Base64 Encoder and Decoder
Paste UTF-8 text to encode, or a Base64 string to decode. The tool supports standard Base64 and Base64url for multilingual text, JSON snippets, JWT segments, Basic Auth values, URL parameters, and log fields. URL-safe mode is designed for links, cookies, and token values, and common missing padding is handled during decode. Encoding, decoding, copy, and round-trip checks all run in your browser, so credentials, tokens, and internal logs are not uploaded.
- Switch between standard Base64 and Base64url for plain text, link parameters, and token segments
- Round-trip UTF-8 text reliably, including CJK text, emoji, accented characters, and JSON
- Validate length and alphabet during decode, with a clear error when input is invalid
- Handle common missing padding before decode, useful for JWT segments and URL-safe values
- Reuse output as input to confirm the conversion returns to the original content
- Process data inside the current browser tab, suitable for credentials, tokens, and internal logs
Overview
A local workspace for common Base64 conversion, URL-safe variants, padding handling, and round-trip validation during everyday API and authentication debugging.
- 01
UTF-8 text encoding
Encode multilingual text, JSON snippets, configuration values, and authentication strings into standard Base64. Content is handled as UTF-8 bytes, so CJK text, emoji, and accented characters round-trip reliably.
- 02
Base64 decoding to text
Decode Base64 strings from API responses, logs, message queues, cache values, or database fields back into readable text. When the result is not valid UTF-8 text, the tool reports an error instead of showing ambiguous garbage.
- 03
Base64url mode
URL-safe mode uses the Base64url form that works better in links, cookies, filenames, and JWT values. Turn it on when the output needs to cross those boundaries.
- 04
Missing padding handling
JWT segments and URL-safe values often omit trailing padding. During decode, the tool handles those common cases according to Base64 grouping rules, reducing manual fixes.
- 05
Live validation status
Successful conversion shows an encoded or decoded state. Invalid length, mismatched alphabet, or unsupported characters produce an immediate error in the output panel.
- 06
Round-trip verification
Send the output back into the input, switch mode, and run the reverse conversion. This is useful for checking alphabet, padding, and UTF-8 handling in your own code.
- 07
Sample inputs
Built-in text, JSON, and URL-safe samples help confirm the current mode before you paste real data.
- 08
Local-only processing
Encoding, decoding, copy, and round-trip checks all happen inside the current browser tab. Credentials, JWT segments, Basic Auth values, internal logs, and personal data stay on the device.
How to use
Choose the conversion direction, paste input, enable URL-safe mode when needed, and the result updates live.
- 01
Choose Encode or Decode in the conversion mode control.
- 02
Paste text or a Base64 string into the input area. Encoding accepts UTF-8 text, while decoding accepts standard Base64 and Base64url.
- 03
Enable URL-safe mode when the value will be used in a URL, cookie, JWT, or similar token field.
- 04
Check the output status. A valid result is shown immediately, and invalid input produces a clear error.
- 05
Copy the result, or use the output as input and switch mode to confirm the result returns to the original content.
Details
The conversion direction controls input and output. URL-safe mode controls which boundary the value can safely cross.
- Use Encode for Basic Auth values, JSON fields, configuration snippets, log samples, Data URL content, and systems that accept Base64 text.
- Use Decode to inspect API responses, log fields, cache values, messages, webhook data, and JWT segments.
- Use URL-safe mode for URL query parameters, path segments, cookies, filenames, and JWTs.
- Use standard Base64 for Basic Auth, email MIME, Data URLs, SMTP, and most text protocol contexts.
- When the input variant is unclear, try standard Base64 first. If it fails, enable URL-safe mode and retry.
- This page is designed for text content. Use dedicated file or image Base64 tools for images, PDFs, archives, and audio.
Use cases
Base64 often appears in APIs, authentication, messages, cache entries, and embedded frontend assets. The same paste, convert, copy workflow covers most day-to-day inspection tasks.
-
JWT segment inspection
Paste a JWT header or claims segment, enable URL-safe mode, and inspect issuer, expiration, scopes, and custom fields.
-
Basic Auth value preparation
Encode the username and password pair as standard Base64 to produce the value used after the Basic scheme in an authorization header.
-
Data URL content
Prepare Base64 content for small icons, inline SVG, email templates, or single-file prototypes that embed assets in HTML, CSS, or JSON.
-
API field debugging
Decode Base64 fields from REST, GraphQL, or webhook responses to see whether the value contains a cursor, signing material, configuration, or plain text.
-
Message and cache inspection
Check text stored in Redis, Kafka, SQS, or database binary fields without writing a one-off script.
-
OAuth and signed request debugging
Inspect Base64url segments in OAuth state, OIDC nonces, PKCE verifiers, and partner signed requests to confirm both sides use the same encoding contract.
-
Callback parameter handling
Encode values as Base64url before placing them in callback URLs, reducing problems caused by standard Base64 characters in link parsers.
-
Email MIME inspection
Extract a Base64-encoded MIME part from raw email source and decode it to inspect body text, attachment metadata, or template content.
-
Round-trip testing
Encode first, use the output as input, then decode to confirm the result returns to the original text. This quickly exposes padding and variant mismatches.
-
Cross-language contract checks
Compare Base64 output from backend services and frontend clients for the same text, confirming both sides agree on UTF-8, padding, and URL-safe mode.
See also
If the Base64 result still needs to travel through a link or form body, continue with URL Encoder and Decoder for percent-encoding. When the result will land in HTML text, attributes, or email source, use HTML Encoder and Decoder to check the entity boundary. When debugging Bearer tokens, single sign-on, or session state, open JWT Inspector to inspect the relationship between JWT header, claims, and signature. To embed images in HTML, CSS, or JSON, switch to Image to Base64 ; if you already have an image Base64 string and want to preview it or restore it as a file, use Base64 to Image .
Best practices
Base64 problems usually come from unclear variant, text encoding, or boundary rules rather than the algorithm itself.
- Decide whether the contract uses standard Base64 or Base64url before writing code, and document whether padding is kept.
- Prefer Base64url for values that enter URLs, cookies, filenames, and JWTs.
- For text shared across languages, explicitly agree on UTF-8 to avoid corrupting CJK and accented characters.
- When decode fails, first check for extra whitespace, missing padding, or the wrong variant.
- Remove line breaks and spaces from Base64 copied from logs or email. This tool handles common whitespace, but other parsers may not.
- Do not treat Base64 as a security mechanism. It is encoding, not confidentiality, authentication, or integrity protection.
- When changing libraries, languages, or runtimes, run an encode and decode round-trip and compare the result to the original text.
- Large binary data grows by about one third when encoded as Base64. File upload, signed URLs, or binary streams are often a better fit.
Limitations
Base64 is reversible encoding with clear boundaries. Understanding those limits prevents it from being misused as a security or file-processing solution.
- Base64 is encoding, not encryption. Anyone can decode it, so do not use it to hide tokens, passwords, or personal data.
- This page targets text. Use file-aware tools for images, PDFs, archives, and audio.
- Base64 increases data size by about one third, which can add memory, bandwidth, and clipboard pressure for large files.
- Text is handled as UTF-8 only. Legacy data in GBK, Shift-JIS, or another encoding must be converted at the byte level first.
- Inputs in the tens of MB can make textareas and clipboard operations slow. Use streaming scripts or file tools for that scale.
- The tool does not silently guess between standard Base64 and Base64url. Choose URL-safe mode explicitly based on the data source.
- Decode strictly validates length and alphabet. A single invalid character fails the whole input to avoid silent corruption.
FAQ
Practical answers about variants, padding, Unicode, security, privacy, and data integrity.
Is Base64 encryption?
No. Base64 only represents bytes as printable characters. It has no key and provides no confidentiality. Anyone can decode it. Use real encryption for secrecy, and use HMAC or digital signatures for integrity.
What is the difference between standard Base64 and Base64url?
Base64url uses a form that is safer for URLs, cookies, and filenames, and it often omits trailing padding. Standard Base64 is more common in Basic Auth, MIME, Data URLs, and text protocol contexts.
Why do some browser methods fail on CJK text or emoji?
Some older methods only accept single-byte text, so CJK text, emoji, and accented characters fail. This tool converts text to UTF-8 bytes before Base64 conversion, so multilingual content is handled correctly.
Why does decoded output look garbled?
The input may be binary content, the original text may not be UTF-8, or the wrong Base64 variant may be selected. Try URL-safe mode first, then decide whether a file or encoding conversion tool is needed.
Why are some Base64 strings missing trailing padding?
URL-safe values and JWT segments commonly omit trailing padding. This tool handles common missing padding during decode, so you do not need to add it manually.
Can I encode files with this tool?
This page only handles text input. For images, PDFs, and other files, use the relevant image-to-Base64 or file tool so the file is read as bytes.
Does my data leave the browser?
No. Encoding, decoding, validation, copy, and use output as input all run inside the current browser tab. The input is not sent to a server.
Is Base64url the encoding used by JWT?
Yes. JWT header, claims, and signature segments use unpadded Base64url. Enable URL-safe mode when working with JWT segments.
Why does the result decode but fail inside a URL?
The value was probably standard Base64 placed directly into a URL. URL-safe mode produces Base64url, which is better suited for link parsing.
Can the tool detect the Base64 variant automatically?
Not reliably for short strings, because many characters are valid in both variants. If decoding fails, switch URL-safe mode and try again.
How large can the input be?
A few MB is usually comfortable. Tens of MB can make the page and clipboard noticeably slow, so streaming scripts or file-aware tools are better at that size.
Does Base64 protect data integrity?
No. Base64 has no checksum, authentication, or signature. If you need to know whether content changed, apply HMAC, a digital signature, or another integrity mechanism before encoding.
Related tools
Continue with adjacent tasks: percent-encode the result for URLs, inspect JWT segments, or switch between image Base64 and scannable-code tools.