diff --git a/supabase/functions/cancel-email-change/index.ts b/supabase/functions/cancel-email-change/index.ts
index 5b731b23..7aa4f125 100644
--- a/supabase/functions/cancel-email-change/index.ts
+++ b/supabase/functions/cancel-email-change/index.ts
@@ -1,17 +1,24 @@
 import { createClient } from 'https://esm.sh/@supabase/supabase-js@2.57.4';
+import { decode as base64Decode } from "https://deno.land/std@0.190.0/encoding/base64.ts";
 const corsHeaders = {
 'Access-Control-Allow-Origin': '*',
 'Access-Control-Allow-Headers': 'authorization, x-client-info, apikey, content-type',
 };
-// Helper function to decode JWT and extract user ID
+// Helper function to decode JWT and extract user ID using secure base64 decoding
 function decodeJWT(token: string): { sub: string } | null {
 try {
 const parts = token.split('.');
 if (parts.length !== 3) return null;
- const payload = JSON.parse(atob(parts[1]));
+ // JWT uses base64url encoding, convert to standard base64
+ const base64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
+ const padding = '='.repeat((4 - base64.length % 4) % 4);
+
+ // Decode using Deno's standard library instead of browser-specific atob
+ const decoded = new TextDecoder().decode(base64Decode(base64 + padding));
+ const payload = JSON.parse(decoded);
 return payload;
 } catch (error) {
 console.error('JWT decode error:', error);