Base64 Encoder and Decoder | UTF-8, Base64URL, and Data URIs

EncodingRuns in Your Browser (No Uploads)

Encode bounded UTF-8 text as standard Base64 or Base64URL, and strictly decode Base64, Base64URL, or Base64 data URIs in your browser.

What to do next

Continue with a related workflow or open the next tool that usually follows this task.

How to Use This Tool

Choose Encode for UTF-8 text or Decode for Base64, Base64URL, or a Base64 data URI.

For encoding, select Standard or URL-safe and keep padding unless the destination protocol explicitly permits omission.

For decoding, leave Auto detect selected or require one alphabet when validating an API contract.

Paste the value or load a text file, then run the conversion in Manual mode for deliberate review of large inputs.

Check byte count, detected alphabet, output type, and any whitespace, padding, or Data URI notices.

Copy readable text or Base64 output; for binary results, download the exact bytes instead of treating the hex preview as the original file.

When to Use This Tool

Prepare UTF-8 API values

Encode a multilingual string for a documented text-only API field, then compare the exact byte and character counts before sending it.

Inspect encoded API payloads

Decode copied JSON, webhook, or log fields and verify whether the result is readable text before formatting or redacting it.

Debug Base64URL protocol fields

Validate unpadded Base64URL segments and alphabet requirements without claiming that a JWT signature has been verified.

Inspect Base64 data URIs

Decode data:text/plain;base64,... or another valid Base64 data URI while retaining its declared media type for download.

Recover binary payload bytes

Recognize invalid UTF-8 or declared binary content, review a short hex preview, and save the complete decoded byte sequence.

Common Mistakes

Treating Base64 as secret protection

Base64 is reversible encoding, not encryption. Anyone who receives the value can decode it, so it does not protect passwords, API keys, cookies, or tokens.

Mixing standard and URL-safe alphabets

Standard Base64 uses + and /, while Base64URL uses - and _. Choose the alphabet required by the receiving protocol instead of replacing characters after the fact without validation.

Assuming every padding shape is valid

Padding may be omitted only when a protocol permits it. A single misplaced = or non-zero trailing bits can produce a value that lenient decoders accept but strict systems reject.

Forcing binary bytes into UTF-8 text

Decoded bytes are not always text. Images, compressed data, encrypted data, and non-UTF-8 files must be downloaded as bytes rather than copied from a replacement-character preview.

Embedding large payloads without checking size

Base64 expands payloads by roughly one third before JSON, HTML, or transport overhead. This tool limits decoded or encoded source data to 1,048,576 bytes to keep browser work bounded.

Examples

Encode multilingual UTF-8 text

Encode the exact UTF-8 bytes with the standard alphabet and canonical padding.

Input
Hello, 안녕하세요, 👋
Output
SGVsbG8sIOyViOuFle2VmOyEuOyalCwg8J+Riw==

Decode an unpadded Base64URL payload

Auto-detect an unpadded Base64URL value and decode it as readable UTF-8 JSON text.

Input
eyJzdGF0dXMiOiJvayIsImVtb2ppIjoi8J-nqiJ9
Output
{"status":"ok","emoji":"🧪"}

How strict Base64 validation works

RFC 4648 Base64 maps each three input bytes to four printable characters. The final quantum may require one or two = padding characters, so encoded output is usually about 33% larger.

Base64URL keeps the same six-bit values but substitutes - and _ for + and /. Padding is a separate protocol choice; URL-safe does not automatically mean every unpadded or mixed-alphabet string is valid.

Strict decoding checks the alphabet, length, padding position, and unused trailing bits, then re-encodes the bytes to confirm a canonical round trip.

ASCII spaces, tabs, and line breaks can be removed for wrapped payloads and are reported. Other Unicode whitespace and punctuation are rejected instead of being silently discarded.

Decoded bytes are interpreted as UTF-8 only when decoding succeeds without replacement and the result has no unsafe control bytes. Otherwise the page shows a bounded hex preview and downloads the untouched bytes.

Frequently Asked Questions

Does Base64 protect secrets?

No. Base64 only maps bytes to printable ASCII characters. Use authenticated encryption for confidentiality and HTTPS for transport; do not publish a value merely because it looks unreadable.

How does the tool distinguish Base64 from Base64URL?

Standard Base64 uses + and / and commonly includes = padding. Base64URL uses - and _ and often omits padding. When decoding, Auto detect identifies alphabet-specific characters and reports when a payload contains only characters shared by both variants.

Can I decode Base64 without = padding?

The decoder accepts canonical padded or unpadded input, restores only the mathematically required padding, and rejects misplaced padding, impossible lengths, mixed alphabets, and non-zero trailing bits.

What happens when the decoded value is binary?

If the bytes are not valid readable UTF-8, the output area shows at most 256 bytes as a hex preview. Download keeps every decoded byte with the Data URI media type when one was supplied, or application/octet-stream otherwise.

Can the decoder read a Base64 data URI?

Yes, when the header ends in ;base64 and has a valid bounded media type. The tool separates the header, validates the payload, reports the declared media type, and uses it for the decoded download. Percent-encoded or non-Base64 data URIs must be handled separately.

What size and file limits apply?

Encoding accepts up to 1,048,576 UTF-8 bytes. Decoding accepts a canonical Base64 payload representing up to 1,048,576 bytes, with a small bounded allowance for ASCII whitespace and a Data URI header. The tool is text-oriented for encoding; arbitrary binary-file encoding belongs in a file workflow.

How This Tool Was Verified

Maintained and tested by Reviewed

Method: We replayed “Decode one Base64 API metadata field” in Base64 Encoder and Decoder, keeping the guide's input unchanged. “Choose or detect the alphabet” and “Format or inspect with the matching tool” defined the normal path; “Decoding the entire response” and “Treating replacement characters as original data” defined the boundary review before the output was accepted.

Expected result: The Base64 field decoded to the exact payment.succeeded JSON object, while malformed alphabet or padding input remained an explicit error instead of partial JSON.

Sources and standards

Open the tested workflow

Related workflow guides

Use these focused guides when you need a practical workflow before opening the tool.

Workflow guide

Decode a Base64 API payload without corrupting bytes

Use this repeatable workflow for encoded JSON fields, webhook metadata, headers, cookies, and logs. It validates the alphabet and padding before decoding, preserves binary bytes for download, and keeps Base64 separate from encryption or signature verification.

Workflow guide

Use repeating-key XOR for learning, not security

This workflow uses the Cipher Learning Workbench to make XOR byte mechanics visible. You will reproduce a known vector, switch between Hex and Base64, reverse it with the same key, and document why the exercise must never be presented as protection for real secrets.

Workflow guide

Choose and verify a binary-to-text encoding for data handoffs

Use this workflow when an API, database field, DNS label, email body, configuration file, or legacy transport asks for Base32, Base58, Base62, Base85, hexadecimal, entities, Punycode, quoted-printable, UTF-16, or UUEncode but does not fully describe the variant.

Workflow guide

Verify a file checksum with SHA-256

Use the local file mode and explicit checksum comparison to confirm byte equality before trusting a release archive, backup, or installer. A match does not certify the publisher or prove that the file is malware-free.

Workflow guide

Decode a JWT safely before debugging authentication

Use this workflow when a login, API request, or permission check fails and you need to inspect token claims before changing auth code.

Workflow guide

Check JWT expiration and not-before timestamps

Use this workflow to determine whether a request occurred before nbf, at or after exp, or inside the stated token window, while documenting clock-skew policy and removing the raw token from shared evidence.

Related Tools

Continue with another maintained workflow

Browse All Tools