Base64 Encode / Decode

Convert text to Base64 or decode Base64 back to readable text. Great for API debugging, tokens, and data encoding.

0
Characters
Mode
Encode → Base64

Input

Paste plain text to encode, or Base64 to decode. Runs locally in your browser.

Relevant tools

Browse all →

Quick internal links for common developer workflows.

JSON Formatter
Beautify + validate JSON responses.
URL Encoder / Decoder
Safely encode query strings and URLs.
JWT Decoder
Inspect JWT headers/payloads quickly.
Hash Generator
Generate hashes for strings.
HTML Entity Converter
Encode/decode HTML entities.
UUID Generator
Create UUIDs for testing.

What is Base64 Encoding?

Base64 is a binary-to-text encoding scheme that converts binary data into a string of ASCII characters using only 64 safe characters (A-Z, a-z, 0-9, +, and /). The name "Base64" comes from this character set size—it's a base-64 numeral system representation of binary data.

When you encode data as Base64, every 3 bytes (24 bits) of input gets converted into 4 ASCII characters (24 bits represented as 6-bit chunks). This makes the output about 33% larger than the original, but crucially, it can pass through text-only systems without corruption. You'll see Base64 used for email attachments (MIME encoding), embedding images in HTML/CSS (data URLs like data:image/png;base64,...), transmitting binary data in JSON or XML APIs, and encoding authentication credentials in HTTP headers.

Unlike encryption or hashing, Base64 doesn't secure your data—it simply reformats it. Anyone can decode Base64 back to the original content instantly. Think of it as translating between languages rather than locking content in a safe. For actual security, you need encryption algorithms like AES-256 or RSA, not Base64 encoding.

When to Use Base64 Encoding

You'll reach for Base64 when embedding small images directly in CSS or HTML files—instead of separate image files requiring HTTP requests, you can inline them as data:image/png;base64,iVBORw0KGgo... This reduces page load latency for icons and small graphics (under 10KB). API developers use Base64 for encoding binary file uploads in JSON payloads since JSON doesn't handle raw binary data—a PDF or image file gets converted to Base64 text, sent in a JSON field, then decoded server-side. Authentication systems encode username:password pairs as Base64 for HTTP Basic Authentication headers (though this isn't secure without HTTPS). Email systems have relied on Base64 since the 1990s for attaching files to text-based SMTP messages (check any email source and you'll see Base64 chunks). Developers debugging JWTs (JSON Web Tokens) decode the header and payload sections, which are Base64URL-encoded. Configuration files sometimes store binary data or secrets as Base64 strings to avoid parsing issues with special characters. If you're working with cryptographic keys, certificates, or signatures, you'll constantly see Base64-encoded PEM format (-----BEGIN CERTIFICATE-----).

Common Base64 Mistakes to Avoid

The biggest error is treating Base64 as encryption. Someone encodes their API key or password as Base64 thinking it's "hidden," but anyone can decode it in seconds. Base64 provides zero security—it's just a different representation of the same data. If you need actual protection, use encryption libraries or secure key management systems, not Base64.

Another frequent mistake happens when copying Base64 strings from logs or terminals—accidental whitespace gets included. Line breaks, spaces, tabs at the beginning or end will cause "Invalid Base64" errors. Before decoding, strip all whitespace. Most decoders tolerate whitespace within the string (Base64 email encoding adds line breaks every 76 characters), but leading/trailing whitespace often breaks things.

People also confuse standard Base64 with URL-safe Base64. Standard uses + and / characters, which need percent-encoding in URLs (%2B and %2F). URL-safe Base64 replaces these with - and _ so you can safely embed encoded data in query parameters or path segments. If you're decoding Base64 from a URL and getting errors, try swapping - for + and _ for /, or use a URL-safe decoder. Similarly, padding (= characters at the end) is sometimes omitted in URL-safe variants, causing decode failures if your decoder expects proper padding.

Developers sometimes try encoding huge files (multiple megabytes) as Base64 for transmission in JSON APIs or data URLs. Remember Base64 increases size by 33%—a 3MB image becomes 4MB. Modern browsers can handle reasonably-sized data URLs, but embedding a 10MB video as Base64 will bloat your HTML and kill performance. For large files, use proper file upload mechanisms (multipart/form-data) or cloud storage with URLs, not Base64 embedding.

How Base64 Encoding Works Step-by-Step

Let's encode the text "Hi!" to understand the process. First, convert each character to its binary representation using UTF-8 encoding:

Step 1: "H" = ASCII 72 = binary 01001000
Step 2: "i" = ASCII 105 = binary 01101001
Step 3: "!" = ASCII 33 = binary 00100001
Combined: 010010000110100100100001 (24 bits total)

Step 4: Split the 24 bits into four 6-bit groups:
010010 | 000110 | 100100 | 100001

Step 5: Convert each 6-bit group to decimal:
010010 = 18 | 000110 = 6 | 100100 = 36 | 100001 = 33

Step 6: Map each decimal value to the Base64 character set:
18 = S | 6 = G | 36 = k | 33 = h

Result: "Hi!" encodes as "SGkh"

If the input isn't a multiple of 3 bytes, padding gets added. For example, "Hi" (2 bytes = 16 bits) needs padding to reach 24 bits. The encoder adds zero bits, then appends = characters to signal padding: "Hi" becomes "SGk=". One = means one byte of padding; two == means two bytes. When decoding, the decoder strips the padding and reconstructs the original binary data, then converts it back to text using UTF-8 or whatever character encoding was used originally. The Base64 character set (A-Z, a-z, 0-9, +, /) gives 64 possible values (2^6), which is why we use 6-bit chunks—each chunk maps to exactly one Base64 character.

Pro Tips for Working With Base64

When embedding images as data URLs in CSS or HTML, only do this for small assets under 5-10KB like icons, logos, or UI elements. Larger images should load from separate files so browsers can cache them across pages. A 50KB Base64-encoded image bloats your HTML and prevents caching—the browser re-downloads it every page load. For critical above-the-fold images, data URLs can improve initial render speed, but use them sparingly.

If you're decoding Base64 in production code, always validate the input length and format before attempting to decode. A malformed or extremely long Base64 string could crash your application or consume excessive memory. Set reasonable size limits (like 10MB max for file uploads encoded as Base64) and sanitize input. Attackers sometimes try injecting massive Base64 payloads to trigger denial-of-service conditions.

For URL-safe encoding, use libraries that handle the character substitution automatically (most languages have base64url_encode functions). Don't manually replace + with - after encoding—use the URL-safe encoder from the start to avoid edge cases. In JavaScript, you can implement URL-safe Base64 by encoding normally then replacing: encoded.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '') for encoding, and reversing the process for decoding.

When debugging API responses containing Base64, use a tool like this to quickly decode and inspect the content rather than staring at gibberish characters. Many logs and debugging tools don't automatically decode Base64, so you'll see long encoded strings without knowing what they contain. Copy, decode, and you might find JSON data, error messages, or binary file metadata that helps troubleshoot issues.

Base64 Standards and Variants

The original Base64 specification appears in RFC 4648 (published October 2006), which defines the standard 64-character alphabet and padding rules. This document updated and consolidated earlier specifications scattered across various RFCs. Standard Base64 uses A-Z (values 0-25), a-z (26-51), 0-9 (52-61), plus + (62) and / (63), with = as the padding character.

RFC 4648 also defines the "base64url" variant specifically for URLs and filenames. It replaces + with - (hyphen) and / with _ (underscore), eliminating characters that require percent-encoding in URLs. Padding (=) is often omitted in base64url since = also needs encoding in URLs. JWT tokens use base64url for their three period-separated segments because these tokens frequently appear in URLs and HTTP headers.

Before Base64, MIME (Multipurpose Internet Mail Extensions) encoding used a similar scheme defined in RFC 2045 (1996). MIME Base64 is functionally identical to standard Base64 but includes rules about line length—encoded data should break into lines of at most 76 characters for email compatibility. Modern Base64 implementations generally follow RFC 4648 and handle MIME line breaks transparently during decoding.

Other encoding schemes exist for different purposes: Base32 uses only 32 characters (avoiding ambiguous characters like O/0 and I/l), making it suitable for case-insensitive systems and human-readable tokens. Base85 (also called Ascii85) achieves better efficiency than Base64 (25% overhead vs 33%) and is used in PDF files and version control systems like Git. Base64 remains the most widely supported and is effectively the standard for binary-to-text encoding across the web and software development.

Standards Documentation and Resources

The authoritative specification for Base64 encoding is RFC 4648: The Base16, Base32, and Base64 Data Encodings, published by the Internet Engineering Task Force (IETF) in October 2006. This document defines the standard alphabet, encoding procedure, padding rules, and URL-safe variant used across modern software systems.

For email applications, RFC 2045: MIME Part One specifies Content-Transfer-Encoding for email attachments, including Base64 with line length restrictions. The World Wide Web Consortium (W3C) references Base64 encoding in data URL specifications and various web standards documents.

Programming language implementations follow these RFCs closely. The MDN Web Docs provide comprehensive documentation for JavaScript's btoa() and atob() functions, including Unicode handling considerations. For cryptographic applications involving Base64-encoded keys and certificates, consult the National Institute of Standards and Technology (NIST) publications on cryptographic standards and OpenSSL documentation for PEM format specifications.

Frequently Asked Questions

What is Base64 used for?

Base64 transforms binary data or text into ASCII-safe characters that won't break when transmitted through systems expecting plain text. You'll see it in email attachments (MIME encoding), data URLs for embedding images directly in HTML/CSS (like data:image/png;base64,...), authentication tokens in HTTP headers, and API responses containing binary files. It's the go-to solution whenever you need to send binary content through text-only channels like JSON, XML, or URLs.

Is Base64 encryption?

Nope, it's just encoding. Anyone can decode Base64 back to the original data instantly—there's no key, no secret. Think of it like translating English to Spanish and back; it changes the format but doesn't hide the meaning. Don't use Base64 to protect passwords, API keys, or sensitive data. If you need actual security, use encryption (AES, RSA) or hashing (SHA-256) instead.

Why does decoding fail with 'Invalid Base64'?

Usually happens when the string is corrupted or incomplete. Common culprits: missing padding characters (the = signs at the end), accidentally including line breaks or spaces when you copied it, using URL-safe Base64 (which swaps + and / for - and _), or the string got truncated. Try removing any whitespace first. If you're working with URL-safe Base64, you'll need a decoder that handles that variant specifically.

Does this tool upload my data?

Everything runs locally in your browser—no server uploads, no network requests for the conversion itself. Your input and output never leave your device. We don't log or store what you encode or decode. That said, if you later add analytics (like Google Analytics), those services might see page views and usage stats, so update this notice if that changes.

Can I encode Unicode (emoji / non-English) text?

Yeah, this tool converts Unicode to UTF-8 bytes before encoding, so emoji, Chinese characters, Arabic script—whatever—will encode correctly. When decoding, it reverses the process and gives you back the original Unicode text. Just be aware that Base64 output will be larger than the original UTF-8 byte count (about 33% bigger) because it uses only 64 safe ASCII characters to represent 256 possible byte values.

What's the difference between standard and URL-safe Base64?

Standard Base64 uses + and / characters, which have special meaning in URLs and need escaping (%2B and %2F). URL-safe Base64 replaces those with - and _ so you can stick the encoded string directly in URLs without encoding issues. The padding (=) sometimes gets dropped in URL-safe variants too. If you're decoding something from a URL and getting errors, try a URL-safe Base64 decoder instead.

How much larger does Base64 make my data?

About 33% bigger. Every 3 bytes of input becomes 4 bytes of Base64 output because Base64 uses 6 bits per character instead of 8. So a 300-byte image becomes roughly 400 bytes when Base64-encoded. For small files this doesn't matter much, but encoding a 5MB file will turn it into nearly 6.7MB—worth considering if you're embedding large images as data URLs.

Can I decode Base64 that contains line breaks?

Usually yes. Most Base64 decoders (including this one) ignore whitespace like line breaks, spaces, and tabs. The original Base64 spec actually recommends adding line breaks every 76 characters for email compatibility. So if you paste a multi-line Base64 string, it should decode fine—just make sure the actual Base64 characters themselves aren't corrupted.

Tool Vault — Base64 Encode / Decode. Fast, private, and mobile-friendly.