Base64 Encoder / Decoder

Encode text to Base64 or decode Base64 to plain text — instantly in your browser.


About Base64

A–Z  → 0–25
a–z  → 26–51
0–9  → 52–61
+    → 62
/    → 63
=    → padding

Base64 encodes 3 bytes into 4 ASCII characters, producing output ~33% larger than the input. It is used in JWT, HTTP auth, data URIs, and MIME email attachments.

How to use?

  1. Enter your text: Type or paste the text you want to encode into Base64, or paste a Base64 string you want to decode.
  2. Click Encode or Decode: Press Encode to convert plain text to Base64, or Decode to recover the original text from a Base64 string.
  3. Copy the result: Use the copy button or Swap to move the output back to input for chained operations.

FAQ

What is Base64 used for?
Base64 is used wherever binary data must travel through text-only channels: JWT tokens, HTTP Basic Authentication, email MIME attachments, inline data URIs in HTML/CSS, API payloads, and secrets in CI/CD environments.
Is Base64 the same as encryption?
No. Base64 is an encoding scheme, not encryption. It provides zero security — anyone can decode it instantly. Never use Base64 to hide passwords or sensitive data. Use proper encryption (AES-256, RSA) for real confidentiality.
Why does Base64 output end with = signs?
Base64 encodes data in 3-byte groups. When input length is not a multiple of 3, one or two = padding characters are added so output length is always a multiple of 4.

What Is Base64 Encoding?

Base64 is a binary-to-text encoding scheme that converts arbitrary binary data into printable ASCII characters. Originally developed for the MIME email standard (RFC 2045) and formalized in RFC 4648, it has become one of the most widely used encoding mechanisms in web development and APIs. The name comes from the 64-character alphabet: 26 uppercase letters (A–Z), 26 lowercase (a–z), 10 digits (0–9), plus + and /.

How Base64 Works

The algorithm processes input in groups of 3 bytes (24 bits). Each 24-bit group is split into four 6-bit chunks. Since 2⁶ = 64, each chunk maps to one Base64 character. When input is not divisible by 3, one or two = padding characters are appended so output length is always a multiple of 4. Output is approximately 33% larger than the original.

Standard vs. URL-Safe Base64

Standard Base64 (RFC 4648 §4) uses + and / which require percent-encoding in URLs. URL-safe Base64 (RFC 4648 §5) replaces them with - and _. JWT tokens always use URL-safe Base64.

Essential Use Cases

JWT — JSON Web Tokens

JWT headers and payloads are Base64url-encoded. A JWT consists of three dot-separated parts: header.payload.signature. Decoding the first two reveals the algorithm and claims as plain JSON. This is fundamental to OAuth 2.0, OpenID Connect, and modern REST API authentication. Critical note: JWT payloads are only encoded, not encrypted — anyone with the token can read the payload.
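The sketch below is an added example, not code from this tool. It decodes Base64 by reassembling 6-bit chunks, accepts both the standard and URL-safe alphabets with or without padding, and reads a JWT's header and claims without any key. The function names and the sample token are constructed for illustration.

```javascript
const ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Decode standard or URL-safe Base64 (padded or unpadded) to bytes.
function base64Decode(input) {
  // Map the URL-safe alphabet (RFC 4648 §5) onto the standard one and drop padding.
  const s = input.replace(/-/g, "+").replace(/_/g, "/").replace(/=+$/, "");
  if (s.length % 4 === 1) throw new Error("invalid Base64 length");
  const out = [];
  let buffer = 0, bits = 0;
  for (const ch of s) {
    const v = ALPHABET.indexOf(ch);
    if (v === -1) throw new Error("invalid Base64 character: " + ch);
    buffer = (buffer << 6) | v;   // append one 6-bit chunk
    bits += 6;
    if (bits >= 8) {              // a full byte is available
      bits -= 8;
      out.push((buffer >> bits) & 0xff);
      buffer &= (1 << bits) - 1;  // keep only the leftover bits
    }
  }
  return Uint8Array.from(out);
}

// Read a JWT's header and claims. No key is used and the signature is NOT
// verified: this shows what any holder of the token can read, not what to trust.
function readJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const json = (part) => JSON.parse(new TextDecoder().decode(base64Decode(part)));
  return { header: json(parts[0]), claims: json(parts[1]) };
}

// Constructed sample token (not a real credential); the signature is a placeholder.
const toB64Url = (s) => btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleToken = [
  toB64Url(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  toB64Url(JSON.stringify({ sub: "user-42", role: "admin", email: "alice@example.com" })),
  "constructed-signature-placeholder",
].join(".");

console.log(readJwt(sampleToken));
```

Because the claims come back as plain JSON with no secret involved, anything placed in a JWT payload should be treated as readable by whoever holds the token, and a server must verify the signature before acting on those claims.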

HTTP Basic Authentication

The HTTP Basic Auth scheme encodes username:password as Base64 in the Authorization header. This must always be used over HTTPS since Base64 is trivially reversible.

Data URIs and Inline Assets

Embedding small binary files in HTML eliminates HTTP requests: . Best reserved for assets under 10 KB since Base64 inflates file size by ~33%.

Email MIME Attachments

SMTP was designed for 7-bit ASCII text. Base64 allows binary files — images, PDFs, ZIP archives — to pass through email infrastructure unchanged via Content-Transfer-Encoding: base64.

API Payloads and Secrets

REST APIs embed binary content (TLS certificates, SSH keys) as Base64 strings within JSON. Kubernetes, Docker, and CI/CD platforms store Base64-encoded secrets in YAML and environment variables to handle special characters safely.

Base64 Is Not Encryption

Base64 provides zero confidentiality. Anyone can decode it in milliseconds. Never use Base64 to hide passwords, API keys, or personal data. For real security use AES-256-GCM or ChaCha20-Poly1305. For passwords, use bcrypt, scrypt, or Argon2.

Privacy

All operations run entirely in your browser. No input is ever sent to any server.
