WebUtils
ENKO

Developer Workflow

Base64 decode an API payload

Learn how to decode Base64 API fields, inspect UTF-8 text safely, and avoid confusing encoding with encryption.

Open Base64 Encoder Decoder

Problem

Base64 is often used to transport text or binary data through JSON, URLs, and headers. It makes data look opaque, but it is only an encoding format and can often be decoded directly.

When to use this

  • A JSON field contains a long encoded value.
  • A webhook payload stores metadata as Base64 text.
  • A cookie or header needs to be inspected during local debugging.

Steps

  1. Step 1

    Identify whether the value is plain Base64

    Check for typical Base64 characters and padding. If the value appears inside a URL, decode URL encoding first.

  2. Step 2

    Decode as UTF-8 text

    Paste the value into the Base64 decoder and inspect whether the result is readable text, JSON, XML, or another structured format.

  3. Step 3

    Format the decoded result

    If the decoded output is JSON or another structured format, format it before debugging field names and nested values.

  4. Step 4

    Do not treat Base64 as secret protection

    Base64 is reversible. Do not rely on it to protect credentials, access tokens, or private data.

Example

Base64 encoded JSON metadata

Input

eyJldmVudCI6InBheW1lbnQuc3VjY2VlZGVkIiwiaWQiOiJldnRfMTIzIiwidGVuYW50IjoiYWNtZSJ9

Output

{
  "event": "payment.succeeded",
  "id": "evt_123",
  "tenant": "acme"
}

Common mistakes

Confusing Base64URL with Base64

JWT segments and some URL-safe values use Base64URL, which replaces characters and may omit padding.

Assuming unreadable decoded bytes are broken

Some Base64 values represent binary data, not text. A non-readable result does not always mean decoding failed.

FAQ

Is Base64 encryption?

No. Base64 is encoding, not encryption. Anyone with the encoded value can decode it.

Why does Base64 decoding sometimes produce strange characters?

The original data may be binary, compressed, encrypted, or encoded with a character set other than UTF-8.

Should I decode production secrets?

Only decode secrets in a controlled local environment and avoid pasting them into tickets, screenshots, or shared documents.