Base64 Encoder & Decoder
Encode text to Base64 or decode Base64 to text. 100% client-side processing.
No data sent to serverRelated Tools
What is Base64 Encoding?
Base64 is a binary-to-text encoding scheme that represents binary data using a set of 64 printable ASCII characters (A-Z, a-z, 0-9, +, /) plus = for padding. An early form was used in RFC 989 (1987, PEM); its MIME-context definition came with RFC 1341 (1992). The current standard is RFC 4648 §4 (2006). The encoding converts every 3 bytes (24 bits) of input into 4 ASCII characters (4 × 6 bits), making the output approximately 33% larger than the original data.
How the encoding works
The input is split into 3-byte groups. Each 3-byte group becomes one 24-bit value, which is then split into four 6-bit groups. Each 6-bit group (a number 0–63) becomes one character from the Base64 alphabet. When the input length is not a multiple of 3, the last group is padded with = characters: 1 byte of input → XX==, 2 bytes → XXX=.
Standard Base64 vs Base64URL
Two characters in standard Base64 cause problems in URLs: + (interpreted as space) and / (path separator). Base64URL (RFC 4648 §5) replaces + with -, / with _, and typically omits = padding. JWTs and OAuth use Base64URL specifically so tokens can appear in URL query parameters and HTTP headers without further encoding.
When NOT to use Base64
Base64 is not encryption — it provides zero confidentiality. Avoid it for storing passwords, tokens, or any sensitive data. It also adds 33% size overhead, so don't use it when binary transport is available (HTTP/2 binary frames, gRPC/Protobuf, file uploads). Hex (Base16) is more readable for debugging at the cost of 100% overhead.
How to Use
- Select Encode mode for plain text → Base64, or Decode for Base64 → plain text.
- Paste your text or Base64 string in the Input field. Unicode characters (Korean, emoji, etc.) are handled correctly via UTF-8 encoding.
- Click Encode to Base64 or Decode from Base64, or press
Ctrl+Enter(Cmd+Enteron macOS). - Click Copy to copy the result to clipboard, or Swap to reverse direction.
Privacy
All encoding and decoding runs entirely in your browser using the native btoa and atob APIs (with UTF-8 polyfill for Unicode). No data is sent to any server — safe for sensitive payloads up to 5 MB.
Real-world Examples
1. HTTP Basic Auth
The Authorization header in HTTP Basic authentication encodes username:password as Base64:
Authorization: Basic dXNlcjpwYXNz # decoded: user:pass
⚠️ Always use HTTPS — Base64 is not encryption.
2. Data URLs (inline images)
Embed small images directly in HTML/CSS without separate HTTP requests:
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAQAAAC1HAwCAAAAC0lEQVR42mNkYAAAAAYAAjCB0C8AAAAASUVORK5CYII=" />
Best for icons under 2 KB; larger images should use separate files for browser caching.
3. JWT tokens (Base64URL)
JSON Web Tokens consist of three Base64URL-encoded parts joined by dots:
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.SflKxw... # header.payload.signature
4. MIME email attachments
Email is fundamentally 7-bit ASCII. Binary attachments (images, PDFs, executables) are Base64-encoded in the message body using Content-Transfer-Encoding: base64. This is why email attachments are roughly 33% larger than the original file.
5. Storing binary in JSON
JSON has no native binary type. APIs that send binary blobs in JSON responses (image thumbnails, file contents, signed payloads) Base64-encode them as string fields. AWS Lambda, S3 presigned posts, and most webhook payloads follow this pattern.
Common Pitfalls
1. Base64 ≠ encryption
The single most common mistake. Base64 is reversible without a key — anyone can decode it. Never use it to "hide" passwords, API keys, tokens, or PII. Use proper encryption (AES-GCM) or hashing (Argon2, bcrypt) instead.
2. URL-unsafe characters
Standard Base64 includes + and / — both have special meaning in URLs. If your encoded string will appear in a URL, query parameter, or filename, use Base64URL instead (replaces + → -, / → _).
3. Browser btoa() breaks on Unicode
JavaScript's native btoa() only accepts Latin-1 characters. Calling btoa("한글") throws an error. Always UTF-8 encode first: btoa(unescape(encodeURIComponent(str))). This tool handles UTF-8 automatically.
4. Padding required for some decoders
Standard Base64 requires = padding to make the length a multiple of 4. Some Base64URL implementations omit padding; some decoders require it. If decoding fails on otherwise-valid input, try adding = characters until length is divisible by 4.
5. 33% size overhead
Base64 inflates payload size. For large files (videos, archives, model weights), prefer multipart upload, signed URL direct upload to S3, or HTTP/2 binary frames. Base64 is best reserved for small inline payloads (under ~10 KB).
FAQ
Is Base64 encryption?
No. Base64 is an encoding scheme, not encryption. Anyone can decode a Base64 string without a key. It should never be used to protect sensitive data — use AES-GCM, ChaCha20, or hashing (Argon2, bcrypt) instead.
Why does Base64 add 33% to file size?
Base64 represents 3 bytes (24 bits) of binary data using 4 ASCII characters (4 × 8 = 32 bits, but only 4 × 6 = 24 bits of information). The 4-character output for every 3-byte input gives a 4/3 ratio — roughly 33% larger.
Does this tool handle Unicode (Korean, emoji)?
Yes. Input is UTF-8 encoded before Base64 conversion, so any Unicode character is preserved correctly on round-trip. Try encoding "한글 🎉" to see the result.
What's the difference between Base64 and Base64URL?
Base64URL replaces + with - and / with _, and often omits the = padding. It's safe to use in URLs, filenames, and HTTP headers. Standard Base64 is for general use (MIME, JSON values, data URLs).
Can I decode any Base64 string?
Only if it's valid (length is a multiple of 4 with correct padding, characters all from the alphabet). Invalid input returns an error. If the source uses Base64URL, you may need to add back = padding before decoding with this tool.
Is the input size limited?
Up to 5 MB per input field — running entirely in your browser. For larger files, use server-side tools like the base64 Unix command or language libraries.
⚠️ Reference Only
Output is generated based on your input and is provided for reference. Results may vary depending on your specific use case, edge cases, or environment-specific behavior. We do not guarantee accuracy of conversions, validations, or computed values.
Always verify critical outputs against official documentation or production environments. We are not responsible for any decisions or losses based on these tool results.
📖 Related Guides
JWT Anatomy — Header, Payload, Signature
Understand JWT structure, claims, and signing algorithms. Security best practices.
URL Encoding — When to Use What
encodeURI vs encodeURIComponent vs escape. Query strings, paths, and reserved characters.
Hash Algorithms — MD5, SHA-1, SHA-256, bcrypt
When to use each hash function. Security comparison and password storage best practices.