Treating Base64 as secret protection
Base64 is reversible encoding, not encryption. Anyone who receives the value can decode it, so it does not protect passwords, API keys, cookies, or tokens.
Encode bounded UTF-8 text as standard Base64 or Base64URL, and strictly decode Base64, Base64URL, or Base64 data URIs in your browser.
Continue with a related workflow or open the next tool that usually follows this task.
Use this repeatable workflow for encoded JSON fields, webhook metadata, headers, cookies, and logs. It validates the alphabet and padding before decoding, preserves binary bytes for download, and keeps Base64 separate from encryption or signature verification.
OpenRelated toolHash UTF-8 text or exact file bytes and compare a full checksum locally.
OpenRelated toolBeautify or minify strict JSON locally while preserving duplicate keys and number text.
OpenRelated toolStrictly decode JWT structure and time claims locally without verifying the signature.
OpenChoose Encode for UTF-8 text or Decode for Base64, Base64URL, or a Base64 data URI.
For encoding, select Standard or URL-safe and keep padding unless the destination protocol explicitly permits omission.
For decoding, leave Auto detect selected or require one alphabet when validating an API contract.
Paste the value or load a text file, then run the conversion in Manual mode for deliberate review of large inputs.
Check byte count, detected alphabet, output type, and any whitespace, padding, or Data URI notices.
Copy readable text or Base64 output; for binary results, download the exact bytes instead of treating the hex preview as the original file.
Encode a multilingual string for a documented text-only API field, then compare the exact byte and character counts before sending it.
Decode copied JSON, webhook, or log fields and verify whether the result is readable text before formatting or redacting it.
Validate unpadded Base64URL segments and alphabet requirements without claiming that a JWT signature has been verified.
Decode data:text/plain;base64,... or another valid Base64 data URI while retaining its declared media type for download.
Recognize invalid UTF-8 or declared binary content, review a short hex preview, and save the complete decoded byte sequence.
Base64 is reversible encoding, not encryption. Anyone who receives the value can decode it, so it does not protect passwords, API keys, cookies, or tokens.
Standard Base64 uses + and /, while Base64URL uses - and _. Choose the alphabet required by the receiving protocol instead of replacing characters after the fact without validation.
Padding may be omitted only when a protocol permits it. A single misplaced = or non-zero trailing bits can produce a value that lenient decoders accept but strict systems reject.
Decoded bytes are not always text. Images, compressed data, encrypted data, and non-UTF-8 files must be downloaded as bytes rather than copied from a replacement-character preview.
Base64 expands payloads by roughly one third before JSON, HTML, or transport overhead. This tool limits decoded or encoded source data to 1,048,576 bytes to keep browser work bounded.
Encode the exact UTF-8 bytes with the standard alphabet and canonical padding.
Hello, 안녕하세요, 👋SGVsbG8sIOyViOuFle2VmOyEuOyalCwg8J+Riw==Auto-detect an unpadded Base64URL value and decode it as readable UTF-8 JSON text.
eyJzdGF0dXMiOiJvayIsImVtb2ppIjoi8J-nqiJ9{"status":"ok","emoji":"🧪"}RFC 4648 Base64 maps each three input bytes to four printable characters. The final quantum may require one or two = padding characters, so encoded output is usually about 33% larger.
Base64URL keeps the same six-bit values but substitutes - and _ for + and /. Padding is a separate protocol choice; URL-safe does not automatically mean every unpadded or mixed-alphabet string is valid.
Strict decoding checks the alphabet, length, padding position, and unused trailing bits, then re-encodes the bytes to confirm a canonical round trip.
ASCII spaces, tabs, and line breaks can be removed for wrapped payloads and are reported. Other Unicode whitespace and punctuation are rejected instead of being silently discarded.
Decoded bytes are interpreted as UTF-8 only when decoding succeeds without replacement and the result has no unsafe control bytes. Otherwise the page shows a bounded hex preview and downloads the untouched bytes.
No. Base64 only maps bytes to printable ASCII characters. Use authenticated encryption for confidentiality and HTTPS for transport; do not publish a value merely because it looks unreadable.
Standard Base64 uses + and / and commonly includes = padding. Base64URL uses - and _ and often omits padding. When decoding, Auto detect identifies alphabet-specific characters and reports when a payload contains only characters shared by both variants.
The decoder accepts canonical padded or unpadded input, restores only the mathematically required padding, and rejects misplaced padding, impossible lengths, mixed alphabets, and non-zero trailing bits.
If the bytes are not valid readable UTF-8, the output area shows at most 256 bytes as a hex preview. Download keeps every decoded byte with the Data URI media type when one was supplied, or application/octet-stream otherwise.
Yes, when the header ends in ;base64 and has a valid bounded media type. The tool separates the header, validates the payload, reports the declared media type, and uses it for the decoded download. Percent-encoded or non-Base64 data URIs must be handled separately.
Encoding accepts up to 1,048,576 UTF-8 bytes. Decoding accepts a canonical Base64 payload representing up to 1,048,576 bytes, with a small bounded allowance for ASCII whitespace and a Data URI header. The tool is text-oriented for encoding; arbitrary binary-file encoding belongs in a file workflow.
Maintained and tested by SimpleWebUtilsReviewed
Method: We replayed “Decode one Base64 API metadata field” in Base64 Encoder and Decoder, keeping the guide's input unchanged. “Choose or detect the alphabet” and “Format or inspect with the matching tool” defined the normal path; “Decoding the entire response” and “Treating replacement characters as original data” defined the boundary review before the output was accepted.
Expected result: The Base64 field decoded to the exact payment.succeeded JSON object, while malformed alphabet or padding input remained an explicit error instead of partial JSON.
Sources and standards
Use these focused guides when you need a practical workflow before opening the tool.
Use this repeatable workflow for encoded JSON fields, webhook metadata, headers, cookies, and logs. It validates the alphabet and padding before decoding, preserves binary bytes for download, and keeps Base64 separate from encryption or signature verification.
Workflow guideThis workflow uses the Cipher Learning Workbench to make XOR byte mechanics visible. You will reproduce a known vector, switch between Hex and Base64, reverse it with the same key, and document why the exercise must never be presented as protection for real secrets.
Workflow guideUse this workflow when an API, database field, DNS label, email body, configuration file, or legacy transport asks for Base32, Base58, Base62, Base85, hexadecimal, entities, Punycode, quoted-printable, UTF-16, or UUEncode but does not fully describe the variant.
Workflow guideUse the local file mode and explicit checksum comparison to confirm byte equality before trusting a release archive, backup, or installer. A match does not certify the publisher or prove that the file is malware-free.
Workflow guideUse this workflow when a login, API request, or permission check fails and you need to inspect token claims before changing auth code.
Workflow guideUse this workflow to determine whether a request occurred before nbf, at or after exp, or inside the stated token window, while documenting clock-skew policy and removing the raw token from shared evidence.
Continue with another maintained workflow
Hash UTF-8 text or exact file bytes and compare a full checksum locally.
Beautify or minify strict JSON locally while preserving duplicate keys and number text.
Strictly decode JWT structure and time claims locally without verifying the signature.
Encode exact text or a prepared URL, Wi-Fi, email, phone, SMS, or vCard payload as PNG or SVG.
Encode or decode exact URL components, full URLs, and form values locally.