Base64May 16, 2026 · 5 min read
Base64 vs Base64URL — Complete Comparison
Developers often confuse Base64 and Base64URL. Using the wrong one causes silent bugs in authentication and API calls. This guide explains the differences clearly.
Quick reference
Use Standard Base64 for:
- → HTTP Basic Authentication headers
- → Email attachments (MIME)
- → Embedding images in HTML/CSS
- → Any non-URL context
Use Base64URL for:
- → JWT tokens (always Base64URL)
- → URL parameters and query strings
- → Email verification links
- → OAuth tokens in URLs
Character differences
| Charset | Standard Base64 | Base64URL |
|---|---|---|
| Uppercase | A-Z | A-Z (same) |
| Lowercase | a-z | a-z (same) |
| Numbers | 0-9 | 0-9 (same) |
| Char 62 | + | - (hyphen) |
| Char 63 | / | _ (underscore) |
| Padding | = | omitted |
How JWT uses Base64URL
JWT tokens always use Base64URL encoding — never standard Base64. This is because JWT tokens are often passed in URLs, Authorization headers and cookies where standard Base64 characters cause issues.
// JWT structure — all parts are Base64URL encoded
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMSJ9.signature
|___________________|.|___________________|.|_________|
header payload signature
// Decode the header (Base64URL → JSON)
// eyJhbGciOiJIUzI1NiJ9
// → {"alg":"HS256"}
// Note: JWT uses Base64URL without padding (no = signs)Detecting which encoding you have
function detectBase64Type(str) {
if (/[+/]/.test(str)) {
return 'standard Base64 (contains + or /)'
}
if (/[-_]/.test(str)) {
return 'Base64URL (contains - or _)'
}
if (str.endsWith('=')) {
return 'standard Base64 (has padding)'
}
return 'could be either (only alphanumeric chars)'
}Encode and decode Base64 instantly
Supports standard Base64 and URL-safe Base64URL with one click switching.
Open Base64 Tool →