Free tool · Runs in your browser

Base64 Encoder / Decoder

Encode and decode Base64 with correct Unicode, the URL-safe alphabet, padding and line-wrap control, and full file / data-URI support. Edit either side and it converts instantly. Nothing is uploaded.

Alphabet
Text
13 bytes
Base64
20 chars

What is Base64?

Base64 is a way to represent binary data using 64 printable ASCII characters (A-Z, a-z, 0-9, and two symbols). It lets bytes - images, keys, anything - travel safely through channels that only handle text, like JSON, URLs, HTML, or email.

It is not compression and it is not encryption. In fact Base64 makes data about 33% larger; its only job is to survive text-only transport intact.

How it works

Base64 takes 3 bytes (24 bits) and splits them into 4 groups of 6 bits, then maps each 6-bit value (0-63) to a character. When the input is not a multiple of 3 bytes, = padding fills the gap - one = means 2 bytes of input, two means 1.

InputBase64Note
ManTWFu3 bytes -> 4 chars, no padding
MaTWE=2 bytes -> one = pad
MTQ==1 byte -> two = pad

Standard vs URL-safe

Standard Base64 uses + and /, which have special meaning in URLs and filenames. URL-safe Base64 swaps them for - and _ and usually drops the = padding, so the result is safe to drop into a query string, a path, or a JWT. This tool decodes either form automatically.

Base64 is encoding, not encryption

This is the most important thing to know: Base64 provides zero confidentiality. Anyone can decode it instantly - there is no key and no secret. Never use it to "hide" passwords, tokens, or other secrets; for that you need real encryption. Base64 is only for transporting data, not protecting it.

The Unicode (UTF-8) gotcha

Many quick Base64 snippets call btoa() directly on a string, which throws on any non-Latin1 character - so btoa('café') or an emoji fails or corrupts. The fix is to encode the text to UTF-8 bytes first, then Base64 those bytes. This tool does that correctly, so accented characters, CJK, and emoji round-trip exactly.

Where Base64 is used

  • Data URIs - inline images, fonts, and SVGs directly in CSS or HTML.
  • Email (MIME) - attachments are Base64-encoded, wrapped at 76 characters.
  • JWTs - each part of a JSON Web Token is URL-safe Base64.
  • HTTP Basic auth - the user:password pair is Base64-encoded (not secured).
  • Embedding binary in JSON / XML - keys, certificates, small blobs.

Standard vs URL-safe Base64

AspectStandardURL-safe
Character for index 62+-
Character for index 63/_
Padding= (kept)= (often dropped)
Safe in URLs / filenamesNoYes
Base64 FAQ

Frequently asked questions

Type or paste your text in the Text pane to see the Base64 on the right, or paste Base64 in the Base64 pane to decode it back to text on the left. Both panes convert live as you edit. For files, switch to File mode.
A variant that replaces the + and / characters with - and _ (and usually drops = padding) so the result is safe to use in URLs, query strings, filenames, and JWTs. Toggle the URL-safe alphabet in this tool; decoding accepts either variant automatically.
No. Base64 is an encoding, not encryption - it provides no security at all and anyone can decode it instantly without a key. Never use Base64 to hide passwords or secrets; use real encryption for that. Base64 only makes binary data safe to transport as text.
The = characters are padding. Base64 works in groups of 3 bytes (4 characters); when the input length is not a multiple of 3, one or two = are added so the output length is a multiple of 4. URL-safe Base64 often omits the padding.
Switch to File mode and choose your image - the tool shows both the raw Base64 and a ready-to-use data: URI (data:image/png;base64,...) that you can paste straight into CSS or an <img> src. Everything happens in your browser; the file is never uploaded.
Because they call btoa() on the raw string, which only handles Latin1 and throws or corrupts on accents, CJK, or emoji. The correct approach is to convert the text to UTF-8 bytes first, then Base64-encode those bytes - which is what this tool does, so Unicode round-trips exactly.
Stop pasting secrets into web tools

Keep credentials on your own machine.

This tool runs entirely in your browser - nothing is uploaded. CtrlOps takes the same local-first approach to real secrets: SSH keys and server credentials stay encrypted on your device, never synced to a cloud.

Start instantly· No credit card· No sneaky autorenewals