Quick reference for developers.
Base64, URL encoding, HTML entities, JWT structure, and Unicode escapes in one page.
Need the live tools? Use Base64Decode for instant encoding and decoding,
or jump straight to the JWT Decoder.
Base64 Encoding
Alphabet
A-Z (0-25) a-z (26-51) 0-9 (52-61) + (62) / (63)
Padding: =
How It Works
- Take 3 bytes (24 bits) of input.
- Split them into 4 groups of 6 bits.
- Map each 6-bit value to the Base64 alphabet.
- If the input is not divisible by 3, pad with
=.
Padding Rules
| Input bytes mod 3 | Padding |
|---|
| 0 (exact multiple) | No padding |
| 1 (1 byte remainder) | == |
| 2 (2 byte remainder) | = |
Size: Output is about 33% larger than the input.
Variants
| Variant | + replaced | / replaced | Padding | Use Case |
|---|
| Standard (RFC 4648) | + | / | = | Email (MIME), PEM |
| URL-safe (RFC 4648 §5) | - | _ | Optional | URLs, filenames, JWT |
| MIME (RFC 2045) | + | / | = | Email, max 76 chars per line |
Quick Examples
| Input | Base64 |
|---|
Hello | SGVsbG8= |
Hello! | SGVsbG8h |
A | QQ== |
AB | QUI= |
ABC | QUJD |
URL Encoding (Percent-Encoding)
Rules
- Unreserved characters pass through:
A-Z a-z 0-9 - _ . ~
- Everything else becomes
%XX, the hexadecimal value of each byte.
- Spaces become
%20 or + in application/x-www-form-urlencoded.
Common Encodings
| Character | Encoded | Notes |
|---|
| (space) | %20 or + | + only in form-encoded data |
! | %21 | |
# | %23 | Fragment identifier |
$ | %24 | |
% | %25 | Escape the escape character itself |
& | %26 | Query parameter separator |
+ | %2B | |
/ | %2F | Path separator |
= | %3D | Key-value separator |
? | %3F | Query string start |
@ | %40 | |
é | %C3%A9 | UTF-8 multi-byte sequence |
€ | %E2%82%AC | UTF-8 3-byte sequence |
HTML Entities
Named Entities (Most Common)
| Character | Entity | Numeric |
|---|
< | < | < |
> | > | > |
& | & | & |
" | " | " |
' | ' | ' |
| Space (non-breaking) | |   |
© | © | © |
® | ® | ® |
™ | ™ | ™ |
— | — | — |
– | – | – |
€ | € | € |
£ | £ | £ |
¥ | ¥ | ¥ |
Numeric entity formats: &#DDD; for decimal and &#xHHH; for hexadecimal.
JWT (JSON Web Token)
Structure
header.payload.signature
↓ ↓ ↓
Base64url Base64url Base64url
Header (typical)
{
"alg": "HS256",
"typ": "JWT"
}
Common Algorithms
| Code | Algorithm | Type |
|---|
HS256 | HMAC-SHA256 | Symmetric (shared secret) |
HS384 | HMAC-SHA384 | Symmetric |
HS512 | HMAC-SHA512 | Symmetric |
RS256 | RSA-SHA256 | Asymmetric (public/private key) |
RS512 | RSA-SHA512 | Asymmetric |
ES256 | ECDSA-SHA256 | Asymmetric (elliptic curve) |
PS256 | RSA-PSS-SHA256 | Asymmetric |
none | No signature | Never use in production |
Standard Claims
| Claim | Name | Type | Example |
|---|
iss | Issuer | string | "auth.example.com" |
sub | Subject | string | "user:12345" |
aud | Audience | string or array | "api.example.com" |
exp | Expiration | number (epoch) | 1735689600 |
nbf | Not Before | number (epoch) | 1735603200 |
iat | Issued At | number (epoch) | 1735603200 |
jti | JWT ID | string | "abc-123-def" |
Debugging Tips
- Open the JWT Decoder and inspect the token parts separately.
- Check the
exp claim first because many auth failures are just expired tokens.
- Verify that
aud matches the API or service that is rejecting the token.
- Never trust
alg: none; always validate the algorithm server-side.
Unicode Escapes
| Format | Example (é = U+00E9) | Used In |
|---|
\uXXXX | \u00E9 | JavaScript, JSON |
\UXXXXXXXX | \U000000E9 | Python, C |
\xHH | \xC3\xA9 (UTF-8 bytes) | Hex escapes |
&#xHH; | é | HTML |
%XX | %C3%A9 | URL encoding |
Use the live tools: Encode and decode on Base64Decode
More references: Browse all cheat sheets