Base64 Encoder / Decoder
Secure, client-side Base64 utility. Encode, decode, verify, and convert between text, images, and Base64 formats instantly.
Click or drag an image
Supports PNG, JPG, WEBP, etc.
Image output will appear here
Wait for input
Enter a string to check if it's a valid Base64 encoded data.
What is Base64?
Base64 is a binary-to-text encoding scheme that represents binary data using a set of 64 printable ASCII characters: A-Z, a-z, 0-9, +, and /, with = used for padding. It was standardised in RFC 4648 and is ubiquitous in web, email, and API infrastructure.
The name comes from the MIME content-transfer-encoding standard. "Base64" simply means the encoding uses a radix (base) of 64 - the smallest power of two that produces a set of printable characters large enough to be reliably transmitted over any legacy text channel.
How Base64 Encoding Works
The algorithm processes input bytes in groups of three (24 bits). Each group is split into four 6-bit values, and each 6-bit value maps to a character in the Base64 alphabet. Because 26 = 64, every possible 6-bit combination has exactly one character.
- Take 3 input bytes (24 bits total).
- Split into four 6-bit groups.
- Map each 6-bit group to its Base64 character using the alphabet table.
- If the input length is not a multiple of 3, pad the output with
=characters to make the total length a multiple of 4.
The result is always approximately 33% larger than the original - every 3 bytes becomes 4 characters. This size overhead is the primary trade-off when choosing Base64 over binary transfer.
Common Use Cases
Data URIs
Embed images, fonts, and other assets directly in HTML or CSS using data:image/png;base64,... URIs, eliminating extra HTTP requests for small assets.
Email Attachments (MIME)
SMTP was designed for 7-bit ASCII text. MIME encodes binary attachments (PDFs, images) as Base64 so they survive transit through mail servers that strip or corrupt high-bit bytes.
JSON Web Tokens (JWT)
JWTs use URL-safe Base64 (Base64url) to encode their header, payload, and signature as URL-friendly strings that can be passed in Authorization headers and query parameters without escaping.
Basic HTTP Authentication
The HTTP Basic Auth scheme encodes credentials as username:password in Base64 and sends them in the Authorization header. Always use HTTPS alongside it.
Cryptographic Keys & Certificates
PEM files (SSL/TLS certificates, RSA keys) are Base64-encoded DER binary wrapped between -----BEGIN...----- headers. This makes binary crypto data copy-pasteable.
Binary Data in JSON & XML
JSON and XML are text formats. When an API needs to transfer binary blobs (audio, images, encrypted payloads), Base64 is the standard way to safely embed them as a string field.
Standard vs. URL-Safe Base64
Standard Base64 uses + and / as the 62nd and 63rd characters. These have special meaning in URLs - + means space and / separates path segments - so standard Base64 must be percent-encoded when placed in a URL.
URL-safe Base64 (Base64url, defined in RFC 4648 §5) substitutes - for + and _ for /, and optionally omits the = padding. This produces strings safe for use in URLs, filenames, and HTTP headers without any percent-encoding. JWTs always use Base64url.
Base64 is Not Encryption
A common misconception is that Base64 provides security or confidentiality. It does not. Base64 is purely an encoding - a reversible, deterministic transformation with no secret key. Anyone can decode Base64 instantly with freely available tools.
If you need to protect sensitive data, use proper encryption (AES, ChaCha20) or hashing (SHA-256, bcrypt for passwords). Base64 is appropriate only for encoding - ensuring data survives transport through text-only channels - never for hiding it.
Padding and the = Character
Because Base64 processes input in 3-byte chunks, input lengths that are not multiples of 3 require padding. One leftover byte produces two Base64 characters followed by ==; two leftover bytes produce three characters followed by =.
Padding is mandatory in standard Base64 (RFC 4648 §3.2) but is optional and often omitted in Base64url contexts such as JWTs. Most decoders handle both padded and unpadded input correctly. Use the No Padding toggle above to strip = characters when your target system requires unpadded output.