Base64 Encoder / Decoder

How Base64 works

Base64 turns arbitrary bytes into a 64-character ASCII alphabet — A–Z, a–z, 0–9, +, and / — by packing three input bytes (24 bits) into four output characters (6 bits each). Every encoded output is roughly 4/3 the size of the input, padded with one or two = signs so the total length is a multiple of 4.

It's not encryption — anyone can decode it. The point is to safely transmit binary data through systems that only handle text: email bodies (MIME), data: URIs, JSON strings, basic-auth headers, JWT segments, cookies, etc.

URL-safe Base64

Standard Base64 uses + and /, which have special meanings in URLs. The URL-safe variant (RFC 4648 §5) replaces them with - and _ respectively, and usually drops the trailing = padding. JWTs use this variant: each header / payload / signature segment is URL-safe Base64 with no padding. Toggle URL-safe on the left to switch.

UTF-8 round-trip safety

JavaScript's built-in btoa() / atob() only handle Latin-1 — they choke on emoji, Chinese, Cyrillic, etc. This tool wraps them with encodeURIComponent + unescape on encode, and the inverse on decode, so any UTF-8 string round-trips correctly: "Hello 世界 🌍" → "SGVsbG8g5LiW55WMIPCfjI0=" → "Hello 世界 🌍". File uploads encode the raw bytes as-is via FileReader.readAsArrayBuffer — no UTF-8 reinterpretation, so binaries (PNG, PDF, ZIP) survive a round trip unchanged.

Common uses

• data: URIs — data:image/png;base64,iVBORw0… embeds a small image directly in HTML or CSS without a separate request.
• HTTP basic auth — Authorization: Basic dXNlcjpwYXNz is just user:pass Base64-encoded (always use HTTPS — Base64 is not a secret).
• JWT — header.payload.signature, each segment URL-safe Base64.
• API tokens / signed cookies — making opaque blobs cookie- and URL-safe.
• Email attachments — MIME wraps binary parts in Base64 with line breaks every 76 characters.

Use this tool to: decode a JWT payload, inspect a data: URI, prepare a basic-auth header, or just see what your file looks like in Base64.

Limitations and source

Base64 is defined in RFC 4648. This page supports the standard alphabet and the URL-safe alphabet from section 5. It does not encrypt, sign, compress, virus-scan, or validate what the decoded bytes mean.

Large files may use significant browser memory because the encoded result has to be displayed as text. For very large binaries, use a local command-line tool instead.

Last reviewed: 2026-05-14. Text and file processing happen in the browser; uploaded files are not sent to a server.

Frequently asked questions

Is Base64 encryption?

No. Base64 is reversible text encoding, not encryption. Anyone who has the encoded string can decode it.

Why is the output larger than the input?

Base64 packs three input bytes into four text characters, so the encoded output is usually about 33% larger before line wrapping or metadata.

Are uploaded files sent to a server?

No. File encoding uses the browser File API and runs locally on your device.