Base64 Encoder / Decoder
Encode and decode Base64 with correct Unicode, the URL-safe alphabet, padding and line-wrap control, and full file / data-URI support. Edit either side and it converts instantly. Nothing is uploaded.
What is Base64?
Base64 is a way to represent binary data using 64 printable ASCII characters (A-Z, a-z, 0-9, and two symbols). It lets bytes - images, keys, anything - travel safely through channels that only handle text, like JSON, URLs, HTML, or email.
It is not compression and it is not encryption. In fact Base64 makes data about 33% larger; its only job is to survive text-only transport intact.
How it works
Base64 takes 3 bytes (24 bits) and splits them into 4 groups of 6 bits, then maps each 6-bit value (0-63) to a character. When the input is not a multiple of 3 bytes, = padding fills the gap - one = means 2 bytes of input, two means 1.
| Input | Base64 | Note |
|---|---|---|
| Man | TWFu | 3 bytes -> 4 chars, no padding |
| Ma | TWE= | 2 bytes -> one = pad |
| M | TQ== | 1 byte -> two = pad |
Standard vs URL-safe
Standard Base64 uses + and /, which have special meaning in URLs and filenames. URL-safe Base64 swaps them for - and _ and usually drops the = padding, so the result is safe to drop into a query string, a path, or a JWT. This tool decodes either form automatically.
Base64 is encoding, not encryption
This is the most important thing to know: Base64 provides zero confidentiality. Anyone can decode it instantly - there is no key and no secret. Never use it to "hide" passwords, tokens, or other secrets; for that you need real encryption. Base64 is only for transporting data, not protecting it.
The Unicode (UTF-8) gotcha
Many quick Base64 snippets call btoa() directly on a string, which throws on any non-Latin1 character - so btoa('café') or an emoji fails or corrupts. The fix is to encode the text to UTF-8 bytes first, then Base64 those bytes. This tool does that correctly, so accented characters, CJK, and emoji round-trip exactly.
Where Base64 is used
- Data URIs - inline images, fonts, and SVGs directly in CSS or HTML.
- Email (MIME) - attachments are Base64-encoded, wrapped at 76 characters.
- JWTs - each part of a JSON Web Token is URL-safe Base64.
- HTTP Basic auth - the user:password pair is Base64-encoded (not secured).
- Embedding binary in JSON / XML - keys, certificates, small blobs.
Standard vs URL-safe Base64
| Aspect | Standard | URL-safe |
|---|---|---|
| Character for index 62 | + | - |
| Character for index 63 | / | _ |
| Padding | = (kept) | = (often dropped) |
| Safe in URLs / filenames | No | Yes |
Frequently asked questions
Related developer tools
Keep credentials on your own machine.
This tool runs entirely in your browser - nothing is uploaded. CtrlOps takes the same local-first approach to real secrets: SSH keys and server credentials stay encrypted on your device, never synced to a cloud.
✓ Start instantly·✓ No credit card·✓ No sneaky autorenewals

