Base64 Encoder / Decoder
This free Base64 Encoder / Decoder converts plain text to Base64 and decodes Base64 strings back to readable text, right in your browser. It handles full UTF-8, so emoji, accented letters, and non-Latin scripts survive the round trip without turning into garbage. Whether you need to Base64 encode UTF-8 text for an API, inspect a token, or figure out how to decode a Base64 string you found in a config file, you can do it here in one click. Nothing is uploaded anywhere — the conversion runs entirely on your device.
How to Use
Start by picking a mode with the two large buttons at the top: "Encode to Base64" turns plain text into Base64, and "Decode from Base64" turns a Base64 string back into text. Paste or type your content into the input box (its title changes to "Text to encode" or "Base64 to decode" depending on the mode), then press the Encode or Decode button. The result appears in a Result card below, where a copy icon puts it on your clipboard instantly. After a conversion, a "Swap & Decode" / "Swap & Encode" button appears next to the main button; clicking it moves the output into the input and flips the mode, which is handy for verifying a round trip. If you leave the input empty, the tool asks you to enter some text, and if a Base64 string is malformed it shows an "Invalid Base64 string" message instead of producing nonsense.
Why This Tool Is Useful
Base64 shows up constantly in modern development — data URIs for inline images and fonts, Basic Auth and JWT-style tokens, email MIME parts, and many API payloads all lean on it. Reaching for a browser console or a quick script every time you need to peek at or build one of these is slow and error-prone, especially because the browser's built-in btoa/atob choke on non-ASCII characters. This tool removes that friction: it does the UTF-8 work for you, decodes in the same place, and lets you swap directions without re-typing. Because everything happens client-side, you can safely paste tokens or sensitive strings without worrying about them being logged on a server.
How to decode a Base64 string
Decoding is the reverse of encoding: you take the Base64 text and recover the original characters. To do it here, click "Decode from Base64", paste the Base64 string into the box, and press Decode. The decoded plain text appears in the Result card, ready to copy.
The tool trims leading and trailing whitespace before decoding, so a stray space or newline at the very start or end of what you paste will not break it. If the string genuinely is not valid Base64 — for example it contains characters outside the alphabet, has the wrong length, or still has line breaks in the middle — you will see an "Invalid Base64 string" message rather than a silent failure. If your Base64 was wrapped across multiple lines (common in certificates and email), join it back into one continuous line before decoding.
How to Base64 encode UTF-8 text correctly
Base64 itself only knows about bytes, not characters. That distinction matters the moment your text contains anything beyond plain ASCII — accented letters, currency symbols, emoji, or scripts like Arabic, Hindi, or Japanese. The naive browser approach of calling btoa() directly throws an error on those characters because it assumes every character fits in a single byte.
This tool encodes through a UTF-8 step first, so your text is converted to its proper byte sequence before being turned into Base64. That means café, €, 你好, and 🎉 all encode and decode cleanly. Full UTF-8 support is one of the main reasons to use this tool over a quick console hack.
- café encodes to a longer string than "cafe" because the é is two UTF-8 bytes
- Emoji and non-Latin scripts are fully supported in both directions
- A correct round trip (encode then decode) always returns your exact original text
- If you paste a Base64 string that was created without UTF-8 handling, multi-byte characters may decode incorrectly
Base64 is encoding, not encryption — is Base64 secure?
This is the single most important thing to understand about Base64: it provides no security whatsoever. Base64 is a reversible encoding, not encryption. There is no key, no password, and no secret involved — anyone who sees the Base64 string can decode it back to the original in seconds using this very tool or one line of code.
The purpose of Base64 is safe transport, not secrecy. It exists so that arbitrary binary or Unicode data can be carried through channels that were designed for plain ASCII text — URLs, email headers, JSON fields, HTML attributes — without being corrupted. Treating it as a way to "hide" passwords, API keys, or personal data is a serious and common mistake.
If you need actual confidentiality, you need real encryption (such as AES) or at minimum a proper hashing scheme for stored secrets. Use Base64 only to make data transmittable, never to protect it.
- No key or password is used, so it is trivially reversible
- Encoded does not mean encrypted, obfuscated, or safe to expose
- Use it for transport of binary/text data, not for storing secrets
- For confidentiality use encryption (AES) or password hashing instead
What the = padding at the end means
Base64 works in groups of three input bytes, which map to four output characters. When the final group has only one or two bytes left over, the output is padded with one or two equals signs (=) so the total length stays a multiple of four. So one leftover byte produces two characters plus "==", and two leftover bytes produce three characters plus "=".
The padding is structural, not part of your data. It simply tells a decoder how many real bytes were in that last group. You will see zero, one, or two equals signs at the very end of a Base64 string — never in the middle.
Standard Base64 versus URL-safe Base64
Standard Base64 uses an alphabet of A–Z, a–z, 0–9, plus the two symbols + and /. Those last two are a problem in some contexts: + and / have special meaning inside URLs and filenames, so passing a standard Base64 string in a query parameter can corrupt it.
URL-safe Base64 solves this by swapping + for - (minus) and / for _ (underscore). The data is identical; only those two characters change, and padding is sometimes omitted entirely. JWTs, for example, use URL-safe Base64 without padding for each segment.
This tool produces and reads standard Base64. If you are working with a URL-safe variant, replace - with + and _ with / before decoding here, and do the reverse on the output if you need a URL-safe result.
- Standard alphabet: A–Z a–z 0–9 + /
- URL-safe alphabet: A–Z a–z 0–9 - _ (and often no padding)
- JWT segments use URL-safe Base64 without trailing =
- Swap - to + and _ to / to convert a URL-safe string for use here
Why your decoded text looks garbled
If a decode produces strange symbols, question marks, or mojibake, the usual cause is a character-encoding mismatch. The bytes were decoded fine, but they were never UTF-8 text to begin with, or they were encoded by a tool that did not handle UTF-8 the way this one does.
Another frequent cause is that the input was not text at all. Base64 is often used to carry binary data — images, PDFs, fonts, compressed blobs. Decoding that back here will show unreadable bytes, because there is no readable text inside. This tool is built for text in and text out; it does not turn a Base64 string into a downloadable image or file.
To rescue an image, font, or other binary file from Base64, you need a dedicated base64-to-file or base64-to-image converter that returns the raw bytes as a download, not a text decoder like this one.
Base64 in every language: encode and decode cheat sheet
| Language / Tool | Encode | Decode |
|---|---|---|
| JavaScript | btoa(str) (ASCII only — wrap with encodeURIComponent for UTF-8) | atob(str) (then decodeURIComponent for UTF-8) |
| Python | base64.b64encode(data) | base64.b64decode(data) |
| CLI (Unix) | base64 | base64 -d |
| PHP | base64_encode($str) | base64_decode($str) |
| Java | Base64.getEncoder().encodeToString(bytes) | Base64.getDecoder().decode(str) |