To encode or decode Base64 online, open a browser-based Base64 Encoder/Decoder, paste your text into the input box, choose Encode or Decode, and copy the result. The whole thing runs in your browser, so nothing is uploaded to a server. Base64 turns arbitrary bytes into a safe ASCII string of letters, digits, +, /, and =, which is exactly why it shows up everywhere from data URIs to email attachments to JSON Web Tokens.
This guide explains what Base64 is, how the algorithm actually works (6-bit groups and padding), how to encode and decode both text and files, the URL-safe variant, when you should reach for it, and the single most important thing to remember: Base64 is not encryption.
What Is Base64?
Base64 is a binary-to-text encoding scheme. It takes raw bytes — which can include unprintable control characters, null bytes, or anything else — and represents them using only 64 printable ASCII characters that survive being copied, pasted, emailed, and stuffed into text-based formats.
The 64-character alphabet is:
| Range | Characters | Values |
|---|---|---|
| Uppercase | A–Z |
0–25 |
| Lowercase | a–z |
26–51 |
| Digits | 0–9 |
52–61 |
| Symbols | + and / |
62 and 63 |
| Padding | = |
(not a value) |
Because there are exactly 64 symbols, each one represents 6 bits of data (2⁶ = 64). That 6-bit unit is the heart of how the algorithm works.
How Base64 Encoding Works (6-Bit Groups and Padding)
Computers store data in 8-bit bytes. Base64 regroups those bits into 6-bit chunks so each chunk maps to one character in the alphabet. The least common multiple of 8 and 6 is 24, so Base64 processes the input 3 bytes at a time (24 bits) and produces 4 characters (4 × 6 = 24 bits).
Let’s encode the word Man step by step.
Step 1 — Convert each character to its byte value (ASCII):
M = 77 = 01001101
a = 97 = 01100001
n = 110 = 01101110
Step 2 — Concatenate the bits into one 24-bit block:
01001101 01100001 01101110
Step 3 — Regroup into four 6-bit chunks:
010011 010110 000101 101110
Step 4 — Convert each 6-bit value to decimal, then to its alphabet character:
010011 = 19 = T
010110 = 22 = W
000101 = 5 = F
101110 = 46 = u
So Man encodes to TWFu. Three input bytes became four output characters — that’s the consistent 4:3 size ratio, which means Base64 output is always about 33% larger than the input.
Where Padding Comes In
What happens when the input length isn’t a clean multiple of 3? That’s where the = padding characters appear. Take the single letter M:
M = 01001101 (only 8 bits)
Regroup into 6-bit chunks and pad the last chunk with zeros:
010011 010000 (8 bits + 4 zero bits)
010011 = 19 = T
010000 = 16 = Q
We have 2 characters (TQ), but a Base64 group is always 4 characters wide, so we fill the rest with =:
M -> TQ==
Ma -> TWE=
Man -> TWFu
| Input bytes | Output | Padding |
|---|---|---|
| 1 byte | 2 chars + == |
two equals signs |
| 2 bytes | 3 chars + = |
one equals sign |
| 3 bytes | 4 chars | no padding |
This is why valid Base64 length is always a multiple of 4, and why you’ll see strings ending in = or == but never ===.
How to Encode and Decode Base64 Online (Step by Step)
The fastest, safest way to do this is a client-side tool. Open the Base64 Encoder/Decoder — it runs entirely in your browser, so the data you paste never leaves your machine.
To Encode Text
- Open the Base64 Encoder/Decoder.
- Select Encode mode.
- Paste or type your plain text into the input box (for example,
Hello, World!). - The encoded result appears instantly:
SGVsbG8sIFdvcmxkIQ==. - Click Copy to grab the output.
To Decode Base64
- Open the same tool and switch to Decode mode.
- Paste the Base64 string (for example,
SGVsbG8sIFdvcmxkIQ==). - The original text appears:
Hello, World!. - Copy the decoded result.
Because everything happens locally, you can safely paste internal config snippets or debug data without worrying about it being logged on a remote server.
Encoding and Decoding from the Command Line
If you prefer the terminal, every major OS ships with a base64 utility:
# Encode a string (macOS / Linux)
echo -n "Hello, World!" | base64
# -> SGVsbG8sIFdvcmxkIQ==
# Decode it back
echo "SGVsbG8sIFdvcmxkIQ==" | base64 --decode
# -> Hello, World!
# Encode a file (e.g., an image)
base64 logo.png > logo.b64
# Decode a file back to binary
base64 --decode logo.b64 > logo_restored.png
The -n flag on echo matters: without it, echo appends a trailing newline that becomes part of the encoded bytes and changes the output.
In JavaScript, the browser built-ins are btoa() (encode) and atob() (decode), though they only handle Latin-1 directly — for full Unicode you must encode to UTF-8 bytes first:
// Unicode-safe encode in the browser
btoa(String.fromCharCode(...new TextEncoder().encode("café")));
// -> "Y2Fmw6k="
URL-Safe Base64
Standard Base64 uses + and /, but both characters have special meaning in URLs (+ can mean a space, / is a path separator) and / is illegal in filenames. The URL-safe variant (defined in RFC 4648) solves this by swapping two characters:
| Character | Standard Base64 | URL-safe Base64 |
|---|---|---|
| Value 62 | + |
- |
| Value 63 | / |
_ |
| Padding | = (kept) |
often omitted |
So a standard string like a+b/c== becomes a-b_c in URL-safe form. This is the encoding used inside JSON Web Tokens — each of the three dot-separated segments is URL-safe Base64 with the padding stripped, which is exactly why you can decode a JWT with any Base64 tool once you re-add the padding.
When Should You Use Base64?
Base64 is the right tool whenever you need to move binary data through a channel that only reliably handles text. Common cases:
- Data URIs — Embed a small image or font directly in HTML/CSS so it loads with no extra HTTP request:
<img src="data:image/png;base64,iVBORw0KGgo...">. Our image-to-Base64 tool is handy for generating these. (Use it only for small assets — remember the 33% size increase.) - Email attachments — The MIME standard uses Base64 to send images and documents over SMTP, a text-based protocol.
- JWTs and tokens — The header and payload of a JSON Web Token are URL-safe Base64-encoded JSON.
- Embedding binary in JSON or XML — JSON has no native binary type, so byte data (small files, hashes, keys) is commonly carried as a Base64 string. If you work with that data a lot, a JSON formatter pairs well with a Base64 tool.
- Basic HTTP auth — The
Authorization: Basicheader isusername:passwordBase64-encoded (which, as we’ll see, is not security).
Why Base64 Is NOT Encryption
This is the most important takeaway in the whole guide. Base64 provides zero confidentiality. There is no key, no secret, and no algorithm to break — decoding is a deterministic, public, reversible operation that anyone can perform in one second with the same tool you used to encode.
If you Base64-encode a password and store it, you have stored the password in plain sight. The HTTP Basic auth header Authorization: Basic dXNlcjpwYXNzd29yZA== decodes trivially to user:password, which is exactly why Basic auth must only ever run over HTTPS.
| Base64 (encoding) | Encryption | |
|---|---|---|
| Needs a key? | No | Yes |
| Reversible by anyone? | Yes, instantly | No, only with the key |
| Hides data? | No | Yes |
| Purpose | Safe transport of bytes as text | Confidentiality |
If your goal is to protect a secret, you need real cryptography (AES, for example) — and if you need credentials that humans can’t reverse, you want a strong, randomly generated password plus proper hashing, never Base64.
Common Mistakes and Pitfalls
- Treating Base64 as security. Covered above, but it bears repeating: encoding is not hiding.
- Forgetting the trailing newline.
echo "text"adds a\nthat gets encoded. Useecho -norprintfto avoid a surprise extra character at the end of your bytes. - Mixing up standard and URL-safe alphabets. Decoding URL-safe Base64 with a strict standard decoder fails on
-and_. Convert-→+and_→/first, or use a tool that auto-detects both. - Missing or wrong padding. Some systems strip
=padding. If a decoder errors out, re-add=characters until the string length is a multiple of 4. - Unicode corruption with
btoa(). The browser’sbtoa()throws on characters outside Latin-1. Always go text → UTF-8 bytes → Base64 for non-ASCII content. - Using Base64 for large files in JSON or data URIs. The 33% bloat plus the decode cost adds up fast. For big assets, link to the file instead of embedding it.
Quick Reference
| Task | Command / Method |
|---|---|
| Encode text (online) | Paste into the Base64 Encoder/Decoder, Encode mode |
| Decode text (online) | Paste into the tool, Decode mode |
| Encode (CLI) | echo -n "text" | base64 |
| Decode (CLI) | echo "b64" | base64 --decode |
| Encode (JS) | btoa(unescape(encodeURIComponent(str))) |
| Decode (JS) | decodeURIComponent(escape(atob(str))) |
| URL-safe swap | +→-, /→_, drop = |
Try It Now
Skip the manual bit-shuffling. The free, in-browser Base64 Encoder/Decoder handles encoding, decoding, and copy-to-clipboard in one place — paste your input, pick a mode, copy the output. Nothing is uploaded; everything runs locally in your browser.
Frequently Asked Questions
Is Base64 the same as encryption?
No. Base64 is a reversible encoding, not encryption. Anyone can decode it instantly with no key, so never use it to hide passwords or secrets.
Why does Base64 output sometimes end in one or two equals signs?
The = characters are padding. They fill out the final group when the input length isn’t a multiple of 3 bytes, so the encoded length is always a multiple of 4.
What is URL-safe Base64?
URL-safe Base64 replaces the + and / characters with - and _ so the string can be used in URLs and filenames without escaping. JWTs use this variant.
Related Guides
- How to Decode a JWT Token — JWTs are built from URL-safe Base64 segments.
- How to Format JSON Online — clean up the JSON you often find Base64-encoded inside.
- How to Generate a Strong Password — for real secrets, never rely on encoding.