InvalidCharacterError: The string to be decoded is not correctly encoded (base64url): what it means and how to fix it

TL;DR: Validate locally, fix the first real error, validate again (no upload).

Fix InvalidCharacterError: The string to be decoded is not correctly encoded (base64url) by decoding safely and locally (no upload).

Guides by runtime Node.js guides

What the error means

InvalidCharacterError: The string to be decoded is not correctly encoded (base64url) means a decoder rejected the input as invalid encoding. The fastest path is to identify what format you have, normalize it, then decode again.

Most common real-world causes

The input contains non-Base64 characters, wrong alphabet (Base64URL), or missing padding ('=').
The input is not actually encoded in the expected format (Base64 vs Base64URL vs plain text).
You copied only part of the string (truncated token/payload).
Whitespace/newlines were introduced during copy/paste.
Wrong character set: URL-safe Base64 uses '-' and '_' instead of '+' and '/'.
You decoded using the wrong function (decodeURIComponent on non-URL-encoded data, atob on non-Base64).

Fast debugging steps

Normalize Base64URL (replace '-'/'_' and add padding) before decoding.
Confirm what you are decoding (URL encoding, Base64, Base64URL, JWT).
Trim whitespace and remove line breaks before decoding.
If it's a JWT, ensure it has 3 dot-separated parts (header.payload.signature).
If it's Base64URL, convert '-' -> '+' and '_' -> '/' and add padding if needed.

Code example (javascript)

// Base64URL -> Base64 (browser)
const cleaned = input.trim().replace(/\s+/g, '');
const normalized = cleaned.replace(/-/g, '+').replace(/_/g, '/');
const padded = normalized.padEnd(Math.ceil(normalized.length / 4) * 4, '=');
console.log(atob(padded));

Fix without uploading data

Encoded strings often contain secrets (tokens, IDs). Decode locally and share only redacted snippets.

URL Encode/Decode for percent-encoding.
Base64 Encode/Decode for Base64/Base64URL payloads.
JWT Decoder to inspect header/payload without uploads.

FAQ

Is Base64 the same as Base64URL? No. Base64URL uses '-' and '_' and often omits padding. Normalize before decoding.

Does decoding a JWT verify it? No. Decoding shows claims; verification requires the signing key.

Next steps

Related tools

Base64 Encode/Decode URL Encode/Decode Query string ↔ JSON JWT Decoder

Related guides

URL encoding explained Decode Base64 without uploading Encode Base64 without uploading Base64URL vs Base64 Base64URL → Base64 convert Base64 padding (=) explained atob/btoa explained Decode JWT without uploading

Related by intent

Node.js: Remove whitespace/newlines from Base64URL safely Node.js: Decode Base64URL without padding (JWT-style) Node.js: Decode Base64URL to JSON safely Node.js: convert Base64URL to Base64 safely

Privacy & Security

All processing happens locally in your browser. Files are never uploaded.