Base64 Encoder / Decoder (UTF-8 and URL-safe)
Type any text or paste a Base64 string to convert in either direction. Handles UTF-8 (including emoji and CJK) and supports the URL-safe variant used in JWT and OAuth.
How it works
What Base64 is and isn't
Base64 encodes arbitrary bytes using a 64-character alphabet (A-Z, a-z, 0-9, +, /, with = padding). It's the standard way to embed binary data — image bytes, encrypted blobs, signed tokens — into text-only formats like JSON, HTML, or email headers. Output is about 33% larger than the input.
Base64 is encoding, not encryption. Anyone can decode a Base64 string back to its original bytes. Don't use it to hide secrets — use a real encryption algorithm if you need confidentiality.
URL-safe vs standard
Standard Base64 includes '+' and '/', which have special meanings in URLs and need to be percent-encoded. URL-safe Base64 (RFC 4648 §5) replaces '+' with '-', '/' with '_', and drops the trailing '=' padding. JWTs, OAuth tokens, and many web APIs use the URL-safe form.
If decoding a JWT or token by hand, toggle URL-safe ON. If working with classic email or PDF embedded data, leave it off. The decoder accepts both forms when URL-safe is on, since the standard alphabet is a superset minus the special pair.
UTF-8 handling
Old browser btoa() can only handle ASCII. This tool uses TextEncoder to convert your input to UTF-8 bytes first, then Base64-encodes those bytes. That means emoji, CJK characters, accented Latin, and any other Unicode all encode and round-trip correctly. The bytes-then-base64 approach is the same one used by JWT libraries and most modern frameworks.
Frequently asked questions
›Is Base64 encryption?
No. It's a way to encode binary as ASCII text. Anyone can decode it. Use real encryption (AES, RSA, etc.) for secrecy.
›Why is URL-safe different?
Standard Base64 uses '+' and '/' which have special meaning in URLs and need percent-encoding. URL-safe Base64 substitutes '-' and '_' to avoid that.
›Can I decode the JWT signature?
Decoding the signature gives you the raw bytes of the signature, but those are intended for verification, not human reading. Decode the JWT's header and payload (the first two segments) to see the data.
›Does this work for binary files?
Not directly — paste text only. For files, use a binary-aware tool. (Most browsers have a built-in atob/btoa pair you can use in DevTools for small files.)
›Why is my decoded text garbled?
Either the input wasn't valid Base64, or it encoded non-UTF-8 bytes (e.g., a Latin-1 file). Verify the original encoding. Tools that decode 'as text' assume UTF-8.
›Is the data sent anywhere?
No. Encoding and decoding run entirely in your browser.
›What's the size overhead?
About 33% larger than the source bytes (every 3 input bytes become 4 output characters). URL-safe without padding is the same overhead.
›Why does padding matter?
Standard Base64 pads the end with '=' so the length is a multiple of 4. URL-safe versions often skip this since it's not needed for decoding.
Related tools
Last updated: