Base64 Encoder and Decoder
Encode text to Base64, decode Base64 back to text, and convert between standard Base64 and URL-safe Base64URL — all in your browser.
Base64 is everywhere in modern development, but it is also one of the most misunderstood tools. It shows up in API authentication headers, JWT tokens, Data URLs, Kubernetes secrets, email attachments, and CSS inline images — yet many developers mistake it for encryption or struggle with decoding failures caused by whitespace, padding, or URL-safe character variants.
This tool handles all three common Base64 workflows: Encode text or structured data (like JSON) into standard Base64, Encode URL-Safe for JWT-compatible Base64URL output, and Decode any Base64 string back to readable text. It auto-detects URL-safe characters, strips Data URL prefixes, normalizes whitespace, and validates padding — so the common decode failures simply do not happen here.
Every operation runs entirely in your browser using the native TextEncoder, TextDecoder, btoa, and atob APIs. Your input is never transmitted — which means it is fast and private, but also means you should never paste production secrets or real API tokens into any browser-based tool.
Try it now
Paste text or Base64, pick an action, get results instantly
Paste or type above
Ready after you click an action
Quick example — see what Base64 encoding does
Hello 世界 👋
SGVsbG8g5LiW55WMIPCfkYs=
Common Base64 mistakes (and how to fix them)
Click any example to load it into the tool and see how it handles each case.
Understanding Base64 encoding
Text Base64 vs. File Base64 vs. Data URL: three different things
Not all Base64 strings represent the same kind of content. Treating a file's Base64 as text (or vice versa) is a common source of confusion:
| Type | Example | Decodes to | Used for | Decode action |
|---|---|---|---|---|
| Text Base64 | SGVsbG8gV29ybGQ= | Hello World | Encode text strings for transport in JSON, XML, or URL parameters. | Decode as UTF-8 text — readable output. |
| File Base64 | /9j/4AAQSkZJRg... | (binary image data) | Embed images, PDFs, or other binary files as text inside JSON or HTML. | Decoded bytes are not human-readable. Save as a file or use a Data URL to view. |
| Data URL | data:image/png;base64,iVBOR... | (image file embedded in URL) | Embed small files directly in HTML src attributes or CSS url() values. | Open the full Data URL in a browser address bar to view the file. |
Base64URL: the URL-safe variant
Standard Base64 uses + and / characters, which have special meaning in URLs. Base64URL solves this with three changes:
Replace
+ → -
Replace
/ → _
Strip
= padding
You will find Base64URL in JWT tokens (eyJ... headers and payloads), OAuth 2.0 state parameters, and anywhere Base64 appears in a URL path or query string. This tool auto-detects URL-safe characters when decoding and offers a dedicated Encode URL-Safe button for encoding.
Real-world use cases
Encoding API credentials for Basic Auth
HTTP Basic Authentication encodes username:password as Base64 in the Authorization header. While this is standard, remember that Base64 is encoding, not encryption — always use HTTPS to protect the header in transit.
Embedding images in HTML or CSS
Convert small icons or images to Base64 Data URLs and embed them directly in an <img src> or CSS background-image. This eliminates HTTP requests for tiny assets at the cost of ~33% larger file size.
Storing binary data in JSON
JSON cannot hold raw bytes. When an API needs to include binary data (a thumbnail, a signature, an attachment), it Base64-encodes the bytes into a JSON string field.
Inspecting JWT payloads
JWT tokens use Base64URL encoding for the header and payload sections. Paste the middle section (between the first and second dots) here to decode and inspect the claims. For full JWT inspection, use the JWT Decoder tool.
Encoding query parameters
When a URL query parameter needs to carry structured data or binary content, Base64URL encoding keeps it URL-safe by replacing + with -, / with _, and stripping = padding.
Debugging encoded config values
Some systems Base64-encode configuration values (Kubernetes secrets, CI/CD variables). Decode them here to verify the actual value before troubleshooting.
When not to use Base64
- Protecting secrets: Base64 is encoding, not encryption. Never use it to store passwords, API keys, or sensitive data. Anyone can decode it instantly.
- Large files: Base64 increases data size by ~33%. For files over a few megabytes, this adds significant overhead. Use binary transfer (multipart/form-data, direct file upload) instead.
- Database storage of binary: Storing images or files as Base64 in a database column wastes space and makes querying inefficient. Use object storage (S3, Cloud Storage) with a URL reference in the database.
- Repeated encoding/decoding in a hot loop: Base64 conversion has a CPU cost. For high-throughput systems, do it once and cache the result rather than re-encoding on every request.
Security and privacy
Encoding and decoding run entirely in your browser. Your data is never uploaded to any server by this tool. However, never paste sensitive material into any online tool — this includes production JWT tokens, API keys, authentication credentials, or personally identifiable information. Browser extensions, clipboard managers, and device-level keyloggers can all read textarea content. For production secrets, use a local CLI tool or your backend directly.
Frequently asked questions
Is Base64 encryption?
No. Base64 is encoding — it changes how data is represented, not whether it is secret. Anyone who has the Base64 string can decode it back to the original data without a password or key. Do not use Base64 to protect passwords, API keys, or sensitive information. Use proper encryption (AES, TLS) for secrets.
Why does my Base64 string not decode?
Common causes: (1) the string contains whitespace or line breaks — strip them first; (2) it uses Base64URL characters (- and _ instead of + and /) — switch the variant; (3) it has a data:...;base64,... prefix — strip the prefix; (4) the padding is wrong — Base64 length must be a multiple of 4, with at most two = padding characters; (5) the string was truncated during copy-paste.
What is the difference between Base64 and Base64URL?
Base64URL is a URL-safe variant that replaces + with -, / with _, and strips the trailing = padding. It is used in JWTs, OAuth state parameters, URL query values, and anywhere Base64 needs to appear in a URL or filename. This tool supports both standard Base64 and Base64URL for encoding and decoding.
Can I encode Unicode text and emoji?
Yes. This tool uses the TextEncoder API with UTF-8 encoding, which correctly handles non-ASCII characters, CJK text, and emoji. Older browser snippets using the deprecated escape() function silently corrupt non-ASCII data. Every modern browser supports TextEncoder.
Why is the Base64 output longer than my input?
Base64 uses a 64-character alphabet (A-Z, a-z, 0-9, +, /) to represent arbitrary bytes. Each Base64 character carries 6 bits of information instead of 8, so the output is approximately 33% larger than the original data. This is a property of the encoding itself, not a bug.
Is my data uploaded to a server?
No. Encoding and decoding run entirely in your browser using the TextEncoder, TextDecoder, btoa, and atob APIs. Your text and Base64 strings are never transmitted by this tool. The page may load analytics or advertising scripts that send page-view data, but your input content stays on your machine.
What is a Data URL and can I decode it here?
A Data URL looks like data:image/png;base64,iVBOR... and embeds file content directly in a string. The Base64 portion represents binary file data (an image, PDF, etc.), not text. Decoding it as UTF-8 text produces unreadable output. This tool can detect and strip the Data URL prefix for inspection, but to view the actual image or file, open the Data URL in a browser address bar instead.
Related tools you might need
Decode and inspect JWT header and payload claims without a server.
Format, validate, and minify JSON in your browser.
Encode or decode URL components and query parameters safely.
Convert Unix timestamps to human-readable dates and vice versa.
Tool guide
About Base64 Encoder & Decoder
Base64 is commonly used to represent binary or Unicode text as plain ASCII characters. This encoder and decoder is useful for API testing, tokens, data URLs, email content, logs, and small configuration values.
The tool supports UTF-8 text, so non-English characters and emoji can be encoded and decoded more reliably than older browser snippets based on deprecated escape/unescape helpers.
Base64 is not encryption. It makes data easier to transport through text-only systems, but anyone who has the value can decode it.
Privacy note
Most FreeToolsBox tools run directly in your browser for processing. Some pages may still load analytics, ads, or third-party services. Avoid entering passwords, private keys, production tokens, personal IDs, or other sensitive data.
Validation-grade guide
How to use Base64 Encoder & Decoder well
Best for
Encode or decode Base64 text, API payload fragments, and UTF-8 strings.
Quickly converts between readable text and Base64 while surfacing malformed decode input.
Example workflow
- Input: hello 世界
- Action: Encode to Base64, then decode the result to confirm round-trip behavior.
- Expected result: The decoded text matches the original Unicode input exactly.
Quality checks
- Handles UTF-8 text instead of only ASCII strings.
- Separates encode and decode actions for clean analytics.
- Reports invalid input rather than returning misleading output.
Watch out for
- Base64 is encoding, not encryption.
- Binary files require file-specific handling, not plain textarea conversion.
- URL-safe Base64 may use different characters or omit padding.
Do not use it for
- Protecting secrets or passwords.
- Verifying signatures, JWT integrity, or encrypted messages.
What to measure in the 90-day validation
- tool_used:encode
- tool_used:decode
- tool_error rate
- tool_copied
Text encoding and decoding happen in the browser, but encoded output is not private by design.
Learn the concept
Base64 is not encryption
A practical guide explaining what Base64 encoding does, why it is reversible, where it is useful, and why it should not be used to protect secrets.
Read the guide →Common use cases
- Encode small text snippets for API requests or test fixtures.
- Decode Base64 values found in logs, headers, configuration, or support tickets.
- Check whether a copied Base64 value decodes to readable text.
- Work with Unicode strings without losing characters.
- Inspect values before deciding whether they are Base64, Base64URL, or another encoding.
Examples
- Encode hello world into a Base64 string for a quick API test.
- Decode a copied configuration value and confirm whether it contains readable JSON, plain text, or binary-looking data.
- Remove accidental spaces or line breaks before decoding a value copied from email or logs.
Practical tips
- Base64 is encoding, not encryption.
- Do not use Base64 alone to protect secrets.
- If decoding fails, check for missing padding, copied whitespace, or Base64URL characters.
- Decoded binary data may not display as readable text.
Related tools
Frequently asked questions
Is Base64 secure?
No. Base64 only changes the representation of data. Anyone can decode it without a password.
Why does my Base64 string not decode?
The input may be truncated, contain unsupported characters, include copied whitespace, or use a different variant such as Base64URL.
Can I encode Unicode text?
Yes. The tool uses UTF-8 encoding so international text and emoji are supported.
Why is Base64 longer than the original text?
Base64 represents data using a limited ASCII character set, which usually increases the size by roughly one third before compression.
What is the difference between Base64 and Base64URL?
Base64URL is a URL-safe variant that replaces characters such as plus and slash and is commonly used in JWTs and web tokens.
Is Base64 Encoder & Decoder free to use?
Yes. Base64 Encoder & Decoder is free to use in your browser with no signup required.