What is Base64 encoding?

Base64 is a binary-to-text encoding scheme that converts binary data into a set of 64 ASCII characters. It's used to safely transmit data over text-based systems like email and URLs.

Yes. This tool runs entirely in your browser using JavaScript. Your data is never sent to any server.

Can I decode Base64 URLs?

Yes. Paste any Base64-encoded string and it will be decoded instantly, whether it came from a URL, email, or API response.

Does Base64 encoding encrypt my data?

No. Base64 is an encoding, not encryption — anyone can decode it back to the original. Never use Base64 to hide sensitive information; use a real hashing or encryption tool for that — try our Hash Generator or Bcrypt Generator.

Why does Base64 output end with `=`?

The `=` character is padding, added when the input length is not a multiple of 3 bytes. You will see one `=` for inputs ending 2 bytes into a group, or `==` for inputs ending 1 byte in. It is required by RFC 4648.

Standard Base64 uses `+` and `/`, which need escaping in URLs. RFC 4648 defines a URL-safe variant that replaces them with `-` and `_`. If you are passing Base64 in a query string, use the URL-safe form or URL-encode the result.

Base64 Decode & Encode Online — Free, Instant, Private

Decode or encode any Base64 string instantly — free, private, and runs entirely in your browser.

What Base64 is actually for

Base64 is a way to represent arbitrary binary data using only 64 printable ASCII characters. It exists because a lot of text-based systems — email headers, URLs, JSON payloads, XML attributes — can't safely carry raw bytes. A null byte, a newline, or a non-UTF-8 sequence might be stripped, reinterpreted, or crash the parser. Base64 sidesteps all of that by encoding 3 bytes into 4 characters from the safe alphabet A–Z a–z 0–9 + /.

You'll see Base64 everywhere once you start looking:

Data URIs — inline images in HTML and CSS: data:image/png;base64,iVBORw0KG.... Saves an HTTP request for small icons and SVG fonts.
Email attachments — MIME (RFC 2045) encodes binary attachments as Base64 so they survive mail servers that assume 7-bit text.
HTTP Basic Auth — the Authorization: Basic header is just base64(username:password). Trivially reversible.
JWTs — the three dot-separated segments of a JWT are all URL-safe Base64. Our JWT Decoder just splits on . and Base64-decodes each piece.
PEM keys and certificates — the -----BEGIN ... ----- block in an SSL cert or SSH key is Base64-encoded DER binary.

Base64 is encoding, not encryption

This is the single most important thing to know about Base64: anyone who can read the encoded string can decode it. There's no key, no secret, no math to reverse. dXNlcjpwYXNz decodes to user:pass in a single function call on any machine.

If you're tempted to "protect" a password, API token, or user PII by Base64-encoding it, stop. Use real cryptography: our Hash Generator for fingerprints, Bcrypt Generator for password storage, or a dedicated encryption library (libsodium, Web Crypto) for anything that needs to be genuinely private.

Standard vs URL-safe Base64 (RFC 4648)

RFC 4648 defines two Base64 alphabets:

Standard Base64 uses + and / as its last two characters, and pads the output with =. Fine for MIME and general data, but both + and / have special meanings in URLs.
URL-safe Base64 (base64url) substitutes - for + and _ for /, and usually drops the = padding. JWT segments use this variant.

If you're pasting a Base64 string into a URL without encoding it further, make sure it's the URL-safe variant — otherwise + will be interpreted as a space and / will be treated as a path separator.

Size overhead: the 33% rule

Base64 inflates data by roughly one third. The math is easy: every 3 input bytes become 4 output characters, so the ratio is 4/3 ≈ 1.333. A 10 KB image becomes about 13.3 KB when Base64-encoded. That's before any per-line newlines and the data:image/png;base64, prefix for data URIs.

That overhead is usually fine for small assets (icons, tiny images, one-off tokens) but gets painful at scale. Gzip and Brotli compress Base64 text reasonably well — often recovering most of the loss — but the safest rule is: if a file is bigger than ~10 KB, serve it as a real file instead of inlining it.

Common decoding gotchas

Missing padding. Some encoders drop trailing = characters. Strict decoders reject the input; tolerant ones pad it back automatically. This tool does the latter.
Embedded whitespace. MIME Base64 is line-wrapped at 76 characters with newlines. Most decoders ignore whitespace, but if you're debugging a custom implementation, check that you're stripping it before decoding.
Double encoding. If you're seeing %2B or %3D in your Base64 string, it was URL-encoded on top of Base64. URL-decode first, then Base64-decode. Our URL Encode/Decode tool handles the first step.
Wrong alphabet. If you're decoding JWT segments or OAuth tokens, you probably need URL-safe Base64 (-_), not standard (+/). This tool accepts both.

Related encoding tools on CodeBoxTools

Image to Base64 — drag-and-drop a PNG, JPEG, or SVG and get a ready-to-paste data URI.
URL Encode / Decode — for percent-encoding special characters in query strings and paths.
HTML Encode / Decode — converts &, <, >, and Unicode to entity references.
JWT Decoder — uses URL-safe Base64 internally, handy if you want to see a real-world example.

Base64 Decode & Encode Online