URL-Safe Base64 Encoder - Free, No Sign-Up
Overview
Standard Base64 uses + and / characters that break URL parsing and must be percent-encoded in query strings. URL-safe Base64 (Base64url, defined in RFC 4648 Section 5) replaces + with - and / with _, making the string safe to use directly in URLs, HTTP headers, JWTs, and OAuth state parameters without any extra encoding.
How to Use This Tool
Paste text or an existing standard Base64 string. Enable URL-safe mode with the toggle. The encoder outputs Base64url with padding stripped. To convert an existing standard Base64 string, paste it and switch to URL-safe mode rather than re-encoding from raw text.
Ready to get started? It's free, no registration required, and your files never leave your device.
PDF Tool →Frequently Asked Questions
Why do JWTs use URL-safe Base64?
JWTs are often passed in URL query strings, Authorization headers, and cookies. Standard Base64 characters like + and / cause parsing errors in URLs. Base64url avoids this by using - and _ instead, making the entire token URL-safe without percent-encoding.
Should I include padding (== at the end) in a Base64url string?
Typically no. Most JWT and OAuth implementations strip padding and add it back when needed. Padding characters (=) are also problematic in URLs. RFC 7515 (JWS) explicitly mandates no padding in JWT segments.
What is the difference between Base64 and Base64url?
They use the same 64-character alphabet except for two characters: standard Base64 uses + and /, while Base64url uses - and _. Base64url also omits trailing = padding. Everything else, including the encoding math, is identical.