Free Base64 Encode / Decode

Convert text to Base64 encoding or decode Base64 strings back to readable text, fully compliant with RFC 4648, which defines the standard Base64 alphabet of 64 printable ASCII characters plus = padding. Commonly used by developers for Basic Authentication headers, data URIs, email MIME encoding, JWT payloads, and embedding binary data in JSON or XML. Supports full UTF-8 including emojis and international characters. All processing runs locally in your browser — no server, no signup, no data sent anywhere — making it safe for encoding sensitive values like API keys, tokens, and credentials.

Engine: Browser btoa/atob

What Is Base64 Encoding and When Do You Need It?

Base64 encoding converts binary data into a text representation using 64 printable ASCII characters (A-Z, a-z, 0-9, +, /), as defined in RFC 4648. This is essential when you need to transmit binary data over channels that only support text — such as JSON APIs, email (MIME), HTML data attributes, HTTP headers, or URL parameters. Every developer encounters Base64 regularly — from embedding images in CSS as data URIs, to encoding API credentials for HTTP Basic Authentication, to decoding JWT token payloads.

The encoding works by grouping every 3 bytes of input into 4 Base64 characters, with = padding added when the input length is not a multiple of 3. This results in approximately 33% size overhead compared to the raw binary data — a worthwhile tradeoff for safe text transport. By comparison, hexadecimal encoding doubles the size (100% overhead), making Base64 the preferred choice when compactness matters. This tool handles the encoding and decoding instantly in your browser using the built-in btoa() and atob() functions, with a UTF-8 wrapper for full Unicode support. No data leaves your device, making it safe to encode sensitive strings like API keys, tokens, and credentials.

Base64 in Practice: Common Use Cases for Developers

HTTP Basic Authentication is one of the most common uses of Base64 on the web. When a client authenticates with a username and password, it concatenates them with a colon separator (username:password), Base64-encodes the result, and sends it in the Authorization header as "Basic dXNlcm5hbWU6cGFzc3dvcmQ=". The Base64 encoding ensures that special characters in the credentials do not break the HTTP header format. Security comes from TLS, not from Base64 itself — the encoding is trivially reversible.

Data URIs allow you to embed small files directly in HTML or CSS using the format data:[mediatype];base64,[data]. This eliminates an extra HTTP request for small assets like icons, SVGs, or web fonts. JWT (JSON Web Tokens) use Base64url — a URL-safe variant that replaces + with -, / with _, and omits padding — to encode their header and payload as readable text segments. Kubernetes stores secret values as Base64, CI/CD pipelines use Base64 to pass multi-line secrets through environment variables, and email systems use Base64 via MIME to encode binary attachments for transmission over text-only SMTP.

Understanding when to use Base64 is just as important as knowing how. Base64 is not encryption and provides zero security on its own — it is purely a transport encoding that makes binary data safe for text contexts. Use it to move data through text-only channels, not to hide data from anyone. For security, always pair Base64-encoded sensitive data with proper encryption (AES, RSA) and transport-layer security (TLS/HTTPS).

Base64 vs Base64url: Understanding the Variants

RFC 4648 defines two Base64 alphabets. The standard alphabet (Section 4) uses A-Z, a-z, 0-9, +, and / with = padding. The URL-safe alphabet, known as Base64url (Section 5), replaces + with - and / with _ to avoid conflicts with URL reserved characters, and typically omits the = padding since it can be inferred. Base64url is referenced in RFC 7515 (JSON Web Signature) and is the encoding used in JWT headers and payloads, OAuth 2.0 PKCE code verifiers, and any context where encoded data appears in URLs or filenames.

This tool implements standard Base64 encoding and decoding, which covers the vast majority of developer use cases including Basic Auth headers, data URIs, MIME email, Kubernetes secrets, and general binary-to-text conversion. If you specifically need to decode Base64url-encoded strings from JWTs or OAuth tokens, the dedicated JWT Decoder tool on this site handles that variant automatically. For programmatic use, most languages offer both variants — for example, Python provides base64.b64encode() and base64.urlsafe_b64encode(), while Node.js Buffer supports both via toString("base64") and toString("base64url").

How It Works

1. Choose Encode or Decode mode.
2. Paste or type your text, then click the button.
3. Copy the result or swap input/output to convert back.

Key Features

Encode text to Base64 or decode Base64 to text
Full UTF-8 support including emojis, CJK characters, and special symbols
Swap button to quickly reverse the conversion
Character count for input and output — see the 33% size overhead in real time
Copy output to clipboard with one click
Instant encoding and decoding with no processing delay
Handles multi-line text, JSON payloads, and HTML snippets
Runs entirely in your browser — zero server calls
No signup or account required
Private by design — data never leaves your device

Privacy & Trust

Text is encoded/decoded locally using browser built-in btoa()/atob()
No data is uploaded or stored
No tracking of content
No external API calls — pure client-side JavaScript

Use Cases

1. Encode API keys or secrets for environment variables and configuration files
2. Build Basic Authentication headers by encoding username:password pairs
3. Create data URIs to embed images, fonts, or SVGs directly in HTML or CSS
4. Decode Base64 payloads from API responses, webhooks, or JWT tokens
5. Encode email attachment content for MIME-compliant messages
6. Debug encoded values from CI/CD pipelines, Kubernetes secrets, or Docker configs
7. Prepare test fixtures by encoding JSON or XML payloads for integration tests

Frequently Asked Questions

Is this Base64 tool completely free?

Yes, it is 100% free with no usage limits, no signup, and no rate limiting. Online Base64 tools often run on servers that log your input or inject ads. Because this tool runs entirely in your browser using the native btoa() and atob() functions, there are no server costs and no reason to restrict usage. You can encode and decode as many strings as you want, as often as you want.

Is my data sent to a server or stored anywhere?

No. All encoding and decoding happens entirely inside your browser using built-in JavaScript functions. Your text never leaves your device — not even temporarily. There are no API calls, no cloud processing, and no analytics on your content. This makes it safe for encoding sensitive values like API keys, database credentials, authentication tokens, or any string you would not want a third party to see. You can verify this by watching the Network tab in DevTools while encoding.

What is Base64 encoding?

Base64 is a binary-to-text encoding scheme defined in RFC 4648 that represents arbitrary binary data using a set of 64 printable ASCII characters: A-Z (26), a-z (26), 0-9 (10), + and / (2), with = used for padding. It was designed to safely transmit binary data over channels that only support text, such as email (MIME), JSON, XML, URLs, and HTTP headers. Every 3 bytes of input become 4 Base64 characters of output, which is why Base64-encoded data is always approximately 33% larger than the original. The encoding is deterministic and fully reversible — the same input always produces the same output, and decoding recovers the original data exactly.

Why does Base64 encoding make data 33% larger?

Base64 works by taking every 3 bytes (24 bits) of input and splitting them into 4 groups of 6 bits each. Each 6-bit group maps to one of 64 printable ASCII characters. So 3 bytes of raw data become 4 bytes of Base64 text — a 33% increase. If the input length is not a multiple of 3, the output is padded with one or two = characters to make it a multiple of 4. This overhead is the tradeoff for being able to represent any binary data as plain text. By comparison, hexadecimal encoding has a 100% overhead (each byte becomes two hex characters), making Base64 significantly more space-efficient.

What is the difference between Base64 and Base64url?

Standard Base64 (RFC 4648 Section 4) uses the characters + and / alongside the alphanumeric set, and pads output with =. These three characters are problematic in URLs because + is interpreted as a space, / is a path delimiter, and = is used for query parameters. Base64url (RFC 4648 Section 5, also referenced in RFC 7515 for JWS/JWT) solves this by replacing + with -, / with _, and omitting = padding entirely. JWTs, OAuth tokens, and URL-safe identifiers use Base64url. This tool uses standard Base64 — if you need to decode JWT payloads, use the dedicated JWT Decoder tool on this site.
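
An added example, not part of this tool or the JWT Decoder, of converting between the two RFC 4648 alphabets and reading a JWT payload segment. The function names and the sample token are constructed for illustration, and no signature is verified.

```javascript
// Base64url (RFC 4648 Section 5) -> standard Base64 (Section 4):
// swap the two differing characters and restore the "=" padding.
function base64urlToBase64(input) {
  if (!/^[A-Za-z0-9_-]*$/.test(input)) {
    throw new Error("not a Base64url string");
  }
  // A length of 1 mod 4 cannot occur: one character holds only 6 bits.
  if (input.length % 4 === 1) {
    throw new Error("impossible Base64url length");
  }
  const swapped = input.replace(/-/g, "+").replace(/_/g, "/");
  return swapped + "=".repeat((4 - (swapped.length % 4)) % 4);
}

// Standard Base64 -> unpadded Base64url.
function base64ToBase64url(input) {
  return input.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode one Base64url segment to UTF-8 text; atob() supplies the bytes.
function decodeBase64urlText(segment) {
  const binary = atob(base64urlToBase64(segment));
  const bytes = Uint8Array.from(binary, (ch) => ch.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Read JWT claims without verifying the signature. The payload is only
// encoded, so anyone who holds the token can read it.
function readJwtPayload(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return JSON.parse(decodeBase64urlText(parts[1]));
}

// Constructed token: claims invented here, signature is a placeholder.
const toSegment = (obj) => base64ToBase64url(btoa(JSON.stringify(obj)));
const SAMPLE_JWT = [
  toSegment({ alg: "HS256", typ: "JWT" }),
  toSegment({ sub: "alice", role: "admin" }),
  "signature-placeholder",
].join(".");

console.log(base64urlToBase64("-_8"));   // standard form of bytes FB FF
console.log(readJwtPayload(SAMPLE_JWT)); // claims are readable as-is
```

Reading claims this way is for inspection only; a server must verify the signature before trusting any of them.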

Is Base64 encryption? Is it secure?

No — Base64 is encoding, not encryption. It provides zero security. Anyone can decode a Base64 string instantly without any key, password, or secret. Base64 simply changes the representation of data from binary to text; it does not obscure or protect the content in any way. Never use Base64 as a security measure. If you need to protect sensitive data, use proper encryption (AES-256, RSA) and transmit it over TLS. Base64 is useful for transport encoding — making binary data safe to include in text formats — but it is not a substitute for encryption.

Where is Base64 used in web development?

Base64 appears everywhere in web development. HTTP Basic Authentication encodes the username:password pair as Base64 in the Authorization header. Data URIs use Base64 to embed images, fonts, and SVGs directly in HTML or CSS without a separate HTTP request. Email systems use Base64 via MIME to encode binary attachments. JSON Web Tokens (JWTs) use Base64url to encode their header and payload segments. Kubernetes stores secrets as Base64-encoded values. CI/CD systems like GitHub Actions use Base64 to pass multi-line secrets through environment variables. Even the HTML Canvas API uses Base64 when you call toDataURL() to export an image.

Can I encode images or files to Base64 with this tool?

This tool is designed for text-to-Base64 encoding. It does not have a file upload feature that reads binary data. To convert an image to Base64, you would typically use a command-line tool like base64 on macOS/Linux (e.g., base64 -i image.png), a programming language (Python: base64.b64encode(), Node.js: Buffer.from(data).toString("base64")), or a dedicated file-to-Base64 converter. Once you have the Base64 string, you can paste it into this tool to decode it back and verify the round-trip.

What is a data URI and how does Base64 relate to it?

A data URI is a scheme defined in RFC 2397 that allows you to embed small files directly in HTML, CSS, or JavaScript as inline text instead of linking to an external URL. The format is data:[mediatype][;base64],<data>. For example, a tiny PNG image can be embedded as data:image/png;base64,iVBORw0KGgo... in an <img> tag or CSS background-image property. Base64 is the encoding that makes this possible — it converts the raw binary file into a text string that can live safely inside a text document. Data URIs are useful for small icons, fonts, and SVGs to reduce HTTP requests, but they increase document size by 33% due to Base64 overhead and are not cached separately by browsers.

What does the = padding at the end of a Base64 string mean?

The = character is padding used to make the Base64 output length a multiple of 4. Base64 processes input in groups of 3 bytes (24 bits), producing 4 characters of output. If the input length is not a multiple of 3, padding is added: one leftover byte produces two Base64 characters and ==, while two leftover bytes produce three Base64 characters and a single =. The padding tells the decoder exactly how many bytes were in the original input. Some implementations (notably Base64url and certain APIs) strip the padding since the decoder can infer the original length from the output length, but standard Base64 per RFC 4648 always includes it.
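
The 3-bytes-to-4-characters grouping and the = padding rule described above, written out as an added JavaScript example. It is not this tool's code (the tool uses btoa()), and the function names and sample strings are chosen here for illustration.

```javascript
// RFC 4648 Section 4 alphabet: index 0-63 maps to one output character.
const ALPHABET =
  "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// Encode a Uint8Array by taking 3 bytes (24 bits) at a time and emitting
// four 6-bit indices; a short final group is zero-filled and padded with "=".
function encodeBase64(bytes) {
  let out = "";
  for (let i = 0; i < bytes.length; i += 3) {
    const remaining = Math.min(3, bytes.length - i); // 1, 2 or 3 real bytes
    const b0 = bytes[i];
    const b1 = remaining > 1 ? bytes[i + 1] : 0;
    const b2 = remaining > 2 ? bytes[i + 2] : 0;
    const group = (b0 << 16) | (b1 << 8) | b2; // one 24-bit group

    out += ALPHABET[(group >> 18) & 63];
    out += ALPHABET[(group >> 12) & 63];
    out += remaining > 1 ? ALPHABET[(group >> 6) & 63] : "=";
    out += remaining > 2 ? ALPHABET[group & 63] : "=";
  }
  return out;
}

// Output length is always 4 * ceil(n / 3), which is where the ~33% comes from.
function encodedLength(byteCount) {
  return 4 * Math.ceil(byteCount / 3);
}

// Constructed samples: 1, 2 and 3 bytes give "==", "=" and no padding.
for (const text of ["M", "Ma", "Man"]) {
  const bytes = new TextEncoder().encode(text);
  console.log(bytes.length, encodeBase64(bytes), encodedLength(bytes.length));
}
```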

Does Base64 work with binary data?

Yes — Base64 was specifically designed to encode arbitrary binary data as text. It handles any byte value from 0x00 to 0xFF, which means it can represent images, audio, compressed archives, executables, or any other binary content. This tool focuses on text input, so it encodes your text string as UTF-8 bytes first, then applies Base64 encoding to those bytes. If you need to encode raw binary data (like a file), use a programming language or command-line tool that can read the binary input directly. The Base64 decoding direction in this tool will correctly output the original text from any valid Base64 string.

Is it safe to Base64 encode passwords or secrets?

Base64 encoding does not provide any security — it is trivially reversible by anyone. Never store passwords, API keys, or secrets as "just Base64" and consider them protected. That said, many systems use Base64 as a transport encoding for credentials that are protected by other layers. HTTP Basic Auth Base64-encodes the username:password pair, but security comes from TLS encrypting the connection, not from the Base64 encoding. Kubernetes secrets are Base64-encoded, but access control comes from RBAC policies. Always pair Base64-encoded sensitive data with proper encryption, TLS, and access controls.

What is HTTP Basic Authentication and why does it use Base64?

HTTP Basic Authentication is defined in RFC 7617 and is one of the simplest authentication schemes for web APIs. The client sends an Authorization header with the value "Basic" followed by the Base64-encoded string of username:password. For example, the credentials admin:secret123 become the header Authorization: Basic YWRtaW46c2VjcmV0MTIz. Base64 is used here not for security but to ensure the credentials — which might contain special characters like colons, spaces, or non-ASCII characters — are transmitted safely over HTTP, which only allows printable ASCII in headers. The actual security comes from sending this header over HTTPS (TLS), which encrypts the entire request in transit.
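
Because the header value decodes without any key, a Basic credential that reaches a log file is a leaked credential. The following added example (not from this tool; the function names and log lines are constructed, and the two tokens are the ones quoted on this page) finds such headers in log text, confirms they decode to a username:password pair, and redacts them.

```javascript
// Match an Authorization header carrying Basic credentials (RFC 7617).
const BASIC_RE = /(Authorization:\s*Basic\s+)([A-Za-z0-9+/]+={0,2})/gi;

// Decode a Basic token and split at the first colon only, since the
// password part may itself contain colons. Returns null if it is not
// valid Base64, not valid UTF-8, or has no colon.
function decodeBasic(token) {
  let text;
  try {
    const bytes = Uint8Array.from(atob(token), (ch) => ch.charCodeAt(0));
    text = new TextDecoder("utf-8", { fatal: true }).decode(bytes);
  } catch {
    return null;
  }
  const colon = text.indexOf(":");
  if (colon === -1) return null;
  return { username: text.slice(0, colon), password: text.slice(colon + 1) };
}

// Redact recoverable credentials in one log line and report which
// accounts were exposed (usernames only, never the passwords).
function scrubLine(line) {
  const exposedUsers = [];
  const scrubbed = line.replace(BASIC_RE, (match, prefix, token) => {
    const creds = decodeBasic(token);
    if (!creds) return match; // not a decodable credential, leave as-is
    exposedUsers.push(creds.username);
    return prefix + "[REDACTED]";
  });
  return { scrubbed, exposedUsers };
}

// Constructed log lines for illustration.
const SAMPLE_LOG = [
  'GET /api/v1/items 200 "Authorization: Basic YWRtaW46c2VjcmV0MTIz"',
  'GET /health 200 "Authorization: Bearer opaque-token-value"',
  'POST /login 401 "authorization: basic dXNlcm5hbWU6cGFzc3dvcmQ="',
];

for (const line of SAMPLE_LOG) console.log(scrubLine(line));
```

Any account reported in exposedUsers should have its password rotated, since redacting the log does not undo the exposure.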

Does this tool support Unicode and emojis?

Yes. The browser's native btoa() function only handles Latin-1 characters (code points 0-255), which causes errors on multibyte characters like emojis or Chinese text. This tool wraps btoa() with a UTF-8 encoding step using TextEncoder and encodeURIComponent/decodeURIComponent, so it correctly handles the entire Unicode range — including emojis, CJK characters, Arabic, Cyrillic, mathematical symbols, and any other script. The round-trip is lossless: encoding and then decoding produces the exact original string, byte for byte.
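
One way to write such a wrapper, as an added example that is not this tool's actual source and uses TextEncoder/TextDecoder only. It also shows that bare btoa() accepts Latin-1 text such as "café" but produces different Base64 than the UTF-8 path, which matters when two systems must agree on an encoded credential; the function names and sample strings are constructed here.

```javascript
// UTF-8 aware encode: turn text into bytes first, then hand btoa() a
// "binary string" in which every character is one byte (0-255).
function encodeTextBase64(text) {
  const bytes = new TextEncoder().encode(text);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return btoa(binary);
}

// UTF-8 aware decode. fatal: true rejects byte sequences that are not
// valid UTF-8 instead of silently substituting U+FFFD.
function decodeTextBase64(b64) {
  const bytes = Uint8Array.from(atob(b64), (ch) => ch.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// What bare btoa() does with a string: the Base64 it returns, or null
// when it throws because a code point is above 255.
function bareBtoa(text) {
  try {
    return btoa(text);
  } catch {
    return null;
  }
}

// Compare both paths for one input.
function compare(text) {
  return { text, bare: bareBtoa(text), utf8: encodeTextBase64(text) };
}

// Constructed samples: ASCII, a Latin-1 character (e-acute), and an emoji.
const SAMPLES = ["admin", "caf\u00e9", "\u{1F511}"];
console.log(SAMPLES.map(compare));
```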

What is the maximum string length I can encode or decode?

There is no hard limit imposed by this tool. The practical limit depends on your browser and available device memory. Modern browsers can handle strings of several hundred megabytes, but for very large inputs (10MB+), you may notice a brief delay during encoding or decoding. For typical developer use cases — encoding API keys, credentials, JSON payloads, or small data URIs — the tool handles them instantly. If you need to Base64-encode very large files, a command-line tool or streaming encoder in your programming language of choice will be more memory-efficient.

How does Base64 compare to hexadecimal (hex) encoding?

Both Base64 and hexadecimal are binary-to-text encoding schemes, but they differ in efficiency and use cases. Hex encoding represents each byte as two hexadecimal characters (0-9, a-f), resulting in a 100% size increase — double the original data. Base64 represents every 3 bytes as 4 characters, resulting in only a 33% size increase, making it roughly three times more space-efficient than hex. Hex is simpler and more human-readable — useful for debugging byte values, hash digests (SHA-256, MD5), and color codes. Base64 is preferred when size matters: email attachments, data URIs, authentication headers, and any context where you need compact text representation of binary data.

Limitations

  • Does not support file-to-Base64 conversion (text only)
  • Very large strings may be slow in older browsers
  • Does not handle Base64url variant (use JWT Decoder for that)
