Base64 Encoder & Decoder — Free Online Tool
Encode any text (including Unicode) to Base64, or decode Base64 back to text. Supports standard and URL-safe Base64. Live conversion as you type — nothing uploaded.
What is Base64?
Base64 is a way to represent binary data using only 64 printable ASCII characters (A–Z, a–z, 0–9, plus + and /, with = for padding). It's the standard format for embedding arbitrary bytes into text-only channels: HTML attributes, CSS files, JSON payloads, email bodies, configuration files, JWT tokens, Basic Auth headers. The encoded output is roughly 33% larger than the original input, but it can travel anywhere that plain text travels.
This tool handles encode and decode for any UTF-8 text — including emojis, non-Latin scripts, special characters. It also supports URL-safe Base64 (which uses - and _ instead of + and / and drops padding) — the variant used in JWT tokens and many web APIs.
Common uses for Base64
- HTTP Basic Authentication — credentials are sent as
Authorization: Basic base64(user:pass). - JSON Web Tokens (JWT) — header and payload are Base64URL-encoded JSON.
- Email attachments — MIME bodies use Base64 for binary parts.
- Data URIs — inline images, fonts, SVGs in HTML/CSS use Base64 payloads.
- API responses returning binary blobs (avatars, files, tokens) as JSON-safe strings.
- Kubernetes Secrets / GitHub Actions secrets — stored as Base64.
- Database BLOB exports when the export format is text-only.
- QR code payloads for binary data.
Standard vs URL-safe Base64
Standard Base64 uses + and / as the last two characters. But those are reserved characters in URLs — + means space in query strings, / separates path segments. To make Base64 safely usable in URLs, RFC 4648 defines a URL-safe variant: - replaces +, _ replaces /, and trailing = padding is often omitted.
Tick the URL-safe checkbox to encode or decode in that variant. JWT tokens, OAuth state parameters and most modern web APIs use URL-safe Base64.
Important: Base64 is not encryption
Base64 is reversible by anyone who can read the encoded string — it's a transport encoding, not a security measure. Never use it to "hide" passwords, API keys or sensitive data. If you need confidentiality, use proper encryption (AES-GCM, NaCl, etc.).
UTF-8 handling
This encoder properly handles non-ASCII characters: emojis, accented letters, CJK scripts, RTL languages. Naive Base64 implementations break on non-ASCII; this one uses TextEncoder to convert text to UTF-8 bytes before encoding (and TextDecoder on the reverse path), so any Unicode string round-trips correctly.
Tips and best practice
- Watch for invisible characters in pasted input — a trailing newline often produces a different Base64 than expected.
- For JWT debugging, use URL-safe mode and decode the parts between dots separately.
- Base64 string lengths must be multiples of 4 (after padding). If decoding fails, check for missing trailing
=. - To encode a file (image, PDF), use the dedicated file encoders like PNG to Base64.
FAQs
Is anything uploaded?
No. Encoding/decoding runs in your browser.
Why is my decoded output garbled?
Either the input wasn't valid Base64, or it was encoded from a different character encoding (e.g. ISO-8859-1). This tool assumes UTF-8.
What's the maximum input size?
Practical limit ~5 MB. Beyond that, browser performance degrades.
What's the difference between Base64 and Base64URL?
URL-safe uses -_ instead of +/ and may omit padding. Same algorithm otherwise.
Is this encryption?
No. Base64 is encoding, not encryption — anyone can decode it instantly.