Welcome to the Atlassian developer community @AnthonyGriffiths,
The authorization code is a type of Atlassian security token that we consider to be opaque; hence, clients cannot depend on their size, structure, or format. That said, yes, both the length and encoding (looks like JWT to me) are normal for the current OAuth 2.0 implementation. Was there an implication of this length that concerns you?