

• Padding errors: some decoders require padding. If you’re decoding a JWT segment manually, you may need to add back = until the length is a multiple of 4.
• Mixing alphabets: using +// in a JWT segment is a sign it’s not Base64url.
• Assuming it’s encryption: Base64/Base64url is encoding, not secrecy.

Try it instantly

• Base64 Encoder & Decoder (toggle URL-safe mode)
• JWT Decoder (decode header/payload and inspect claims)

Related

• What is Base64?
• JWT claims explained
• All tools