Why atob() Fails on JWTs and How to Fix the Base64URL Mismatch
JavaScript's atob() function only supports standard Base64 and will throw a DOMException when given Base64URL strings, which are commonly found in JWTs, OAuth tokens, and signed URLs. The two formats differ in three characters: Base64URL replaces '+' with '-' and '/' with '_', and omits the trailing '=' padding to ensure safe use in URLs and filenames. Developers can fix this by converting Base64URL back to standard Base64 before decoding — swapping the characters and re-adding padding until the string length is a multiple of four. On the server side, Node.js 14.18 and above offers a native 'base64url' encoding option via the Buffer API, eliminating the need for manual conversion. It is also worth noting that Base64 is an encoding scheme, not encryption, meaning JWT payloads are trivially readable and should never contain sensitive secrets.
This is an AI-generated summary. ShortSingh links to the original source for the complete article.
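The conversion described above (swap the two characters, re-add padding, then call atob()), as an added example that is not code from the original article. The function names and the sample token are constructed for illustration, and the sample is built with the Node.js 14.18+ `base64url` Buffer encoding the summary mentions.

```javascript
// Added example: decoding Base64URL (the encoding of JWT segments) with atob().
// All function names and the sample token are constructed for illustration.

function base64UrlToBase64(input) {
  // JWT segments are unpadded Base64URL: only A-Z, a-z, 0-9, '-' and '_'.
  if (typeof input !== "string" || !/^[A-Za-z0-9_-]*$/.test(input)) {
    throw new TypeError("not an unpadded Base64URL string");
  }
  // No Base64 encoder ever emits a length of 4n+1, so reject it early.
  if (input.length % 4 === 1) {
    throw new TypeError("invalid Base64URL length");
  }
  const swapped = input.replace(/-/g, "+").replace(/_/g, "/");
  // Re-add '=' until the length is a multiple of four.
  return swapped.padEnd(Math.ceil(swapped.length / 4) * 4, "=");
}

function base64UrlDecode(input) {
  // atob() returns one character per byte; rebuild the bytes, then decode
  // them as UTF-8 so non-ASCII claim values survive.
  const binary = atob(base64UrlToBase64(input));
  const bytes = Uint8Array.from(binary, (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Reads the claims only. Nothing here verifies the signature, so the result
// must not be trusted for authorization decisions.
function readJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new TypeError("expected three JWT segments");
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Constructed sample token; the third segment is a placeholder, not a real signature.
const encodeSegment = (obj) =>
  Buffer.from(JSON.stringify(obj), "utf8").toString("base64url");
const sampleToken = [
  encodeSegment({ alg: "HS256", typ: "JWT" }),
  encodeSegment({ sub: "user-1", note: "a?b>c~" }),
  "c2lnbmF0dXJl",
].join(".");

console.log(readJwtPayload(sampleToken)); // the payload is readable by anyone holding the token
```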