Does Base64 encoding encrypt my data?

No. Base64 is an encoding scheme, not encryption. Anyone who has the Base64 string can decode it back to the original data instantly — no key or password needed. It's designed purely to make binary data safe for text-based transport, not to hide it. For actual security, use AES or similar encryption before (or instead of) Base64 encoding.

Why does my Base64 output end with one or two equal signs?

Base64 groups input bytes in sets of three. When the input length isn't divisible by three, the encoder pads the final group with one or two '=' characters to fill the 4-character output block. One '=' means one padding byte was added; '==' means two. The padding has no data content — it's purely a structural marker. URL-safe mode typically strips these pads since modern decoders can infer the length.

What's the difference between standard Base64 and URL-safe Base64?

Standard Base64 uses '+' and '/' as the 62nd and 63rd characters in its alphabet. Both are special characters in URLs — '+' decodes as a space in query strings, and '/' is a path separator. URL-safe Base64 (RFC 4648 §5) replaces them with '-' and '_' respectively, making the output safe to embed in URLs, filenames, and HTTP headers without percent-encoding. JWTs use URL-safe Base64 exclusively.

Why does Base64 increase file size by about 33%?

Base64 converts every 3 bytes of input into 4 ASCII characters. That's a 4/3 ratio, which equals roughly 133% of the original size — a 33% overhead. If you enable line-wrapping at 76 characters, newline characters add a small amount on top of that. This overhead is the trade-off for guaranteed ASCII-safe output; it's why Base64 is appropriate for payloads that need text-safe transport, but you wouldn't use it for general-purpose compression.

Can I use this tool to decode a JWT token?

Yes. A JWT has three Base64URL-encoded sections separated by dots. Take the second section (the payload, between the first and second dot) and paste it into the Decode tab. The decoder auto-handles URL-safe characters and will output the JSON claims object — including the user ID, expiry time, roles, and any custom claims. Note that the signature (third section) is a cryptographic hash, not readable JSON, but it will decode to binary bytes.

What happens when I encode a file — does it get uploaded anywhere?

Nothing is uploaded. The File tab uses the browser's FileReader API to read the file into memory locally, then processes it with JavaScript running entirely on your device. The Base64 output is computed in-browser and displayed without any network request. This makes the tool safe to use with sensitive files like private keys, certificates, or confidential documents.

Base64 Encoder / Decoder

🔐 Base64 Encoder / Decoder

Convert text or files to/from Base64 — URL-safe mode, live byte count, full Unicode support

URL-safe mode (replace +/= with -_) Line-wrap at 76 chars

Input Text

Input: 0 bytes

Output: 0 chars

Ratio: —

Result will appear here…

What Base64 Actually Does — and Why Developers Reach For It Daily

If you've spent any time poking around HTTP headers, JWT tokens, or email attachments, you've run into Base64. It looks like noise — a wall of letters, numbers, plus signs, and equal signs — but there's a precise system underneath. Understanding that system makes you a sharper developer, because you'll know exactly when to use it and when it's overkill.

Base64 encodes binary data as a sequence of printable ASCII characters. That sounds abstract, so here's the concrete problem it solves: many text-based protocols (SMTP for email, JSON in REST APIs, HTML data: URIs) were never designed to carry raw binary. A stray null byte or a carriage-return/line-feed pair can corrupt the payload or terminate a field early. Base64 sidesteps all of that by mapping every 3 bytes of binary data into 4 characters drawn from a 64-character alphabet (A–Z, a–z, 0–9, +, /). The output is always printable, always transmission-safe.

The Encoding Process, Step by Step

Take the three ASCII bytes for the word "Man": M = 77, a = 97, n = 110. Written in binary that's three 8-bit groups — 01001101, 01100001, 01101110 — giving you 24 bits total. Base64 regroups those same 24 bits into four 6-bit chunks: 010011, 010110, 000101, 101110. Each chunk maps to an index (19, 22, 5, 46), and those indices point to characters in the Base64 alphabet: T, W, F, u. So "Man" becomes "TWFu". Every time.

When the input length isn't a multiple of three, padding kicks in. A single leftover byte becomes two Base64 characters followed by "==". Two leftover bytes become three characters and a single "=". That's the only purpose of those trailing equal signs — they're padding, not part of the data.

Using the Encoder: Text and Unicode

Open the Encode tab and paste any text into the input field. Hit "Encode to Base64" and the result appears instantly in the output box. The byte counter updates live as you type, showing you the UTF-8 byte size of your input — which matters because a single emoji or Devanagari character can be 3–4 bytes, not one.

The tool handles full Unicode correctly. Internally it runs encodeURIComponent then unescape before calling btoa, which is the standard browser-safe trick to convert multibyte characters into their UTF-8 byte sequences before Base64 encoding. This means you can encode an API response containing Japanese text, Cyrillic, or Arabic without getting garbled output on the other end.

The ratio badge tells you how much the output grew. Base64 always expands by roughly 33% — 3 input bytes produce 4 output characters. If you see a ratio of 133% you know things are working correctly.

URL-Safe Mode: When Standard Base64 Breaks URLs

Standard Base64 uses + and /, both of which are reserved characters in URLs. If you embed a standard Base64 string in a query parameter without careful percent-encoding, the + gets interpreted as a space and the / can be read as a path separator. Things break quietly.

Check the "URL-safe mode" box before encoding. The tool swaps + for -, / for _, and strips the trailing = padding. The result is a string you can drop directly into a URL, a filename, or a JWT header without any extra encoding step. This variant is sometimes called Base64URL and is defined in RFC 4648 §5. JWTs use it for all three of their dot-separated sections: header, payload, and signature.

The decoder tab accepts both formats — it auto-detects URL-safe characters and normalizes them before decoding, so you don't need to manually swap them back.

Decoding: Verifying Tokens and Inspecting Payloads

Switch to the Decode tab and paste any Base64 string. The tool first attempts to decode it as valid UTF-8 text — useful for JWTs, Basic Auth headers, or any text payload. If the decoded bytes aren't valid UTF-8 (meaning the source was a binary file, an image, or a certificate), the tool detects this and shows a byte count with a "Download decoded file" button, so you can save the binary without corruption.

A practical example: grab the middle section of any JWT (the part between the first and second dots), paste it into the decode tab, and hit decode. You'll see the JSON claims object — sub, iat, exp, roles — in plain text. This is exactly how developers inspect tokens during debugging without reaching for an external service that might log your production tokens.

File Encoding: Images, PDFs, and Binary Data

The File tab accepts any file via drag-and-drop or the file picker. Once you select a file, the tool reads it as an ArrayBuffer in the browser — no upload to any server happens at any point. Click "Encode File to Base64" and you get the Base64 representation of the raw bytes.

This is directly useful for embedding small images in CSS or HTML without a separate network request: background-image: url("data:image/png;base64,iVBORw0KGgo..."). It's also how you'd prepare a PDF attachment for a Mailgun or SendGrid API call, which expects the file content as a Base64 string in a JSON field rather than a multipart form upload.

The line-wrap option inserts a newline every 76 characters. Some older systems — particularly MIME email parsers and PEM certificate formats — require this wrapping. PEM files (the ones that start with -----BEGIN CERTIFICATE-----) are literally Base64 with 64-character line wrapping sandwiched between header/footer markers.

Common Mistakes and How to Spot Them

The most frequent decoding error is whitespace. If you copy a Base64 string from a PDF viewer or a terminal that wrapped the line, invisible newlines end up in the string. The decoder strips whitespace automatically before processing, which saves you from that class of bug.

Another common mistake is double-encoding — taking something already in Base64 and encoding it again. The output is valid Base64 but decoding it once gives you Base64, not your original data. If your decoded output looks like more Base64, that's your diagnostic clue: run it through the decoder a second time.

Finally, watch the padding. If you manually trim or truncate a Base64 string, the decoder will throw an "Invalid Base64" error because the 4-character group structure is broken. The URL-safe mode strips padding intentionally and the decoder knows how to restore it, but arbitrary trimming is not recoverable without knowing the original length.

Where Base64 Shows Up in Real Codebases

Once you know what Base64 looks like, you see it everywhere: Basic Authentication headers send username:password as Base64 (this is not encryption — anyone with the header can decode it instantly, which is why HTTPS is non-negotiable for Basic Auth). SSH public keys end in a long Base64 blob. Environment variables in CI/CD pipelines often store entire JSON service-account files as Base64 so the whole thing fits in a single variable. CSS data URIs for inline SVGs. WebSocket handshake nonces. The list is long.

This encoder/decoder runs entirely in your browser using the Web Crypto-adjacent btoa and atob APIs, with a Unicode shim on top. Nothing leaves your machine, which matters when the text you're encoding is an API key, a private certificate, or a credentials payload you'd rather not send across the network to an unknown server.