Base64 Encoder / Decoder
Encode plain text to Base64 (RFC 4648) or decode Base64 content back to readable text. Supports standard and URL-safe alphabets.
Text or Base64 input
Base64 result
Output
What is Base64 encoding?
Base64 is a binary-to-text encoding scheme defined in RFC 4648. It converts any sequence of bytes into a string made of 64 printable ASCII characters: A–Z, a–z, 0–9, +, and /, with = for padding. Because these characters are safe in virtually every text-based protocol, Base64 is the standard way to pass binary data through channels designed for text — email, JSON APIs, HTTP headers, and data URLs.
How Base64 encoding works (RFC 4648 §4)
The algorithm takes three bytes (24 bits) at a time and splits them into four 6-bit groups. Each 6-bit value (0–63) maps to one character in the Base64 alphabet. If the input length is not a multiple of three, one or two = padding characters are appended. This means output is always 33% larger than the input — a 100-byte file encodes to 136 characters.
Standard Base64 vs Base64URL (RFC 4648 §5)
| Variant | Characters 62–63 | Padding | Use case |
|---|---|---|---|
| Standard (§4) | + and / | = | Email (MIME), HTTP Basic Auth, data URLs |
| URL-safe (§5) | - and _ | Optional | JWT header/payload, URL query strings, filenames |
JWT tokens use Base64URL (not standard Base64). This is why copying a JWT header into a standard Base64 decoder may produce garbled output — the - and _ characters need to be swapped back to + and / first.
Base64 is encoding, not encryption
Base64 provides zero security. Anyone can decode it in under a second without a key. Never use Base64 to hide passwords, API keys, or sensitive strings — use proper encryption (AES-256-GCM) or hashing (bcrypt for passwords, SHA-256 for integrity). The only purpose of Base64 is safe text representation of binary data.
HTTP Basic Auth — a practical gotcha
The Authorization header for Basic Auth encodes credentials as Base64(username:password). This means credentials are trivially decodable by anyone who intercepts the header. Basic Auth is only safe over HTTPS — never over plain HTTP. Any request intercepted in transit (or logged) exposes the credentials in plaintext after a single decode operation.
Common use cases
- Data URLs — embed images in HTML/CSS as
data:image/png;base64,...to avoid an extra HTTP request - HTTP Basic Auth — the Authorization header encodes
Base64(username:password) - JSON payloads — pass binary data in a JSON body (JSON has no native binary type)
- Email attachments — MIME encoding uses Base64 to embed file attachments in plain-text email
- JWT tokens — the header and payload of every JWT are Base64URL-encoded (RFC 7519)
Native code equivalents
Production-ready snippets — same logic the tool runs, in your language// Standard Base64 (RFC 4648 §4) — btoa/atob are latin-1 only
// Use TextEncoder for full Unicode support
const encode = (str) => btoa(unescape(encodeURIComponent(str)));
const decode = (b64) => decodeURIComponent(escape(atob(b64)));
// Base64URL (RFC 4648 §5) — used by JWT tokens
const encodeUrl = (str) =>
btoa(unescape(encodeURIComponent(str)))
.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const decodeUrl = (b64url) => {
const b64 = b64url.replace(/-/g, '+').replace(/_/g, '/');
const pad = b64.length % 4 === 0 ? '' : '='.repeat(4 - b64.length % 4);
return decodeURIComponent(escape(atob(b64 + pad)));
};
// Node.js 18+
const encoded = Buffer.from('Hello, DevToolsHub!').toString('base64');
const decoded = Buffer.from(encoded, 'base64').toString('utf-8');