Base64
Encode / Decode
Convert text to Base64 and back. UTF-8 safe, URL-safe variant supported, runs entirely in your browser — nothing is uploaded.
Last reviewed: May 2026
Decoding a JWT, not just Base64?
Open the JWT Decoder →A-Z, a-z, 0-9, +, /). It's used to embed binary in text-only contexts like email, JSON, or data: URLs. This tool encodes text to Base64 and decodes Base64 back to text — fully in your browser.
What is Base64?
Base64 is a binary-to-text encoding scheme standardised in RFC 4648. It maps every group of 3 input bytes (24 bits) to 4 output characters (6 bits each), drawn from a fixed alphabet of 64 printable ASCII characters: the uppercase letters A-Z, the lowercase letters a-z, the digits 0-9, and the two symbols + and /. The trailing = character is padding, used so the output length is always a multiple of 4.
Because the output uses only printable ASCII, Base64 makes arbitrary binary data safe to drop into channels that were built for text — SMTP email bodies, JSON string fields, XML, HTTP headers, HTML data: URLs, environment variables, and so on. The cost is size: the encoded form is roughly 33% larger than the original (4 output chars per 3 input bytes), plus up to 2 extra = chars of padding. For a 1 KB binary you get about 1.36 KB of Base64.
The standard alphabet uses + and /, which are both reserved characters in URLs (and / is the path separator). For URL or filename use, RFC 4648 §5 defines a URL-safe variant that replaces + with - and / with _, and frequently omits the trailing = padding entirely. JWTs, web push, OAuth state, and most modern web-API tokens use this URL-safe form.
UTF-8 and the btoa trap
The browser's built-in btoa() only handles binary strings — characters in the 0-255 range. If you call btoa("Hello, 世界!") directly you get an InvalidCharacterError because the Chinese characters are outside Latin-1. This tool wraps btoa / atob with TextEncoder and TextDecoder so any Unicode input — emoji, CJK, accented letters — round-trips correctly via UTF-8.
Security note — Base64 is encoding, not encryption. Anyone with the encoded string can decode it back to the original bytes in one line of code. Don't use it to "hide" passwords, API keys, or anything sensitive — the encoded form is just as readable as the plaintext to anyone who knows what to look for. If you need confidentiality, use proper encryption (AES-GCM, NaCl, age, etc.).
Common uses for Base64
Frequently asked questions
Is Base64 encryption?
No. Base64 is an encoding, not encryption. Anyone with the encoded string can decode it back to the original bytes in one line of code — there is no key and no secret involved. Use it to make binary data safe to transport through text-only channels, not to hide information.
What does URL-safe Base64 mean?
The standard Base64 alphabet uses + and / which both have reserved meaning in URLs, and = which has to be percent-encoded. URL-safe Base64 (RFC 4648 §5) replaces + with - and / with _, and often drops the trailing = padding, so the encoded value can be dropped straight into a URL path, query string, or filename without any escaping.
Why is my Base64 output bigger than the input?
Base64 encodes every 3 bytes of input into 4 ASCII characters of output, so the encoded form is roughly 33% larger than the original — plus up to 2 bytes of = padding. That overhead is the cost of representing arbitrary binary using only 64 printable characters. It's the same reason base64-encoded email attachments and data: URLs are noticeably larger than the underlying file.
Is my input sent to a server?
No. This tool runs entirely in your browser using the native btoa / atob functions wrapped with TextEncoder / TextDecoder for UTF-8 correctness. Nothing is uploaded, logged, or stored. You can open the network tab in DevTools to confirm there are no requests when you encode or decode.