Base64 Encoder / Decoder

How Base64 works

Base64 turns arbitrary bytes into a 64-character ASCII alphabet — A–Z, a–z, 0–9, +, and / — by packing three input bytes (24 bits) into four output characters (6 bits each). Every encoded output is roughly 4/3 the size of the input, padded with one or two = signs so the total length is a multiple of 4.

It's not encryption — anyone can decode it. The point is to safely transmit binary data through systems that only handle text: email bodies (MIME), data: URIs, JSON strings, basic-auth headers, JWT segments, cookies, etc.

URL-safe Base64

Standard Base64 uses + and /, which have special meanings in URLs. The URL-safe variant (RFC 4648 §5) replaces them with - and _ respectively, and usually drops the trailing = padding. JWTs use this variant: each header / payload / signature segment is URL-safe Base64 with no padding. Toggle URL-safe on the left to switch.

UTF-8 round-trip safety

JavaScript's built-in btoa() / atob() only handle Latin-1 — they choke on emoji, Chinese, Cyrillic, etc. This tool wraps them with encodeURIComponent + unescape on encode, and the inverse on decode, so any UTF-8 string round-trips correctly: "Hello 世界 🌍" → "SGVsbG8g5LiW55WMIPCfjI0=" → "Hello 世界 🌍". File uploads encode the raw bytes as-is via FileReader.readAsArrayBuffer — no UTF-8 reinterpretation, so binaries (PNG, PDF, ZIP) survive a round trip unchanged.

Common uses

• data: URIs — data:image/png;base64,iVBORw0… embeds a small image directly in HTML or CSS without a separate request.
• HTTP basic auth — Authorization: Basic dXNlcjpwYXNz is just user:pass Base64-encoded (always use HTTPS — Base64 is not a secret).
• JWT — header.payload.signature, each segment URL-safe Base64.
• API tokens / signed cookies — making opaque blobs cookie- and URL-safe.
• Email attachments — MIME wraps binary parts in Base64 with line breaks every 76 characters.

Use this tool to: decode a JWT payload, inspect a data: URI, prepare a basic-auth header, or just see what your file looks like in Base64.