diff --git a/cab-token-generator/java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java b/cab-token-generator/java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java
index 3b5745acc..5b40442b5 100644
--- a/cab-token-generator/java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java
+++ b/cab-token-generator/java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java
@@ -206,8 +206,13 @@ public AccessToken generateToken(CredentialAccessBoundary accessBoundary)
 byte[] encryptedRestrictions = this.encryptRestrictions(rawRestrictions, sessionKey);
+ // withoutPadding() is used to stay consistent with server-side CAB
+ // withoutPadding() avoids additional URL encoded token issues (i.e. extra equal signs `=` in
+ // the path)
 String tokenValue =
- intermediateToken + "." + Base64.getUrlEncoder().encodeToString(encryptedRestrictions);
+ intermediateToken
+ + "."
+ + Base64.getUrlEncoder().withoutPadding().encodeToString(encryptedRestrictions);
 return new AccessToken(tokenValue, intermediateTokenExpirationTime);
 }
diff --git a/cab-token-generator/javatests/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactoryTest.java b/cab-token-generator/javatests/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactoryTest.java
index 85600041f..eb63c57cd 100644
--- a/cab-token-generator/javatests/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactoryTest.java
+++ b/cab-token-generator/javatests/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactoryTest.java
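Review bot: The two comment lines added above `String tokenValue =` both open with `withoutPadding()` and read as separate fragments, and neither states what the returned token value looks like on the wire. Because this changes the format of the access token handed back to callers, I would fold them into one statement of the contract, e.g. `// Token format: <intermediateToken>.<base64url(encryptedRestrictions)> with no '=' padding; matches server-side CAB and keeps '=' out of URL-encoded tokens.` Any consumer that splits the value and decodes the second part must accept unpadded input; `java.util.Base64`'s URL decoder does, but stricter decoders elsewhere may not, so the same sentence belongs in the Javadoc of `generateToken`, whose body starts outside this hunk.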
@@ -745,6 +745,11 @@ public void generateToken_withAvailablityCondition_success() throws Exception {
 CabToken cabToken = parseCabToken(token);
 assertEquals("accessToken", cabToken.intermediateToken);
+ // Base64 encoding output by default has `=` padding at the end if the input length
+ // is not a multiple of 3. Here we verify the use of `withoutPadding` that removes
+ // this padding.
+ assertFalse(cabToken.encryptedRestriction.contains(String.valueOf("=")));
+
 // Checks the encrypted restriction is the correct proto format of the CredentialAccessBoundary.
 ClientSideAccessBoundary clientSideAccessBoundary =
 decryptRestriction(
@@ -795,6 +800,11 @@ public void generateToken_withoutAvailabilityCondition_success() throws Exceptio
 CabToken cabToken = parseCabToken(token);
 assertEquals("accessToken", cabToken.intermediateToken);
+ // Base64 encoding output by default has `=` padding at the end if the input length
+ // is not a multiple of 3. Here we verify the use of `withoutPadding` that removes
+ // this padding.
+ assertFalse(cabToken.encryptedRestriction.contains(String.valueOf("=")));
+
 // Checks the encrypted restriction is the correct proto format of the CredentialAccessBoundary.
 ClientSideAccessBoundary clientSideAccessBoundary =
 decryptRestriction(
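Review bot: The added `assertFalse(...contains(...))` in `generateToken_withAvailablityCondition_success` can pass without ever exercising `withoutPadding()`, because a padded encoder also emits no `=` when the encrypted restriction's byte length is a multiple of 3. The hunk does not show that length, so the check may be vacuous for this fixture; assuming `encryptedRestriction` holds the still-encoded string, pinning the precondition next to it closes the gap, e.g. `assertTrue(Base64.getUrlDecoder().decode(cabToken.encryptedRestriction).length % 3 != 0);`. `String.valueOf("=")` is also redundant, since `contains("=")` says the same thing. The identical lines added in `generateToken_withoutAvailabilityCondition_success` have the same issue; both test bodies start and end outside the hunks.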