How to Decode Base64 Strings (and JWT Payloads)

Base64 is reversible encoding, not encryption. Decode it in one step, handle Unicode correctly, and read JWT sections that use Base64url.

What Base64 actually is

Base64 maps binary data to 64 printable ASCII characters. It is fully reversible with no key, so it is encoding, not encryption — never use it to hide secrets.

Decoding and encoding

In the browser, encode with btoa and decode with atob. For non-ASCII text, round-trip through UTF-8 so characters like é, ü, or 你 survive instead of becoming garbled bytes.

Reading a JWT

A JWT is three Base64url sections joined by dots: header, payload, and signature. Decode the first two to read the claims. The signature is binary and is not meant to be human-readable.

Base64 vs Base64url

Standard Base64 uses + and / with = padding. URL-safe Base64url replaces them with - and _ and drops padding so the value is safe inside URLs and JWTs.

Decoding is not the same as verifying

Decoding a JWT reveals the claims but says nothing about authenticity. Anyone can forge a token whose payload says "role":"admin"; only the signature, verified against the issuer's key, proves the token is real. Never make a trust decision on an unverified token.

Common JWT claims and their meaning

iss is the issuer, sub the subject (user id), aud the intended audience, exp the expiry (Unix seconds), iat the issue time, nbf 'not before', and jti a unique id. Custom claims live alongside these. Always check exp and aud server-side, not just on the client.

Padding and url-safe variants

Base64url often arrives without = padding. To decode in code, pad the length up to a multiple of 4 with =, then replace - with + and _ with /, then run a normal Base64 decoder. Browsers' atob does not accept Base64url directly, so the conversion has to happen first.
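
The steps above (UTF-8 round-trip, Base64url conversion, reading a JWT's first two sections) put together as an added example that is not part of the original guide. The function names and the sample token are hypothetical and constructed here.

```javascript
// Added example; all names here are hypothetical, not from any library.

// Text -> Base64url: UTF-8 encode first so btoa only ever sees bytes 0-255.
function utf8ToB64url(text) {
  const bytes = new TextEncoder().encode(text);
  const binary = String.fromCharCode(...bytes);
  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Base64url -> bytes: restore the standard alphabet and padding, then atob.
function b64urlToBytes(input) {
  const s = input.replace(/=+$/, ""); // tolerate senders that kept padding
  if (!/^[A-Za-z0-9_-]*$/.test(s) || s.length % 4 === 1) {
    throw new Error("not valid Base64url");
  }
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Bytes -> text as strict UTF-8: invalid sequences throw instead of garbling.
function bytesToUtf8(bytes) {
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Reads header and payload for inspection only. Nothing here checks the signature.
function decodeJwtUnverified(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return {
    header: JSON.parse(bytesToUtf8(b64urlToBytes(parts[0]))),
    payload: JSON.parse(bytesToUtf8(b64urlToBytes(parts[1]))),
    signatureLength: b64urlToBytes(parts[2]).length, // binary, so only its size
    verified: false,
  };
}

// Constructed sample: the "signature" is arbitrary bytes, yet decoding succeeds.
const SAMPLE_JWT = [
  utf8ToB64url(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  utf8ToB64url(JSON.stringify({ sub: "user-1", name: "Zoé 你", role: "admin", exp: 1700000000 })),
  utf8ToB64url("not a real signature"),
].join(".");

console.log(decodeJwtUnverified(SAMPLE_JWT));
```

The sample decodes cleanly even though its signature is meaningless, which is why the result carries verified: false. Server-side code should verify the signature against the issuer's key and check exp and aud before using any claim.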
