illegal base64 data at input char (RawURLEncoding): what it means and how to fix it

TL;DR: Validate locally, fix the first real error, validate again (no upload).

Fix illegal base64 data at input char (RawURLEncoding) by decoding safely and locally (no upload).

What the error means

illegal base64 data at input char (RawURLEncoding) means a decoder rejected the input as invalid encoding. The fastest path is to identify what format you have, normalize it, then decode again.

Most common real-world causes

The input contains non-Base64 characters, wrong alphabet (Base64URL), or missing padding ('=').
The input is not actually encoded in the expected format (Base64 vs Base64URL vs plain text).
You copied only part of the string (truncated token/payload).
Whitespace/newlines were introduced during copy/paste.
Wrong character set: URL-safe Base64 uses '-' and '_' instead of '+' and '/'.
You decoded using the wrong function (decodeURIComponent on non-URL-encoded data, atob on non-Base64).

Fast debugging steps

Normalize Base64URL (replace '-'/'_' and add padding) before decoding.
Confirm what you are decoding (URL encoding, Base64, Base64URL, JWT).
Trim whitespace and remove line breaks before decoding.
If it's a JWT, ensure it has 3 dot-separated parts (header.payload.signature).
If it's Base64URL, convert '-' -> '+' and '_' -> '/' and add padding if needed.

Code example (go)

import (
  "encoding/base64"
  "strings"
)

s := strings.TrimSpace(input)
// Base64URL -> Base64
s = strings.NewReplacer("-", "+", "_", "/").Replace(s)
for len(s)%4 != 0 { s += "=" }

b, err := base64.StdEncoding.DecodeString(s)
if err != nil {
  // e.g. "illegal base64 data at input char"
  panic(err)
}
_ = b

Fix without uploading data

Encoded strings often contain secrets (tokens, IDs). Decode locally and share only redacted snippets.

URL Encode/Decode for percent-encoding.
Base64 Encode/Decode for Base64/Base64URL payloads.
JWT Decoder to inspect header/payload without uploads.

FAQ

Is Base64 the same as Base64URL? No. Base64URL uses '-' and '_' and often omits padding. Normalize before decoding.

Does decoding a JWT verify it? No. Decoding shows claims; verification requires the signing key.

Next steps

Related tools

Base64 Encode/Decode URL Encode/Decode Query string ↔ JSON JWT Decoder

Related guides

URL encoding explained Decode Base64 without uploading Encode Base64 without uploading Base64URL vs Base64 Base64URL → Base64 convert Base64 padding (=) explained atob/btoa explained Decode JWT without uploading

Related by intent

Go: convert Base64URL to Base64 safely Go: decode Base64URL with RawURLEncoding (JWT-safe) Base64url vs base64: go testing playbook Go: Migration from Base64URL to standard Base64

Privacy & Security

All processing happens locally in your browser. Files are never uploaded.