Does encoding make data secure?

No. Base64 is encoding, not encryption. Anyone can decode a Base64 string without a key. Do not use Base64 to obscure sensitive data. Use proper encryption if confidentiality is required.

Why does my decoded output show garbage characters?

Base64 decodes to raw bytes. If the original data was binary (an image, a compressed file), the decoded bytes are not valid UTF-8 text and will appear as garbage in a text box. The encoding is correct - the data just cannot be meaningfully displayed as text.

Base64 Encoder / Decoder

Convert UTF-8 text to Base64 and back in one click.

Output

About this tool

This Base64 encoder and decoder converts UTF-8 text to Base64-encoded output and back. It handles both standard Base64 (using + and /) and Base64url (using - and _, with optional padding omission) - the URL-safe variant normalizes - and _ before decoding so JWT segments and URL-embedded Base64 values decode correctly without manual character substitution. All processing happens locally in your browser using JavaScript's native btoa() and atob() functions with UTF-8 encoding applied via encodeURIComponent to correctly handle non-ASCII characters.

Real example

Input: {"sub":"user-42","role":"admin"}

Base64 encoded output: eyJzdWIiOiJ1c2VyLTQyIiwicm9sZSI6ImFkbWluIn0=

This is the exact format used in JWT payload segments. A JWT token like eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyLTQyIn0.sig has three dot-separated parts - header, payload, and signature - each Base64url-encoded. Paste any segment here to read its contents. The trailing = padding may be absent in JWT segments (Base64url allows padding omission) - the decoder handles both cases. For full JWT inspection including all claims, use the JWT Decoder which processes all three segments at once.

Common use cases

JWT segment inspection: JWT tokens are three Base64url-encoded segments separated by dots. Copy the header or payload segment (between the dots) and decode it here to read the JSON claims - algorithm, subject, expiration, issued-at, and any custom claims. This is the fastest way to inspect a JWT without installing a separate tool.
HTTP Basic Auth credential encoding: The Authorization header for HTTP Basic Auth requires Base64(username:password). Type username:password in the input and click Encode to produce the value that goes after Basic in the header. Use this when testing APIs that require Basic Auth without writing code.
Inspecting Base64-encoded log values: Application logs and SIEM events often contain Base64-encoded fields (event payloads, serialized objects, embedded tokens). Paste the encoded string here to decode it and read the underlying value without needing to write a script.
Encoding binary data representations: Before embedding binary data in a JSON payload or environment variable, encode it to Base64 to make it a safe ASCII string. Copy the encoded output directly into your config or API request body.

How it works

Encoding: the input string is passed through encodeURIComponent() then unescape() to convert it to a byte representation where each character maps to a single byte, then btoa() produces the standard Base64 string. This correctly handles multi-byte UTF-8 characters (accented letters, emoji, CJK characters) that btoa() alone cannot handle. Decoding: the input is first normalized - - is replaced with + and _ with / to handle Base64url input - then atob() decodes it, and decodeURIComponent(escape()) reverses the byte-to-character mapping to restore the original UTF-8 string.

Common mistakes

Decoding with whitespace or line breaks: Base64 strings copied from emails, certificates, or multi-line encoded values often contain newlines or spaces. These cause atob() to throw an "invalid character" error. Trim the input before decoding - the tool's Decode button automatically trims leading and trailing whitespace from the input.
Encoding binary files instead of text: This tool is designed for text (UTF-8) encoding. Binary files (images, PDFs, compiled binaries) cannot be pasted as text - the copy operation loses non-printable bytes. For file-to-Base64 conversion, you need a tool that reads file bytes directly, such as the Hash Generator & Encoders.
Expecting encryption from encoding: Base64 is not encryption - it is a reversible encoding that converts binary data to ASCII text. Anyone who sees a Base64 string can decode it instantly. Do not use Base64 to obscure sensitive values; use proper encryption instead.

FAQ

Does this support Base64url (JWT-style) decoding
Yes. The decoder automatically converts Base64url characters (-->+ and _->/) before decoding, so JWT payload and header segments decode correctly without needing to manually substitute characters.

What is the difference between Base64 and Base64url
Standard Base64 uses +, /, and = padding. These characters have special meaning in URLs, so Base64url replaces + with - and / with _, and typically omits the = padding. JWTs, OAuth tokens, and URL-embedded encoded data all use Base64url. Standard Base64 is used in MIME email encoding, PEM certificates, and most other contexts.

Can I decode multi-line Base64 (like PEM certificates)
Yes. PEM certificate blocks are Base64-encoded with line breaks every 64 characters. Paste the content between the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines (without the headers) and decode it. The output will be binary certificate data represented as text, which may not be fully readable but confirms the content is decodable.

Is my data sent anywhere
No. Encoding and decoding use JavaScript's built-in btoa() and atob() functions running locally in your browser. Nothing is transmitted to any server.

Related tools

JWT Decoder — decode full JWT tokens — all three Base64url-encoded segments at once
JSON Formatter — format the JSON payload after decoding a Base64-encoded response body
Hash Generator — hash data before encoding it, or verify a Base64-encoded hash digest
URL Parser — parse URLs that contain Base64-encoded query parameters