PHP: Decode Base64URL to JSON safely

TL;DR: Validate locally, fix the first real error, validate again (no upload).

To decode Base64URL to JSON safely in PHP, use a repeatable Base64URL workflow: normalize the alphabet, fix padding, decode locally, and validate.

Base64URL quick map

Rule          Base64                     Base64URL
Alphabet      +, /                       -, _
Padding       Often has =                Often omits =
Typical use   General binary transport   URLs, JWT segments

Focus for this query

  • If this value came from a URL parameter, URL-decode first, then normalize Base64URL.

Safe decode workflow

  1. Remove whitespace/newlines.
  2. Normalize alphabet: - → +, _ → /.
  3. Add padding so length % 4 == 0.
  4. Decode locally and validate output shape (JSON/text/binary).

Runtime snippet (generic)

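// Convert Base64URL to standard Base64: strip whitespace, map - to + and _ to /, then pad.
function base64urlToBase64(input) {
  const s = String(input || '').replace(/\s+/g, '').replace(/-/g, '+').replace(/_/g, '/');
  return s + '='.repeat((4 - (s.length % 4)) % 4);
}

// Constructed sample input: Base64URL of {"user":"alice"} without padding.
const token = 'eyJ1c2VyIjoiYWxpY2UifQ';

const b64 = base64urlToBase64(token);
// atob() throws if the string still contains characters outside the Base64 alphabet.
const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
// Interpret the decoded bytes as UTF-8 text.
const text = new TextDecoder().decode(bytes);
console.log(text);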
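
A PHP version of the workflow above, as an added example that is not part of the original page: the function name `base64url_decode_json`, the `$rawFromUrl` flag, the 8192-byte length limit and the JSON depth limit of 32 are assumptions. It goes slightly beyond the generic snippet by rejecting characters outside the Base64URL alphabet and by requiring the decoded bytes to parse as a JSON object or array.

```php
<?php
declare(strict_types=1);

// Added example: function name, $maxLen and the depth limit are assumptions.
function base64url_decode_json(string $input, bool $rawFromUrl = false, int $maxLen = 8192): array
{
    // $_GET/$_POST values are already URL-decoded by PHP; only decode values
    // that you cut out of a raw URL or query string yourself.
    if ($rawFromUrl) {
        $input = rawurldecode($input);
    }
    // Step 1: remove whitespace/newlines, then drop any existing padding.
    $s = rtrim(preg_replace('/\s+/', '', $input) ?? '', '=');
    if ($s === '' || strlen($s) > $maxLen) {
        throw new InvalidArgumentException('empty or oversized input');
    }
    // Accept only the Base64URL alphabet; a length of 4n+1 is never valid.
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $s) || strlen($s) % 4 === 1) {
        throw new InvalidArgumentException('not a Base64URL string');
    }
    // Step 2: normalize alphabet. Step 3: pad so length % 4 == 0.
    $b64 = strtr($s, '-_', '+/');
    $b64 .= str_repeat('=', (4 - strlen($b64) % 4) % 4);
    // Step 4: strict decode, then validate the output shape as JSON.
    $bytes = base64_decode($b64, true);
    if ($bytes === false) {
        throw new InvalidArgumentException('Base64 decode failed');
    }
    try {
        // Malformed JSON or invalid UTF-8 raises JsonException.
        $data = json_decode($bytes, true, 32, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        throw new UnexpectedValueException('not valid JSON: ' . $e->getMessage());
    }
    if (!is_array($data)) {
        throw new UnexpectedValueException('expected a JSON object or array');
    }
    return $data;
}

// Constructed samples: valid token, URL-encoded padded token, non-JSON payload.
foreach (['eyJ1c2VyIjoiYWxpY2UifQ', 'eyJ1c2VyIjoiYWxpY2UifQ%3D%3D', 'aGVsbG8'] as $i => $sample) {
    try {
        var_dump(base64url_decode_json($sample, $i === 1));
    } catch (InvalidArgumentException | UnexpectedValueException $e) {
        echo 'rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

The first two samples decode to the same array; the third decodes to the text `hello` and is rejected at the JSON step.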

Frequent failures

Privacy guardrail

Base64/Base64URL strings can still contain secrets. Decode locally, redact sensitive fields, and only then share snippets.

FAQ

Is anything uploaded to a server? No. All processing happens locally in your browser. Files are never uploaded.

What is the recommended workflow? Validate the input, fix the first real issue, validate again, then export/convert. This avoids compounding errors.
