Free tool No sign-up
Base64 Encoder / Decoder
Encode or decode Base64 — text, JSON, JWTs, and files up to 5 MB. Standard and URL-safe variants with full UTF-8 support and live preview.
base64encoderdecoderjwtdata-uri
Why use Base64?
Inspect tokens & headers
JWTs, OAuth state, HTTP Basic auth, and signed cookies all use Base64. Decoding them on the spot beats writing a one-off script every time you debug an auth flow.
Embed binary in text
Base64 is the universal way to ship images, fonts, or PDFs through APIs and inline data: URIs. The 33% size overhead is a small price for "no extra HTTP request" rendering.
URL-safe transport
Standard Base64 contains + and / which break inside URLs and filenames. Base64URL swaps them for - and _ — same encoding, safe for query strings, JWT segments, and S3 keys.
No round-tripping data loss
Unlike URL encoding or HTML entities, Base64 is a true 1:1 transform on bytes — encode, transmit, decode, and you get back exactly what you started with, every time.
How to use this tool
01
Pick Encode or Decode
Encode turns plain text or files into Base64. Decode reads any Base64 string (with or without padding, URL-safe or standard) back to text or bytes.
02
Type, paste, or upload
Drop in any UTF-8 text — emoji, accented characters, and CJK all encode safely. For binary, click Upload to Base64-encode a file up to 5 MB right in the browser.
03
Toggle URL-safe if needed
Standard Base64 uses +, /, =. URL-safe (Base64URL, RFC 4648 §5) swaps + → -, / → _, and drops trailing =. Use it for JWT, query strings, and filenames.
04
Copy the result
For text, click Copy. For uploaded files, Copy data: URI gives you a ready-to-paste data:image/png;base64,... string for inlining in CSS, HTML, or Markdown.
Standard vs URL-safe Base64
| Input | Standard | URL-safe | Note |
|---|---|---|---|
A | QQ== | QQ | 1 byte → 4 chars + padding |
AB | QUI= | QUI | 2 bytes → 4 chars + padding |
ABC | QUJD | QUJD | 3 bytes → 4 chars exactly |
Hello! | SGVsbG8h | SGVsbG8h | No special chars — same |
sub?>tile | c3ViPz50aWxl | c3ViPz50aWxl | No +/ chars — same |
\xfb\xff | +/8= | -_8 | +, /, = → -, _, stripped |
JWT header | eyJhbGc...InR5cCI6Ikp | eyJhbGc...InR5cCI6Ikp | JWTs always Base64URL |
Base64 in practice
UTF-8 safe
// Browser — UTF-8 safe encode const text = "Café · 🚀"; const b64 = btoa( String.fromCharCode(...new TextEncoder().encode(text)) ); // → "Q2Fmw6kgwrcg8J+agA=="
Decode JWT
// Decode a JWT payload (always Base64URL)
const [, payload] = jwt.split(".");
const json = atob(
payload.replace(/-/g, "+").replace(/_/g, "/")
.padEnd(payload.length + (4 - payload.length % 4) % 4, "=")
);
// → {"sub":"1234","name":"Jane","exp":...} data: URI
/* Inline a tiny image with a data: URI */
.icon-check {
background-image: url("data:image/svg+xml;base64,PHN2Zy4uLjwvc3ZnPg==");
background-size: 16px;
}
/* Or in HTML */
<img src="data:image/png;base64,iVBORw0KGgo...AAAAElFTkSuQmCC" alt="" /> Pro tips
01
Base64 is encoding, not encryption
It looks scrambled but anyone can decode it. Never put secrets, API keys, or PII in Base64 thinking it's "hidden" — use real encryption (AES-GCM, age) for that.
02
Mind the +33% size penalty
3 bytes → 4 chars means Base64 grows files by ~33% (more after gzip can recover). Inline data URIs only beat HTTP for tiny assets — typically under 4 kB.
03
Always specify charset for text
Base64 encodes bytes, not text. If a system sends you Base64 of UTF-16 or Latin-1, decoding as UTF-8 produces mojibake. Confirm the original charset before decoding.
04
Watch for missing padding
Strict decoders reject Base64 without trailing =. JWTs and Base64URL strip them — most tools (including this one) re-pad automatically, but raw atob() in browsers does not.