illegal base64 data at input char: what it means and how to fix it

What the error means

illegal base64 data at input char means a decoder rejected the input as invalid encoding. The fastest path is to identify what format you have, normalize it, then decode again.

Most common real-world causes

• The input contains non-Base64 characters, wrong alphabet (Base64URL), or missing padding ('=').
• The input is not actually encoded in the expected format (Base64 vs Base64URL vs plain text).
• You copied only part of the string (truncated token/payload).
• Whitespace/newlines were introduced during copy/paste.
• Wrong character set: URL-safe Base64 uses '-' and '_' instead of '+' and '/'.
• You decoded using the wrong function (decodeURIComponent on non-URL-encoded data, atob on non-Base64).

Fast debugging steps

• Normalize Base64URL (replace '-'/'_' and add padding) before decoding.
• Confirm what you are decoding (URL encoding, Base64, Base64URL, JWT).
• Trim whitespace and remove line breaks before decoding.
• If it's a JWT, ensure it has 3 dot-separated parts (header.payload.signature).
• If it's Base64URL, convert '-' -> '+' and '_' -> '/' and add padding if needed.

Code example (go)

import (
  "encoding/base64"
  "strings"
)

s := strings.TrimSpace(input)
// Base64URL -> Base64
s = strings.NewReplacer("-", "+", "_", "/").Replace(s)
for len(s)%4 != 0 { s += "=" }

b, err := base64.StdEncoding.DecodeString(s)
if err != nil {
  // e.g. "illegal base64 data at input char"
  panic(err)
}
_ = b

Fix without uploading data

Encoded strings often contain secrets (tokens, IDs). Decode locally and share only redacted snippets.

• URL Encode/Decode for percent-encoding.
• Base64 Encode/Decode for Base64/Base64URL payloads.
• JWT Decoder to inspect header/payload without uploads.

FAQ

Is Base64 the same as Base64URL? No. Base64URL uses '-' and '_' and often omits padding. Normalize before decoding.

Does decoding a JWT verify it? No. Decoding shows claims; verification requires the signing key.