Base64 Encode Decode

Free Base64 Encode and Decode tool to convert text to and from Base64 in your browser for data URIs, JWTs, and APIs.

The Base64 Encode/Decode tool instantly converts text and data to Base64 and back. Paste text to encode it into a safe ASCII string, or paste a Base64 string to decode it to the original — handy for debugging JWTs, building data URIs, inspecting API payloads, and any task where binary data must travel as text. Fast, free, and processed in your browser.

What Base64 Actually Is

Base64 is a binary-to-text encoding. It represents any data using just 64 printable ASCII characters — A–Z, a–z, 0–9, '+', and '/', with '=' for padding — so that binary content can pass safely through systems designed only for text. It works by taking 3 bytes at a time (24 bits) and encoding them as 4 characters (6 bits each), which is why padded Base64 output is always a multiple of four characters long.

How to Use It

  1. Paste your data — text to encode, or a Base64 string to decode.
  2. Encode or decode — choose the direction.
  3. Copy the result into your code, config, or API.

The Most Important Thing: Base64 Is NOT Encryption

This deserves a section of its own, because it's the most dangerous misconception in development. Base64 provides zero security. It is encoding, not encryption — there's no key, and anyone can reverse it in one second using a browser console (atob("c2VjcmV0") returns "secret") or any online tool. Never use Base64 to "hide" passwords, API keys, tokens, or sensitive data; encoding a secret in Base64 is like writing your PIN on a sticky note and turning it face-down. For real protection, use proper encryption such as AES or RSA — and only then, optionally, Base64-encode the ciphertext for transport.
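A defender's view of the point above, as an added example that is not part of the original page: a small scanner that decodes Base64-looking values in configuration text and flags the ones that turn out to be readable credentials, including an HTTP Basic Auth header. The sample config, the keyword list and the function names are constructed for illustration.

```javascript
// Constructed sample config; none of these values are real credentials.
const sampleConfig = [
  'db_password = cGFzc3dvcmQ9aHVudGVyMg==',
  'Authorization: Basic YWxpY2U6czNjcmV0',
  'build_id = 20240101',
  'logo = iVBORw0KGgoAAAANSUhEUg==',
].join('\n');

// Return the decoded text, or null unless the candidate is valid padded
// Base64 that yields printable ASCII (binary such as image bytes is skipped).
function decodePrintable(candidate) {
  if (candidate.length % 4 !== 0) return null;
  let bin;
  try { bin = atob(candidate); } catch { return null; }
  return /^[\x20-\x7e]+$/.test(bin) ? bin : null;
}

// Flag lines whose Base64 value decodes, with no key, to credential-looking text.
function findEncodedSecrets(text) {
  const findings = [];
  const token = /[A-Za-z0-9+\/]{12,}={0,2}/g;
  text.split('\n').forEach((line, i) => {
    for (const [candidate] of line.matchAll(token)) {
      const decoded = decodePrintable(candidate);
      if (decoded === null) continue;
      // Basic Auth carries "user:password"; otherwise look for secret-like names.
      const basicAuth = /\bBasic\s/i.test(line) && decoded.includes(':');
      const keyword = /(pass(word)?|secret|token|api[_-]?key)/i.test(line + ' ' + decoded);
      if (basicAuth || keyword) findings.push({ line: i + 1, decoded });
    }
  });
  return findings;
}
```

Running `findEncodedSecrets(sampleConfig)` reports lines 1 and 2 with their plaintext, while the numeric build ID and the Base64 image bytes are left alone.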

Why Base64 Exists

Many systems — email (SMTP/MIME), URLs, HTTP headers, JSON, HTML attributes — were built to handle text, not raw binary. Sending binary directly through them can corrupt or mangle the data. Base64 solves this by converting the bytes into safe, printable characters that survive the trip intact, then decoding them back on the other side. It's about safe transport, not security or compression.

Where Base64 Shows Up

Use case               How Base64 helps
Data URIs              Embed small images, SVGs, and fonts inline in HTML/CSS
JSON APIs              Send files inside a payload, since JSON has no binary type
JWT tokens             Header and payload are Base64URL-encoded JSON
HTTP Basic Auth        Encodes "user:password" for the header (needs HTTPS)
Email & certificates   MIME attachments and PEM certificates

Standard vs. URL-Safe Base64

Standard Base64 uses '+' and '/', but those are reserved characters in URLs. The URL-safe variant (RFC 4648) replaces them with '-' and '_' and usually omits the '=' padding, so the string is safe in URLs, cookies, and filenames. It's what JWTs and AWS signatures use. If a decode fails with an "invalid character" error, you've likely got the URL-safe variant — switch accordingly.

The 33% Overhead — and When Not to Use Base64

Because 3 bytes become 4 characters, Base64 inflates data by about 33%. A 1 MB image becomes roughly 1.33 MB. That's acceptable for small payloads, but for large files it's wasteful: prefer direct binary transfer, multipart form-data, or normal file URLs. On the web specifically, a regular image URL can be cached independently and streamed, while a Base64 data URI cannot — so reserve data URIs for tiny assets only.

Common Pitfalls

  • Treating it as security — the number-one mistake; it's reversible by anyone.
  • UTF-8 handling — multibyte text needs proper encoding or it breaks.
  • Double-encoding — encoding already-encoded data yields garbage.
  • Padding — stripped '=' characters cause decode errors.
  • Whitespace — strip line breaks (some tools wrap at 76 chars) before decoding.
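The pitfalls above and the standard versus URL-safe distinction, handled in one place, as an added example that is not part of the original page: a UTF-8-aware encoder, a decoder that tolerates wrapped lines, the URL-safe alphabet and missing padding, and a JWT reader built on it. Function names and the sample token are constructed for illustration.

```javascript
// Encode text as UTF-8 bytes first: btoa() alone throws on characters above U+00FF.
function encodeText(text, urlSafe = false) {
  let bin = '';
  for (const b of new TextEncoder().encode(text)) bin += String.fromCharCode(b);
  const b64 = btoa(bin);
  return urlSafe
    ? b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')
    : b64;
}

// Normalize whitespace, alphabet and padding, then decode the bytes as UTF-8 text.
function decodeText(input) {
  let s = input.replace(/\s+/g, '');            // tools may wrap output at 76 chars
  s = s.replace(/-/g, '+').replace(/_/g, '/');  // URL-safe alphabet -> standard
  s = s.replace(/=+$/, '');                     // drop padding, re-add it below
  if (!/^[A-Za-z0-9+\/]*$/.test(s)) throw new Error('invalid Base64 character');
  if (s.length % 4 === 1) throw new Error('invalid Base64 length');
  s += '='.repeat((4 - (s.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(s), (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

// Read a JWT's header and payload. No key is needed because the claims are only
// encoded. The signature is NOT verified, so never authorize on this output.
function inspectJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected three dot-separated segments');
  return {
    header: JSON.parse(decodeText(parts[0])),
    payload: JSON.parse(decodeText(parts[1])),
  };
}

// Constructed sample token; the third segment is a placeholder, not a real signature.
const sampleJwt = [
  encodeText('{"alg":"HS256","typ":"JWT"}', true),
  encodeText('{"sub":"user-123","name":"Zoë","admin":false}', true),
  'c2lnbmF0dXJl',
].join('.');
```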

Private and Instant

Encoding and decoding happen in your browser, so your data never leaves your device — safe for inspecting tokens and payloads. Just remember the golden rule: Base64 is a transport format, not a lock. Free, with no signup.

Base64 FAQs

What is Base64 encoding?

Base64 is a binary-to-text encoding scheme that represents any data using 64 printable ASCII characters: A–Z, a–z, 0–9, plus '+' and '/', with '=' for padding. It converts each group of 3 bytes into 4 characters. Its purpose is to let binary data — images, files, raw bytes — travel safely through systems that only handle text, like email, URLs, and JSON.

Is Base64 encryption? Is it secure?

No — and this is the single most important thing to understand. Base64 is encoding, not encryption, and provides zero security. Anyone can decode a Base64 string instantly with a browser console or any online tool; no key is needed. Never use it to hide passwords, API keys, tokens, or any sensitive data. For real protection, use proper encryption like AES or RSA.

Why does my data get bigger after Base64 encoding?

Because Base64 turns every 3 bytes into 4 characters, the output is about 33% larger than the original. This overhead is the trade-off for safe text transmission. It's fine for small payloads, but for large binary files it's wasteful — prefer direct binary transfer or multipart uploads instead of Base64 for big files.

What is a data URI and how does Base64 relate to it?

A data URI embeds a file directly inside HTML or CSS using the format data:[MIME-type];base64,[encoded-data]. Base64 is what makes the binary image or font safe to inline as text. It's great for tiny assets — small icons, simple SVGs, favicons — where avoiding an extra HTTP request is worth the size increase. Keep embedded assets small (under a few KB); for larger images, use a normal file URL.

What is URL-safe Base64?

Standard Base64 uses '+' and '/', which are reserved characters in URLs. URL-safe Base64 (RFC 4648) swaps them for '-' and '_' and usually drops the '=' padding, so the string is safe to place in URLs, cookies, and filenames. It's the variant used in JWTs, AWS signatures, and similar contexts. If decoding fails with an 'invalid character' error, check whether you have the URL-safe variant.

Where is Base64 actually used?

Everywhere data must cross a text-only channel: embedding small images in HTML/CSS via data URIs, sending files inside JSON API payloads (since JSON has no binary type), the header and payload of JWTs (Base64URL), HTTP Basic Authentication headers, email attachments via MIME, and storing certificates. The common thread is pushing non-text data through systems built for text.

What are common Base64 mistakes?

The biggest is treating it as security — it isn't. Others include: encoding multibyte (UTF-8) text incorrectly so it breaks; double-encoding an already-encoded string, which produces garbage; missing or stripped '=' padding causing decode errors; and leftover whitespace or line breaks (some tools wrap output every 76 characters) that must be removed before decoding.

Is my data private when using this tool?

When encoding and decoding run in your browser, your data stays on your device and isn't sent anywhere. That makes it safe for inspecting tokens or payloads. Still, because Base64 is not secure, never rely on it to protect anything sensitive — it's a transport format, not a lock.