diff --git a/oauth3.core.js b/oauth3.core.js
index ae76dce..6a29acb 100644
--- a/oauth3.core.js
+++ b/oauth3.core.js
@@ -64,6 +64,8 @@
     return argsParsed;
   };
 
+  // these might not really belong in core... not sure
+  // there should be node.js- and browser-specific versions probably
   core.utils = {
     urlSafeBase64ToBase64: function (b64) {
       // URL-safe Base64 to Base64
@@ -95,17 +97,19 @@
       return {
         header: JSON.parse(jsons[0])
       , payload: JSON.parse(jsons[1])
-      , signature: parts[2]
+      , signature: parts[2] // should remain url-safe base64
       };
     }
     // encode-only (no signature)
   , encode: function (parts) {
       parts.header = parts.header || { alg: 'none', typ: 'jwt' };
       parts.signature = parts.signature || '';
+
+      var btoa = exports.btoa || require('btoa');
       var result = [
-        core.utils.base64ToUrlSafeBase64(JSON.stringify(parts.header, null))
-      , core.utils.base64ToUrlSafeBase64(JSON.stringify(parts.payload, null))
-      , parts.signature
+        core.utils.base64ToUrlSafeBase64(btoa(JSON.stringify(parts.header, null)))
+      , core.utils.base64ToUrlSafeBase64(btoa(JSON.stringify(parts.payload, null)))
+      , parts.signature // should already be url-safe base64
       ].join('.');
 
       return result;