Base64 Encode / Decode
Convert text to Base64 and back, with full Unicode (UTF-8) support.
Updated: June 26, 2026
What is Base64?
Base64 is an encoding scheme that represents binary data using only 64
printable ASCII characters (A–Z, a–z,
0–9, + and /, with = for
padding). It is not encryption — anyone can decode it — its purpose is to move
binary data safely through systems that were designed for text, such as email
headers, JSON payloads, data URLs and HTTP basic-auth headers.
How encoding works
Base64 takes three bytes (24 bits) of input and splits them into four groups
of six bits, mapping each group to one of the 64 characters. Because three
input bytes become four output characters, Base64 output is about 33% larger
than the original. When the input length isn't a multiple of three, one or
two = padding characters are appended so the output stays a
multiple of four.
UTF-8 matters
A common bug is encoding non-ASCII text (accented letters, emoji, CJK
characters) with the browser's raw btoa(), which throws on
characters above U+00FF. This tool encodes text as UTF-8 first, so
"Café 🎉" round-trips correctly. Always make sure both ends agree
on UTF-8 when exchanging Base64 strings.
When you'll reach for Base64
- Embedding a small image or font directly in CSS/HTML as a
data:URL. - Putting binary blobs (certificates, keys, attachments) inside JSON or XML.
- Building an HTTP
Authorization: Basicheader fromuser:password. - Decoding the header and payload of a JWT — which use the URL-safe Base64url variant.
Base64 vs Base64url
The standard alphabet uses + and /, which have
special meaning inside URLs. The URL-safe variant (Base64url) replaces them
with - and _ and usually drops the =
padding. JWTs and many web APIs use Base64url. If a string contains
- or _, it is almost certainly Base64url — decode it
with our JWT decoder if it's a token.
Is Base64 secure?
No. Base64 is fully reversible and provides zero confidentiality — treat an encoded secret as if it were written in plain text. If you need to protect data, hash it (for integrity) or encrypt it (for confidentiality). For integrity checks, see our hash generator and HMAC generator.
Frequently asked questions
Is Base64 encryption?
No. Base64 is an encoding, not encryption. It is fully reversible without any key, so it offers no security. Never use it to hide passwords or secrets.
Why is my Base64 output longer than the input?
Base64 represents every 3 bytes of input as 4 characters, so the output is roughly 33% larger than the original data. This overhead is the trade-off for being text-safe.
Why does plain btoa() fail on emoji or accented text?
The browser's btoa() only handles characters up to U+00FF. This tool encodes your text as UTF-8 first, so Unicode characters like emoji and accented letters encode and decode correctly.
What are the = signs at the end?
They are padding. Base64 output length must be a multiple of 4, so 1 or 2 '=' characters are added when the input length isn't a multiple of 3.
Developer toolkits & API platforms
If you regularly convert and inspect encoded payloads, a good API client or developer toolkit saves time:
- API client / request builder Inspect, encode and decode request bodies, auth headers and tokens while testing APIs.
- Secrets manager Store real secrets safely instead of pasting Base64-'encoded' values into config files where they offer no protection.
Related tools
- URL Encode / DecodePercent-encode text for safe use in URLs, or decode %xx sequences back.
- JWT Decoder & ValidatorDecode a JWT's header and payload, inspect its claims, and verify an HS256 signature.
- Hash Generator (MD5, SHA-1, SHA-256, SHA-512)Compute MD5, SHA-1, SHA-256, SHA-384 and SHA-512 digests from any text.
- HMAC Generator (SHA-1, SHA-256, SHA-512)Compute an HMAC from a message and secret key using SHA-1/256/384/512, as hex or Base64.