Developer Tool

Base64 Encoder & Decoder

Encode text to Base64, decode Base64 strings, convert files and images to data URIs, and inspect JWT tokens. Runs entirely in your browser, with no data sent to servers.


What Is Base64?

Base64 is a binary-to-text encoding scheme that represents binary data using 64 printable ASCII characters: A–Z (26), a–z (26), 0–9 (10), and + and / (2), plus = for padding. It was designed to safely transmit binary data over channels that were designed to handle only text, such as email protocols and HTTP headers.

Base64 increases the size of data by approximately 33% (every 3 bytes of binary become 4 ASCII characters). This trade-off is worthwhile when the channel cannot handle arbitrary binary data. Modern web development uses Base64 extensively for embedding images in HTML/CSS, encoding credentials, and serializing binary data in JSON.

Standard Base64 vs Base64URL

| Feature | Standard Base64 | Base64URL |
| --- | --- | --- |
| Characters 62–63 | + and / | - and _ |
| Padding | Uses = padding | Padding often omitted |
| URL safe? | ❌ + and / need encoding | ✅ Safe in URLs |
| Used in | Email (MIME), data URIs | JWT, OAuth tokens, URL params |

The URL-safe variant replaces + with - and / with _. This prevents issues when Base64 data appears in URLs or HTTP headers where + is interpreted as a space and / is a path separator.

Real-World Use Cases

HTTP Basic Authentication

The HTTP Authorization header for Basic auth is constructed as Authorization: Basic [base64(username:password)]. The credentials are Base64-encoded (not encrypted; always use HTTPS). This tool lets you inspect what's inside such headers.

Data URIs for Images

Data URIs embed file content directly in HTML or CSS: src="data:image/png;base64,[data]". This eliminates an HTTP request for small icons but increases HTML size. Suitable for small images, not large ones.

JWT (JSON Web Tokens)

JWTs consist of three Base64URL-encoded segments separated by dots: Header.Payload.Signature. The header and payload are readable JSON; the signature is a cryptographic hash. This tool's JWT Inspector decodes the header and payload for debugging.

API Request Bodies

Some APIs accept binary file uploads as Base64-encoded strings within JSON bodies. This avoids multipart form encoding complexity and allows file data to be included alongside other JSON fields in a single request.

Email Attachments (MIME)

Email protocols (SMTP) handle text. Attachments are encoded as Base64 within MIME multipart messages so that binary files (PDFs, images, etc.) can be safely transmitted over text-based mail servers.

Understanding JWTs

A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. It is widely used for authentication (login sessions) and authorization (API access control). The token's three parts are:

Important: The header and payload are only Base64-encoded: they are NOT encrypted or hidden. Anyone who has the token can read the payload. Never store sensitive data (passwords, credit card numbers) in JWT payloads.
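The following added example (not this tool's own source code) shows how a JWT's header and payload can be read with nothing but Base64URL decoding, and that a token whose payload was swapped decodes just as cleanly as the original. The function names, the sample claims and the placeholder signature are constructed for illustration.

```javascript
// Added example; function names and the sample token are constructed.
// Base64URL -> bytes: map "-"/"_" back to "+"/"/", then restore "=" padding.
function base64UrlToBytes(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) throw new Error("not Base64URL");
  if (segment.length % 4 === 1) throw new Error("invalid Base64URL length");
  const std = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = std + "=".repeat((4 - (std.length % 4)) % 4);
  // atob() returns a "binary string": one character per decoded byte.
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// bytes -> Base64URL, used here only to build the constructed sample token.
function bytesToBase64Url(bytes) {
  const binary = Array.from(bytes, (b) => String.fromCharCode(b)).join("");
  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// JSON -> UTF-8 bytes -> Base64URL (btoa() alone rejects non-Latin-1 text).
function encodeJson(obj) {
  return bytesToBase64Url(new TextEncoder().encode(JSON.stringify(obj)));
}

// Decode header and payload for inspection. No signature check happens here.
function inspectJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const utf8 = new TextDecoder();
  const [header, payload] = parts
    .slice(0, 2)
    .map((p) => JSON.parse(utf8.decode(base64UrlToBytes(p))));
  return { header, payload, signatureVerified: false };
}

// Constructed sample; the third segment is a placeholder, not a real signature.
const PLACEHOLDER_SIG = "placeholder-signature";
const sampleToken = [
  encodeJson({ alg: "HS256", typ: "JWT" }),
  encodeJson({ sub: "user-42", name: "Zoë", role: "viewer" }),
  PLACEHOLDER_SIG,
].join(".");

// Same header and signature, different payload: it still decodes without error,
// so decoded claims must never drive an access decision on their own.
const alteredToken = [
  sampleToken.split(".")[0],
  encodeJson({ sub: "user-42", name: "Zoë", role: "admin" }),
  PLACEHOLDER_SIG,
].join(".");
console.log(inspectJwt(sampleToken).payload, inspectJwt(alteredToken).payload);
```

Only a server-side signature check with the issuer's key can tell these two tokens apart; the decoder treats them identically.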

Frequently Asked Questions

Is Base64 a form of encryption?
No. Base64 is an encoding scheme, not encryption. The original data can be recovered by anyone who has the encoded string; no key is required. Do not use Base64 to "hide" sensitive data. For encryption, use AES, RSA, or other cryptographic algorithms.
Why does Base64 output sometimes end with == or =?
Base64 encodes 3 bytes at a time into 4 characters. If the input length isn't divisible by 3, padding characters (=) are added to make the output length a multiple of 4. One = means 1 byte of padding, == means 2 bytes. In Base64URL, this padding is often omitted.
Can I encode any file type with Base64?
Yes. Base64 operates on raw bytes, so it works with any file format: images, PDFs, audio, video, ZIP archives, executables, or any other binary format. The encoded output will always be valid ASCII text, roughly 33% larger than the original.
Does decoding a JWT verify it?
No. Decoding only reads the claims. Verification requires checking the cryptographic signature against the issuer's secret or public key, something that must be done server-side. This tool is for inspection/debugging only, not for security decisions.
Is the data I paste sent to a server?
No. All encoding and decoding happens locally in your browser using JavaScript's built-in btoa(), atob(), TextEncoder, and FileReader APIs. No data is transmitted to any server. You can use this tool offline after the page has loaded.