diff --git a/src/middleware.test.ts b/src/middleware.test.ts
index 61064e7..91e27ab 100644
--- a/src/middleware.test.ts
+++ b/src/middleware.test.ts
@@ -146,12 +146,11 @@ describe('middleware', () => {
         jest.useRealTimers();
     });
 
-    const previewToken = 'eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJpc3MiOiJodHRwczovL2Nyb2N0LmlvIiwi'
-        + 'YXVkIjoiaHR0cHM6Ly9jcm9jdC5pbyIsImlhdCI6MTQ0MDk3OTEwMCwiZXhwIjoxNDQwOTc5M'
-        + 'jAwLCJtZXRhZGF0YSI6eyJleHBlcmllbmNlTmFtZSI6IkRldmVsb3BlcnMgZXhwZXJpZW5jZS'
-        + 'IsImV4cGVyaW1lbnROYW1lIjoiRGV2ZWxvcGVycyBleHBlcmltZW50IiwiYXVkaWVuY2VOYW1l'
-        + 'IjoiRGV2ZWxvcGVycyBhdWRpZW5jZSIsInZhcmlhbnROYW1lIjoiSmF2YVNjcmlwdCBEZXZlbG'
-        + '9wZXJzIn19.';
+    const previewToken = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2Nyb2N0LmlvIiwiYXVkIjoiaHR0cH'
+       + 'M6Ly9jcm9jdC5pbyIsImlhdCI6MTQ0MDk3OTEwMCwiZXhwIjoxNDQwOTc5MjAwLCJtZXRhZGF0YSI6eyJleHBlcmllbmN'
+       + 'lTmFtZSI6IkRldmVsb3BlcnMgZXhwZXJpZW5jZSIsImV4cGVyaW1lbnROYW1lIjoiRGV2ZWxvcGVycyBleHBlcmltZW50'
+       + 'IiwiYXVkaWVuY2VOYW1lIjoi8J-RqOKAjfCfkrsgRGV2ZWxvcGVycyBhdWRpZW5jZSIsInZhcmlhbnROYW1lIjoiSmF2Y'
+       + 'VNjcmlwdCBEZXZlbG9wZXJzIn19.ZmfcfhPoxFs0cY86ixGBCDab3rPSMoUG4cboWX0NEOY';
 
     const UUID_PATTERN = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/;
 
diff --git a/src/middleware.ts b/src/middleware.ts
index 6fd0714..7b152b5 100644
--- a/src/middleware.ts
+++ b/src/middleware.ts
@@ -1,7 +1,8 @@
-import {NextRequest, NextMiddleware, NextResponse} from 'next/server';
+import {NextMiddleware, NextRequest, NextResponse} from 'next/server';
 import cookie from 'cookie';
 import {v4 as uuidv4} from 'uuid';
 import {Token} from '@croct/sdk/token';
+import {base64UrlDecode} from '@croct/sdk/base64Url';
 import {Header, QueryParameter} from '@/config/http';
 import {
     CookieOptions,
@@ -181,7 +182,7 @@ function isPreviewTokenValid(token: unknown): token is string {
     const now = Math.floor(Date.now() / 1000);
 
     try {
-        const payload = JSON.parse(atob(token.split('.')[1]).toString());
+        const payload = JSON.parse(base64UrlDecode(token.split('.')[1]).toString());
 
         return Number.isInteger(payload.exp) && payload.exp > now;
     } catch {