Base64 Encode Decode
|
Encode plain text to Base64 or decode a Base64 string back to text. Results update as you type. All processing is in the browser — paste sensitive tokens without network exposure.
Base64 is encoding, not encryption
Base64 is a text-encoding scheme. It converts arbitrary bytes into 64 printable ASCII characters (A–Z, a–z, 0–9, +, /) so that binary data can be safely embedded in text-only contexts: HTTP headers, JSON values, email bodies, HTML attributes, and CSS data URIs.
It is not encryption, not hashing, and not obfuscation. Anyone who sees a Base64 string can decode it in seconds with any decoder — including this one. It provides zero confidentiality.
Do not use Base64 to "hide" passwords, API keys, or any sensitive value. If a credential is encoded in Base64 inside a config file or a request header, it is readable by anyone who intercepts that header or reads that file.
c2VjcmV0cGFzc3dvcmQ=secretpasswordBase64 in headers → readable by any proxy, log, or developer toolHow the Base64 alphabet and padding work
Base64 encodes 3 bytes of input into 4 output characters, working in 3-byte blocks. Each group of 6 bits maps to one character from the 64-character alphabet.
When the input byte count is not a multiple of 3, one or two = padding characters are appended so the output length is always a multiple of 4. One = means 1 byte of padding was added; == means 2 bytes.
The padding characters carry no data — they are structural markers. Some implementations (especially URL-safe Base64 used in JWTs) omit them entirely. If you get a decode error on a string without padding, try appending = or == until the length is a multiple of 4.
"Man" → TWFu"Ma" → TWE="M" → TQ==Decoding HTTP Basic Auth and Authorization headers
HTTP Basic Authentication encodes credentials as Base64 in the Authorization header. The format is: Authorization: Basic <base64(username:password)>.
To inspect credentials from a captured header: take the value after "Basic ", paste it into the decode field here, and read the username:password in plain text. This is exactly why Basic Auth must only be used over HTTPS — the "encoding" provides no protection at all.
Bearer tokens and API keys in Authorization headers are not Base64-encoded — they are opaque strings passed as-is. Only the Basic scheme uses Base64.
alice:hunter2YWxpY2U6aHVudGVyMg==Authorization: Basic YWxpY2U6aHVudGVyMg==paste YWxpY2U6aHVudGVyMg== → alice:hunter2Standard Base64 vs Base64URL (JWT)
Standard Base64 uses + as character 62 and / as character 63. Both have special meaning in URLs: + is interpreted as a space in form encoding, and / is a URL path separator. Embedding standard Base64 in a URL requires percent-encoding those characters.
Base64URL solves this by substituting - for + and _ for /. Padding (= signs) is also typically omitted because = is reserved in query strings. This variant is used in JWTs, OAuth tokens, and any context where the encoded value appears in a URL.
JWT segments — the header and payload — are Base64URL-encoded, not standard Base64. If you try to decode a JWT segment with a standard decoder and get garbage or an error, that is why. Either replace - with + and _ with / manually, or use the JWT Decoder tool which handles the conversion automatically.
c29tZStkYXRhL2hlcmU=c29tZStkYXRhL2hlcmU (- for +, _ for /, no padding)eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyXzEyMyJ9.<sig>eyJzdWIiOiJ1c2VyXzEyMyJ9 → {"sub":"user_123"}See also: JWT Decoder
Common cases in APIs, logs, and configuration
API responses — some APIs return binary content (PDFs, images, cryptographic signatures) as Base64 inside a JSON field. Decode the field value here to inspect the raw content as text, or save it as bytes.
Configuration files — service account JSON keys (Google Cloud), SSH private keys, and TLS certificates are often Base64-encoded when embedded in environment variables or YAML config.
Email — MIME encoding uses Base64 to represent attachments and non-ASCII body content. If you are inspecting a raw email message, the encoded blocks are Base64.
Data URIs — img src="data:image/png;base64,…" and similar CSS background values embed file content inline. The portion after the comma is standard Base64.
{"signature": "c29tZWJhc2U2NGRhdGE=", "alg": "RS256"}GOOGLE_CREDENTIALS=eyJrZXlfdHlwZSI6InNlcnZpY2VfYWNjb3VudCJ9data:image/png;base64,iVBORw0KGgo...See also: JSON Formatter
When decoding fails or produces garbled output
Wrong variant: the input is Base64URL (uses - and _) but you are using a standard decoder. Replace - with + and _ with /, then try again.
Missing padding: URL-safe Base64 strips trailing = signs. If the encoded string length is not a multiple of 4, add one or two = characters at the end.
Binary content: decoding a Base64-encoded image, PDF, or other binary file as UTF-8 text will always produce garbled output — the underlying bytes are not valid text. This is expected; use a binary-aware tool or save the bytes directly.
Whitespace and line breaks: some encoders wrap output at 76 characters (MIME standard). Remove all newlines and spaces before decoding.
SGVsbG8 → error; fix: SGVsbG8= → Helloc29tZS10ZXh0 (has -) → replace with +: c29tZSt0ZXh0 → some+textSGVs
bG8= → remove newline: SGVsbG8= → HelloEncoding and decoding in code
In Node.js, use the Buffer API — it handles UTF-8 correctly and avoids the Latin-1 restriction of the browser's built-in btoa/atob.
In Python, use the base64 standard library. In the browser, btoa and atob are natively available but only handle ASCII and Latin-1 characters correctly; for Unicode text, encode through TextEncoder first.
On the command line, base64 (Linux/macOS) or certutil (Windows) encode files or strings. Useful when you need to Base64-encode a file for an API request or environment variable.
Buffer.from('hello world').toString('base64') // → aGVsbG8gd29ybGQ=Buffer.from('aGVsbG8gd29ybGQ=', 'base64').toString('utf8') // → hello worldimport base64
base64.b64encode(b'hello world').decode() # → aGVsbG8gd29ybGQ=base64.b64decode('aGVsbG8gd29ybGQ=').decode('utf-8') # → hello worldbtoa('hello') // → aGVsbG8=echo -n 'hello world' | base64 # → aGVsbG8gd29ybGQ=echo 'aGVsbG8gd29ybGQ=' | base64 --decode # → hello worldFrequently Asked Questions
- Is Base64 safe to use for passwords or secrets?
- No. Base64 is encoding, not encryption. It is trivially reversible — any decoder (including this page) produces the original text instantly. Never use Base64 to "hide" passwords, API keys, tokens, or any sensitive value. Use proper encryption or hashing for security.
- Why does my decoded output show garbled characters?
- The most common causes: (1) the input is Base64URL (using - and _ instead of + and /) — replace those characters and try again; (2) padding is missing — append = or == until the string length is a multiple of 4; (3) the encoded data is binary (an image or file), not text — decoding as UTF-8 will always produce garbled output for binary content.
- How do I decode a JWT payload without a JWT tool?
- Split the JWT on dots — you get three parts: header.payload.signature. Take the second part (payload). Replace - with + and _ with /. Add = padding until the length is a multiple of 4. Then paste into this tool's decode field. The result is a JSON object. For a faster workflow, use the JWT Decoder tool which does all of this automatically.
- What does the = padding at the end mean?
- Base64 encodes 3 bytes into 4 characters. When input length is not divisible by 3, one or two = characters pad the output to a multiple of 4. They carry no data. URL-safe Base64 (JWTs) strips this padding — add = signs back if a decoder returns an error.
- Can I encode binary files here?
- This tool encodes text strings. For binary files, use base64 filename on Linux/macOS, certutil -encode filename on Windows, or in Node.js: Buffer.from(fs.readFileSync(path)).toString('base64').
- Does Base64 make data smaller?
- No — it makes it approximately 33% larger. Every 3 bytes of input become 4 output characters. Base64 trades size for text compatibility, not compression.
- What is the difference between btoa/atob and this tool?
- btoa and atob are browser built-ins that only handle Latin-1 (ISO-8859-1) characters. Passing a string with emoji or other non-Latin-1 Unicode throws an error. This tool uses TextEncoder/TextDecoder with UTF-8, so it correctly encodes any Unicode text.