Base64 EncoderㆍDecoder - Free Online Tool

Mode

Text File

Direction

Encode Decode

Input

Output

📁 Click or drop a file here

Result (Base64)

What is Base64?

Base64 is an encoding that represents binary data using only ASCII characters (A-Z, a-z, 0-9, +, /). It is commonly used in email, data URIs, JWTs, and API responses.

Smart Input Detection

When you paste text, the tool checks whether it looks like Base64 (valid charset + length divisible by 4) and switches to Decode mode automatically.

Privacy

All text and files are processed locally in your browser. Nothing is uploaded, so sensitive tokens and credentials stay safe.

How the encoding actually works

Base64 takes three bytes (24 bits) of binary input at a time and rewrites them as four 6-bit groups, each represented by one printable ASCII character. The character set is defined in RFC 4648, the authoritative standard. If the input length is not a multiple of 3 bytes, the output is padded with one or two = characters so that every encoded string is always a multiple of 4. That is why a rough-but-reliable validity check is "does the length divide by 4 and does every character belong to [A-Za-z0-9+/=]?".

Where you encounter Base64 every day

Data URIs - <img src="data:image/png;base64,iVBOR..."> lets you inline small images directly in HTML or CSS. Great for icons below ~2KB; anything larger hurts render performance because the payload cannot be parallelized like separate requests.
JSON Web Tokens (JWT) - Header and payload are Base64URL-encoded (not standard Base64) and joined by dots. The signature is also Base64URL. You can decode any JWT by splitting on . and decoding the first two segments. Note that JWTs are signed, not encrypted - never put secrets in a JWT body.
MIME email attachments - SMTP historically carried only 7-bit ASCII, so binary attachments are wrapped with Content-Transfer-Encoding: base64 and split into 76-character lines.
HTTP Basic Auth - The header Authorization: Basic dXNlcjpwYXNz is just base64("user:pass"). Anyone sniffing the request in cleartext can decode it instantly - always pair Basic Auth with HTTPS.
SSH/PEM keys, certificates - The lines between -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- are Base64-wrapped DER binary (PEM format).
OAuth state, API keys, CSP nonces - Most "opaque tokens" are Base64URL-encoded random bytes, because URL-safe alphabet avoids escaping in query strings.

Base64 vs Base64URL - pick the right flavor

Standard Base64 uses +, /, and =. Two of those characters have special meaning in URLs (+ decodes to a space; / is a path separator), so embedding raw Base64 in a query string often corrupts the payload. The fix is Base64URL (also RFC 4648, §5), which substitutes + → - and / → _, and usually omits the = padding. Rule of thumb:

Use Base64URL anywhere the value appears in a URL, filename, or HTTP header - JWTs, OAuth tokens, file-based caching keys.
Use standard Base64 for inline data (data URIs, PEM files, email MIME) where URL safety is irrelevant.

When NOT to use Base64

Password storage - Base64 is reversible; it is not hashing. Use bcrypt, scrypt, or Argon2.
Secrecy of any kind - Encoding is not encryption. Anyone can decode it in one line of code. Use TLS for transport and AES-GCM (or equivalent) for storage secrecy.
Large binary payloads in JSON - Base64 adds ~33% overhead. For files above a few hundred KB prefer a presigned upload URL, multipart form, or binary framing (gRPC, Protobuf).
Obfuscating code - Security scanners, WAFs, and browser DevTools decode Base64 automatically. It only slows a casual reader down, not an attacker.

Troubleshooting common decode errors

"Invalid character" error - Your input contains whitespace, line breaks, or smart quotes. This tool strips whitespace automatically, but copy-pasting from Word or Slack sometimes inserts U+00A0 (non-breaking space). Retype the suspected characters.
Output looks like "random bytes" instead of text - You decoded a binary payload (image, PDF, compressed blob). Switch to File mode and use the download button instead of viewing as text.
Length is not a multiple of 4 - The string is Base64URL with padding stripped. Append = or == until the length is divisible by 4, or use a decoder that accepts unpadded input. This tool handles both automatically.
"Incorrect padding" on JWT - JWT segments drop the = padding by spec. Always pad before passing to a strict Base64 decoder.
Unicode text round-trips wrong - The native browser atob()/btoa() are byte-oriented and mangle multi-byte UTF-8. This page uses TextEncoder/TextDecoder under the hood so emoji and non-Latin characters round-trip correctly.

Performance notes for developers

Encoding and decoding are O(n) operations and extremely fast - a 1 MB file encodes in roughly a millisecond on a modern laptop. The real cost is the 33% size increase and the fact that Base64 strings are not compressible as efficiently as the original binary (the alphabet lacks the low-frequency bytes that compression algorithms rely on). If your binary payloads are large enough for size to matter, skip Base64 entirely and use a binary-aware transport.

When working with JSON API payloads, the JSON Formatter & Converter helps you inspect and tidy the data. For collision-resistant resource identifiers, the UUID Generator is a cleaner alternative to Base64-encoded IDs.

FAQ

Is Base64 encryption?

No. It is just an encoding and anyone can decode it. Do not use it to protect passwords.

How much larger does data get?

Base64 encoding increases size by about 33%.

Can I use Base64 directly in URLs or filenames?

Standard Base64 uses `+`, `/`, and `=` which conflict with URL syntax. Use "URL-safe Base64" (Base64URL) which replaces `+` with `-` and `/` with `_`.