A virtual teacher who reveals to you the great secrets of Base64

Base64URL

Base64URL is a modification of the main Base64 standard, the purpose of which is the ability to use the encoding result as filename or URL address. The Base64URL is described in RFC 4648 § 5, where it is mentioned that the standard Base64 alphabet contains invalid characters for URLs and filenames.

The first problem is that the main standard uses “+” as the 62rd character and “=” as padding character. Both characters have a special meaning in the URI address: “+” is interpreted as space, while “=” is used to send data via query string as “key=value” pair. As you understand, using these symbols may lead to various errors.

The second problem — the main standard uses “/” as the 63rd character, which both for URL addresses and for file system locations, represents the directory separator. Therefore in this case errors are guaranteed.

To avoid the errors above, it was proposed to use a “safe alphabet” for URL addresses and filenames. Thus, the Base64URL was born. It uses the same algorithm as the main standard, but differs in the following:

  • Replaces “+” by “-” (minus)
  • Replaces “/” by “_” (underline)
  • Does not require a padding character
  • Forbids line separators

For example, the main standard will encode <<???>> to PDw/Pz8+Pg== while Base64URL will convert it to PDw_Pz8-Pg. As you can see, only special characters have been changed, while the letters and digits have remained intact.

If you want to see it in action, check the following tools:

This page would be incomplete without Base64URL characters table. So, meet it:

Uppercase Letters
IndexCharacter
0A
1B
2C
3D
4E
5F
6G
7H
8I
9J
10K
11L
12M
13N
14O
15P
16Q
17R
18S
19T
20U
21V
22W
23X
24Y
25Z
Lowercase Letters
IndexCharacter
26a
27b
28c
29d
30e
31f
32g
33h
34i
35j
36k
37l
38m
39n
40o
41p
42q
43r
44s
45t
46u
47v
48w
49x
50y
51z
Digits
IndexCharacter
520
531
542
553
564
575
586
597
608
619
Symbols
IndexCharacter
62-
63_

Given all of the above, a Base64URL value can be defined using the following regular expression:

^[A-Za-z0-9_-]+$

I would also like to provide some additional links:

Comments (5)

I hope you enjoy this discussion. In any case, I ask you to join it.

  • Faizul,
    I want to decode some string that I received from app sniffing.

    I will be pleased if you help me to decode such following code:

    abG9nb191cmw=, maHR0cDovLzUxLjE1LjIwOS45MDo4ODAwL2RhdGEvaW1nL2ZpbGVzLzU2NjU5X2FzcG9yLmpwZw==

    Please let me know how to decode the above-mentioned characters.

    Thanks
    • Zaidan,
      Found one kinda look like that while reversing android apk, thought it was Base64 but turns out it was AES256 encryption.
      So that might be AES256
  • DavidSpector,
    This is a great standard, and one that is overdue. But those responsible for JavaScript and PHP (at least), need to add it to their languages so programmers can learn about this and use it directly.
    • cs32,
      @DavidSpector, it would be convenient to have built-in base64url methods in PHP / JS, but, frankly, implementing them is very trivial:

      PHP:
      php
      function base64url($str) {
          return str_replace(['+','/','='], ['-','_',''], base64_encode($str));
      }
      // decode base64url encoded data
      function unbase64url($str) {
          return base64_decode(str_replace(['-','_'], ['+','/'], $str));
      }


      JS:
      js
      function base64url(str) {
          return btoa(str).replace(/=+$/,'').replace(/\+/g,'-').replace(/\//g,'_');
      }
      function unbase64url(str) {
          return atob(str.replace(/-/g,'+').replace(/_/g,'/'));
      }
      • Slay,
        @cs32,
        it's was wrong:

        // decode base64url encoded data
        function unbase64url($str) {
            return base64_decode(str_replace(['-','_'], ['+','/'], $str));



        so is correct:

        function unbase64url($str) {
            return base64_decode(str_replace(['-','_'], ['+','/'], base64_decode($str));
        }
Add new comment

If you have any questions, remarks, need help, or just like this page, please feel free to let me know by leaving a comment using the form bellow.
I will be happy to read every comment and, if necessary, I will do my best to respond as quickly as possible. Of course, spammers are welcome only as readers.