Base64 Encoder & Decoder
Encode text to Base64 or decode it back — with a one-click toggle for URL-safe base64url and full UTF-8 support for emoji and non-English text. Free, instant, and entirely in your browser.
This tool runs entirely in your browser. Your text is encoded and decoded locally with the built-in btoa and atob functions over UTF-8 bytes — nothing is uploaded or stored.
Base64 output
output appears hereWhat Base64 is for — and what it is not for
Base64 solves one specific problem: moving arbitrary binary data through channels that only safely carry text. It maps every three bytes onto four printable ASCII characters drawn from a 64-symbol alphabet. That is why you see it in email attachments (MIME), in data URIs that inline a small image directly into HTML or CSS, in the header and payload of a JWT, and in countless API fields that need to carry bytes inside JSON.
It is not encryption. This bears repeating because it is the most common and most dangerous misunderstanding in the field. Base64 is fully reversible with no key — decoding takes microseconds. We have found credentials "protected" by Base64 in config files, in client-side code, and in logs, all of which is equivalent to storing them in plain text. If a value needs to stay secret, encrypt it properly and protect it in transit with TLS. Encoding and confidentiality are entirely different concerns.
Standard vs. URL-safe. Classic Base64 uses + and / and pads with =. Those characters get mangled in URLs and filenames, so base64url substitutes - and _ and drops the padding. This is the variant JSON Web Tokens use — which is exactly why our JWT decoder decodes base64url, not standard Base64. Flip the URL-safe toggle here to match whichever your system expects.
The UTF-8 detail that trips people up. The browser's native btoa only accepts single-byte (Latin-1) characters and throws the moment you hand it an emoji or an accented letter. This tool encodes your text to UTF-8 bytes first, so the entire Unicode range round-trips cleanly. If you have ever seen a "character out of range" error from btoa, this is the fix.
Sending binary data through APIs correctly — when to Base64-inline, when to use multipart uploads, when to hand back a signed URL — is a recurring design decision. Our Next.js and Stripe integration guide and our API development services cover the trade-offs in depth.
How to use it
Choose Encode or Decode. Type or paste your text on the left and the result updates live on the right. Tick URL-safe if you need base64url (for example, to match a JWT segment). The Swap button feeds the current output back as input and flips direction — handy for round-tripping. If you try to decode something that is not valid Base64, you will get a clear error instead of garbled output. Everything runs locally, so closing the tab clears it all.
FAQs
Is Base64 encryption?
No — and this is the single most important thing to understand. Base64 is an encoding, not encryption. It reversibly maps binary data onto 64 printable ASCII characters so that data can travel safely through text-only channels like email headers or JSON. Anyone can decode it instantly with no key. Never use Base64 to hide passwords, tokens, or secrets; it provides zero confidentiality. Use real encryption (and TLS in transit) when data must stay private.
What is the difference between Base64 and base64url?
Standard Base64 uses + and / as its last two characters and pads with = signs. Those characters have special meaning in URLs and filenames, so base64url swaps + for - and / for _, and usually drops the padding. It is the variant used inside JSON Web Tokens, in many JWT and OAuth flows, and anywhere a value rides in a URL path or query string. Toggle the URL-safe option in this tool to switch between the two.
Does it handle emoji and non-English text?
Yes. The tool encodes text as UTF-8 bytes before Base64-encoding, so emoji, accented characters, and non-Latin scripts round-trip correctly. This matters because the raw btoa function only handles single-byte characters and throws on anything outside Latin-1. By going through UTF-8 first, the full Unicode range is supported in both directions.
Why is my Base64 output longer than the input?
Base64 represents every 3 bytes of input as 4 ASCII characters, so encoded output is roughly 33% larger than the original. That overhead is the cost of being text-safe. It is why you embed small assets like icons as Base64 data URIs but stream large files as binary — inlining a multi-megabyte image as Base64 bloats your HTML and hurts load time.
Is my text sent to a server?
No. Encoding and decoding happen entirely in your browser using the native btoa and atob functions over UTF-8 bytes. Nothing is uploaded, logged, or stored, and the tool makes zero network requests. You can verify this in your browser's network tab. That makes it safe for values you would not want to paste into a remote service.
Related tools
Related engineering reading
All postsAdding AI Features to Your SaaS (2026)
Where AI helps, build-vs-API trade-offs, evals, guardrails, and shipping without torching margins.
Read postAPI Rate Limiting Strategies for 2026
Token bucket vs sliding window, per-key quotas, 429 semantics, and where to enforce limits.
Read postAPI Security Best Practices (2026)
Auth, rate limiting, input validation, secrets, and the OWASP API Top 10.
Read post
Encoding a secret is not securing it
If your application leans on Base64 anywhere it should be using real encryption, that is a finding waiting to happen. We design systems that handle credentials and sensitive data correctly, and we audit the ones you already run. Talk to us about a build or a security review.
Or reach us directly: (770) 652-1282 · beltz@quantlabusa.dev