Base64 Encoder & Decoder — Online

Encode any text to Base64 or decode any Base64 string back to plain text. Supports UTF-8 and URL-safe Base64. No server, no signup — runs entirely in your browser.

Result will appear here...

What is Base64?

Base64 is an encoding scheme that converts binary or text data into a sequence of 64 printable ASCII characters. It is one of the most widely used encoding formats in web development, security, and data exchange. The name comes from the 64-character alphabet it uses: uppercase letters (A–Z), lowercase letters (a–z), digits (0–9), and the symbols + and /.

Base64 does not encrypt data — it simply represents it in a different form. Its purpose is to safely transmit data over channels that only handle text, like email, HTTP headers, or JSON payloads.

When to Encode to Base64

Embedding Binary Data in Text Formats

JSON, XML, and HTML are text-based formats that cannot contain raw binary data. Base64 encoding lets you embed images, PDFs, or any binary file as a text string inside these formats. For example: data:image/png;base64,iVBOR... in an HTML <img> tag.

HTTP Basic Authentication

The HTTP Authorization header for Basic Auth encodes credentials as Base64: Authorization: Basic dXNlcjpwYXNz. This tool lets you encode username:password pairs to build that header manually during API testing.

Storing Binary Data in Databases

Text-only database columns or configuration files can store binary blobs by encoding them as Base64. This is common for cryptographic keys, certificates, and small images.

When to Decode from Base64

Reading JWT Tokens

JSON Web Tokens are three Base64-encoded sections separated by dots. Decoding the middle section (payload) reveals the claims: user ID, roles, expiration date, and any custom data set by your application.

Inspecting API Credentials

Kubernetes secrets, CI/CD environment variables, and cloud provider credentials are often Base64-encoded. Decoding them is a routine debugging step when diagnosing configuration issues.

URL-safe Base64

Standard Base64 uses + and /, which are reserved characters in URLs. The URL-safe variant replaces them with - and _. Enable the "URL-safe" checkbox to produce output compatible with URL parameters and JWT tokens without additional encoding.

Examples

Encoding

Input:  Hello, World!
Output: SGVsbG8sIFdvcmxkIQ==
Input:  {"user":"alice","role":"admin"}
Output: eyJ1c2VyIjoiYWxpY2UiLCJyb2xlIjoiYWRtaW4ifQ==

Decoding

Input:  dXNlcjpwYXNzd29yZA==
Output: user:password
Input:  SGVsbG8sIFdvcmxkIQ==
Output: Hello, World!

Base64 is not encryption. It is not compression. Here is what it actually does.

Editor’s note — by Amine H., last reviewed 27 May 2026.

Base64 is one of the most misused encodings on the web. It does not encrypt anything. It does not make text “safer” in any cryptographic sense. It makes payloads larger, not smaller. It exists for exactly one job: turning arbitrary bytes that are not printable ASCII into bytes that are. Knowing the actual job description spares you a lot of bad architecture.

What Base64 actually does

Three bytes of input (24 bits) are split into four 6-bit groups, each mapped to a printable character from a 64-character alphabet (A–Z, a–z, 0–9, +, /), with = as padding. The output is always a multiple of four characters. Every three input bytes become four output bytes — a constant 33% inflation, no exceptions. There is no information loss; the operation is fully reversible by anyone with no key.

When to use it

Email attachments (the original use case; defined in RFC 2045 MIME) where SMTP is a 7-bit text protocol. Small images embedded in HTML or CSS via data: URIs to skip a network round-trip on first paint. Binary fields in JSON (a JWT signature, a TLS certificate, a file upload). Transport over channels that strip the 8th bit or normalise whitespace.

When NOT to use it

Storing passwords: Base64 is reversible by definition. Use bcrypt, scrypt or Argon2. “Encrypting” config files: if you Base64-encode a secret to “obfuscate” it, anyone with the file has the secret in two seconds. Use real encryption (libsodium, age, sops). Inline Base64 for large assets: a 100 kB image becomes 133 kB of Base64 plus a 1–3% gzip overhead, and it cannot be cached separately from the HTML — defeats the browser’s entire caching strategy. Inline only the truly small (under ~4 kB).

URL-safe Base64

+ and / have special meaning in URLs and need to be percent-encoded, which defeats the point of using Base64 in a URL. The URL-safe variant (RFC 4648 §5) replaces them with - and _ respectively, so the result survives URL encoding without further quoting. Padding (=) is usually dropped in this variant. JWTs use URL-safe Base64.

Base64 in JWT — readability is not security

JWTs are Base64url-encoded, which is why anyone can paste a token into this decoder and see the payload. The signature is what matters — it proves the server issued and signed the token. The payload being “encoded” in Base64 is purely transport-friendliness; it is not even slightly hidden. Do not put secrets in JWT payloads.

Takeaway: Base64 transports arbitrary bytes through text-only channels. That is the entire job. If you see Base64 protecting “sensitive” data without a separate encryption layer, you are looking at security theatre. The encoder/decoder on this page handles both standard and URL-safe variants and accepts missing padding. Use it for debugging; use real crypto for real secrets.

Sources: RFC 4648 (Base16, Base32, Base64) · RFC 2045 (MIME) · MDN data: URIs.

Frequently Asked Questions

No. Base64 is encoding, not encryption. It transforms data into a different representation, but anyone can decode it without a key. Never use Base64 to hide sensitive data — use proper encryption like AES instead.

No. All encoding and decoding happens entirely in your browser using the native JavaScript btoa() and atob() functions. Your data never leaves your device.

Base64 processes input in 3-byte groups. If the input length is not a multiple of 3, padding characters (=) are appended to fill the final group. One = means 2 bytes of padding, two == means 1 byte. This is expected and normal.

Standard Base64 uses + and /, which are special characters in URLs. URL-safe Base64 replaces them with - and _ so the output can be used directly in URLs, query parameters, and JWT tokens without percent-encoding.

A JWT looks like xxxxx.yyyyy.zzzzz. Switch to the Decode tab, paste the middle section (yyyyy), and you will see the token's payload — user ID, roles, expiry, and any custom claims — decoded as plain JSON.

Yes. This tool uses TextEncoder and TextDecoder to handle full UTF-8 before encoding, so emojis, accented letters, Chinese characters, and other non-ASCII text all encode and decode correctly.

Base64 increases data size by approximately 33%. Every 3 bytes of input become 4 Base64 characters. This overhead is the trade-off for text-safe binary transmission. For large files, consider server-side encoding or compression before encoding.

Related Tools