SShortSingh.
Back to feed

Why atob() Fails on JWTs and How to Fix the Base64URL Mismatch

0
·1 views

JavaScript's atob() function only supports standard Base64 and will throw a DOMException when given Base64URL strings, which are commonly found in JWTs, OAuth tokens, and signed URLs. The two formats differ in three characters: Base64URL replaces '+' with '-' and '/' with '_', and omits the trailing '=' padding to ensure safe use in URLs and filenames. Developers can fix this by converting Base64URL back to standard Base64 before decoding — swapping the characters and re-adding padding until the string length is a multiple of four. On the server side, Node.js 14.18 and above offers a native 'base64url' encoding option via the Buffer API, eliminating the need for manual conversion. It is also worth noting that Base64 is an encoding scheme, not encryption, meaning JWT payloads are trivially readable and should never contain sensitive secrets.

Read the full story at DEV Community

This is an AI-generated summary. ShortSingh links to the original source for the complete article.

Discussion (0)

Log in to join the discussion and vote.

Log in

Related stories

0
ProgrammingDEV Community ·

How to Build a Basic AI Research Agent Using LangChain and Python

A hands-on tutorial published on DEV Community walks developers through building a functional AI research agent using LangChain, Python, and the OpenAI API. The agent is designed to accept a topic as input, search the web for relevant information, and return structured answers. The guide covers setting up a virtual environment, integrating tools like DuckDuckGo search and Wikipedia, and using OpenAI's language model as the agent's reasoning engine. It also addresses adding conversational memory so the agent retains context across interactions, and recommends best practices such as capping iterations and handling errors gracefully. The tutorial targets beginners with basic Python knowledge and requires no prior expertise in AI development.

0
ProgrammingDEV Community ·

7 VS Code Extensions in 2026 That Can Speed Up Your Development Workflow

A developer on DEV Community has published a follow-up list of seven Visual Studio Code extensions recommended for 2026, inspired by community feedback on a previous post. The list includes tools such as Import Cost for tracking package sizes, Auto Rename Tag for HTML and JSX editing, and GitLens for inline Git blame annotations. Other highlighted extensions cover in-editor API testing via REST Client, code-aware spell checking, and TODO comment tracking through Todo Tree. Better Comments rounds out the list by color-coding annotations to improve code readability. The compilation targets developers looking to reduce context-switching and catch common errors without leaving their editor.

0
ProgrammingDEV Community ·

Hybrid Retrieval with RRF Raises RAG System Precision to 100% in Production

A software developer building a production RAG system called ContextQuery found that standard semantic search alone hit a retrieval precision ceiling of 72%, failing on exact keyword queries and short, specific inputs. To fix this, they combined semantic vector search using NVIDIA NIM embeddings with BM25 keyword-based retrieval, then merged the results using Reciprocal Rank Fusion (RRF). RRF works by scoring each retrieved chunk based on its rank across both retrievers, rewarding chunks that appear consistently in both result sets rather than topping just one. The approach required no additional machine learning models — only a mathematical formula applied on top of the existing retrieval infrastructure. After implementing hybrid retrieval with RRF, the developer reported achieving 100% retrieval precision on their evaluation runs.

0
ProgrammingDEV Community ·

5 Open-Source Tools That Replace Costly Software Subscriptions

A roundup of five free, open-source alternatives to premium software tools has been highlighted for developers and teams looking to cut costs. The list includes a Postgres-based platform with built-in authentication and real-time features, and a self-hostable product analytics tool offering session replays and feature flags. A customizable scheduling infrastructure, an all-in-one backend solution deployable via Docker, and a design-and-prototyping platform with native CSS and SVG support are also featured. These tools are positioned as viable replacements for expensive paid services, with several offering self-hosting options for greater data privacy and control.

Why atob() Fails on JWTs and How to Fix the Base64URL Mismatch · ShortSingh