diff --git a/CHANGELOG.md b/CHANGELOG.md
index 3cce8aef..8c4b218c 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -7,8 +7,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## Unreleased
 ### Added
 
+- support for legacy tokens to ease upgrade path, by [@bradrydzewski](https://github.com/bradrydzewski). [#2713](https://github.com/drone/drone/issues/2713).
+
 ### Fixed
 
+- fix inconsistent base64 encoding and decoding of encrypted secrets, by [@bradrydzewski](https://github.com/bradrydzewski).
+
 ## [1.2.0] - 2019-05-30
 ### Added
 
diff --git a/handler/api/repos/encrypt/encrypt.go b/handler/api/repos/encrypt/encrypt.go
index 55a1aa1c..9c95e990 100644
--- a/handler/api/repos/encrypt/encrypt.go
+++ b/handler/api/repos/encrypt/encrypt.go
@@ -64,7 +64,7 @@ func Handler(repos core.RepositoryStore) http.HandlerFunc {
 		// the encrypted secret is embedded in the yaml
 		// configuration file and is json-encoded for
 		// inclusion as a !binary attribute.
-		encoded := base64.URLEncoding.EncodeToString(encrypted)
+		encoded := base64.StdEncoding.EncodeToString(encrypted)
 
 		render.JSON(w, &respEncrypted{Data: encoded}, 200)
 	}
diff --git a/plugin/secret/external.go b/plugin/secret/external.go
index 1ad6f1ea..b2862706 100644
--- a/plugin/secret/external.go
+++ b/plugin/secret/external.go
@@ -12,6 +12,7 @@ import (
 
 	"github.com/drone/drone-yaml/yaml"
 	"github.com/drone/drone/core"
+	"github.com/drone/drone/logger"
 
 	"github.com/drone/drone-go/drone"
 	"github.com/drone/drone-go/plugin/secret"
@@ -37,12 +38,17 @@ func (c *externalController) Find(ctx context.Context, in *core.SecretArgs) (*co
 		return nil, nil
 	}
 
+	logger := logger.FromContext(ctx).
+		WithField("name", in.Name).
+		WithField("kind", "secret")
+
 	// lookup the named secret in the manifest. If the
 	// secret does not exist, return a nil variable,
 	// allowing the next secret controller in the chain
 	// to be invoked.
 	path, name, ok := getExternal(in.Conf, in.Name)
 	if !ok {
+		logger.Trace("secret: external: no matching secret")
 		return nil, nil
 	}
 
@@ -62,6 +68,7 @@ func (c *externalController) Find(ctx context.Context, in *core.SecretArgs) (*co
 	client := secret.Client(c.endpoint, c.secret, c.skipVerify)
 	res, err := client.Find(ctx, req)
 	if err != nil {
+		logger.Trace("secret: external: cannot get secret")
 		return nil, err
 	}
 
@@ -69,6 +76,7 @@ func (c *externalController) Find(ctx context.Context, in *core.SecretArgs) (*co
 	// this indicates the client returned No Content,
 	// and we should exit with no secret, but no error.
 	if res.Data == "" {
+		logger.Trace("secret: external: secret disabled for pull requests")
 		return nil, nil
 	}
 
@@ -77,9 +85,12 @@ func (c *externalController) Find(ctx context.Context, in *core.SecretArgs) (*co
 	// empty results.
 	if (res.Pull == false && res.PullRequest == false) &&
 		in.Build.Event == core.EventPullRequest {
+			logger.Trace("secret: external: restricted from forks")
 		return nil, nil
 	}
 
+	logger.Trace("secret: external: found matching secret")
+
 	return &core.Secret{
 		Name:        in.Name,
 		Data:        res.Data,