Base64 Encoder/Decoder

Last updated: April 1, 2026

Base64 Encoder & Decoder

Encode text to Base64 or decode Base64 back to plain text. Supports UTF-8, ASCII, and binary data. Essential for working with APIs, email attachments, and data URIs.

What Is Base64

Base64 converts binary data into a text format using 64 ASCII characters (A-Z, a-z, 0-9, +, /). It increases data size by roughly 33% but ensures safe transmission through text-only channels.

Common Uses

  • Email attachments: MIME encoding uses Base64
  • Data URIs: Embed small images directly in HTML/CSS
  • API authentication: HTTP Basic Auth encodes credentials in Base64
  • JWT tokens: Header and payload are Base64URL encoded

Important Notes

  • Base64 is encoding, NOT encryption — it provides zero security
  • Never use Base64 to hide passwords or sensitive data
  • Base64URL variant replaces + with - and / with _ for URL safety

Base64 Is Not Encryption — And Understanding That Changes Everything

Every week, developers paste Base64-encoded strings into chat threads, bug reports, and commit messages as if the encoding itself provides some layer of protection. It does not. Base64 is a binary-to-text encoding scheme, nothing more. Its sole job is to make arbitrary binary data safe to travel through channels that only understand ASCII text — email bodies, JSON payloads, CSS data URIs, HTTP headers. Once you internalize this distinction, you start using Base64 encoder/decoder tools with real purpose instead of cargo-cult habit.

What the Encoding Actually Does to Your Data

Base64 takes every three bytes of input and converts them into four printable ASCII characters drawn from a 64-character alphabet: uppercase A–Z, lowercase a–z, digits 0–9, plus + and /, with = used as padding. The math is straightforward — 3 bytes is 24 bits, split into four 6-bit groups, each mapped to one character in the alphabet.

The practical consequence: Base64 output is always approximately 33% larger than the original input. A 300 KB image embedded as a data URI in your CSS becomes roughly 400 KB of ASCII. This is not a bug — it is the deliberate trade-off the format makes to guarantee safe transmission. A good Base64 encoder/decoder tool makes this expansion immediately visible, showing you both the character count of the input and the resulting encoded length so you can make an informed decision about whether embedding is worth the overhead.

Three Real Workflows Where This Tool Earns Its Place

Abstract explanations only go so far. Here are three concrete situations where reaching for a Base64 tool is the correct move:

  1. Embedding small assets in HTML or CSS. A favicon or a small icon SVG — say, under 2–3 KB — can be inlined directly into a stylesheet as a data:image/svg+xml;base64,... URI. This eliminates one HTTP round trip. For a file this small, the 33% size overhead is negligible compared to the latency cost of an additional request, especially on mobile connections. Use the encoder, grab the output, prefix it with the appropriate MIME type, and you are done.
  2. Debugging JWT tokens. JSON Web Tokens are three Base64URL-encoded segments separated by dots. The header and payload sections are not encrypted in a standard JWT — they are simply encoded. Paste the payload segment into a decoder and you will immediately see the raw JSON claims: the subject, issuer, expiration timestamp, and any custom fields your authentication server is sending. This is genuinely useful when a session is behaving unexpectedly and you want to verify what the token actually contains without spinning up a debugger.
  3. SMTP and email attachment headers. The MIME standard relies heavily on Base64 for encoding email attachments. When an email client reports a corrupted attachment, the raw message source will show you the encoded block. A decoder lets you inspect the first few bytes to confirm whether the Content-Transfer-Encoding header matches the actual encoding used — a mismatch is a common source of corruption that is invisible until you decode it manually.

Base64 vs. Base64URL: The Variant That Trips People Up

Standard Base64 uses + and / as its 62nd and 63rd characters, with = for padding. These characters are not URL-safe. A standard Base64 string placed directly in a query parameter or a URL path segment will break, because + means a space in application/x-www-form-urlencoded encoding and / is a path delimiter.

Base64URL solves this by substituting - for + and _ for /, and it typically omits the trailing = padding entirely. JWTs, OAuth 2.0 PKCE code challenges, and most modern web authentication standards use Base64URL, not standard Base64. A decoder that does not handle both variants will silently produce garbage output or throw an error, and you will waste time suspecting the wrong layer of your stack. When selecting a Base64 tool, verify explicitly that it supports both modes and makes the distinction obvious.

Encoding Binary Files: Where Most Online Tools Fall Short

Text encoding is easy. Binary file encoding is where tool quality diverges. If you need to encode a PDF, a compiled binary, or a raw image buffer, the tool must handle arbitrary byte values without mangling the data. Text-mode tools that process input as UTF-8 strings will corrupt any byte sequence that is not valid UTF-8 — which covers most binary file formats.

A properly built Base64 encoder reads input as raw bytes, not as a text string. The difference is invisible when encoding ASCII text, which is why many developers never notice until they try to encode a PNG and discover the decoded output does not match the original. If your workflow involves binary files, test any tool you plan to rely on by encoding a small known binary, decoding the result, and comparing a checksum. If the SHA-256 hashes match, the tool is handling binary correctly.

Practical Tips That Save Debugging Time

  • Watch for whitespace in encoded output. Many servers, email clients, and code generators insert line breaks every 76 characters per the MIME specification. When you copy an encoded string from an email source and paste it into a decoder, strip line breaks first. Unexpected whitespace is responsible for a significant share of "invalid Base64" errors.
  • Padding errors are almost always a variant mismatch. If a decoder complains about incorrect padding, check whether the string uses Base64URL encoding with omitted = signs. Add the padding back (% of 4 determines how many = to append) or use a decoder with automatic padding correction.
  • The encoded output of identical input is always identical. Base64 is deterministic. If two encoded strings differ, the inputs differed — even if only by a single trailing newline or a different line ending convention. This property makes Base64 encoding useful as a quick sanity check when comparing data across systems.
  • Do not encode already-encoded data. Double-encoding is a common mistake in automation pipelines where a Base64 step is applied before a step that was already handling encoding internally. The result is valid Base64 that decodes to more Base64, which is annoying to unwind and usually indicates a configuration error in the pipeline.

Security Considerations You Cannot Afford to Ignore

Because Base64 looks like random noise to the untrained eye, it can create a false sense of security. Sensitive data — API keys, private keys, passwords, personal information — encoded in Base64 and stored in a public repository or transmitted over HTTP is fully exposed. Anyone who sees the string can decode it in seconds using any Base64 tool. Encoding is not a substitute for encryption.

There is one legitimate security-adjacent use case: some systems transmit secrets encoded in Base64 simply to avoid character encoding issues in transit. This is acceptable as long as the transport layer is properly secured (TLS 1.2 or higher) and the encoded value is never logged in plaintext. The encoding is there to protect against character corruption, not against interception.

Choosing the Right Tool for Production Pipelines

For one-off debugging and inspection, a browser-based encoder/decoder is perfectly adequate. For anything that runs on a schedule or in a CI/CD pipeline, use the command-line alternatives that ship with your operating system. On macOS and Linux, base64 is available natively. On macOS specifically, note that base64 -D is the decode flag, while Linux uses base64 -d. This small difference has caused more than a few cross-platform shell script failures.

For Node.js environments, Buffer.from(str, 'base64').toString('utf8') decodes, and Buffer.from(str).toString('base64') encodes. Python offers base64.b64encode() and base64.b64decode(), with base64.urlsafe_b64encode() for the URL-safe variant. Knowing these native equivalents means you can verify an online tool's output against a local implementation whenever correctness is critical — which, in production, it always is.

Disclaimer: This article is for general informational and educational purposes only and does not constitute professional, financial, medical, or legal advice. Results from any tool are estimates based on the inputs provided. Always verify important details and consult a qualified professional before making decisions.