Base64 Encoder & Decoder Free Online
Free online Base64 encoder and decoder. Encode text to Base64 or decode Base64 strings back to plain text instantly.
Base64 encoding is one of the most commonly used encoding schemes in software development, data transfer, and web technologies. It converts binary data or text into a safe, portable ASCII string that can be transmitted through any medium that handles text - including email, JSON, XML, URLs, and HTML. This free Base64 encoder and decoder works entirely in your browser, converting text to Base64 or decoding Base64 back to readable text instantly without any server interaction.
How to Use the Base64 Encoder & Decoder
Enter the text or Base64 string
Type or paste your content into the input field. For encoding, paste the plain text or string you want to convert to Base64. For decoding, paste the Base64 string (typically a long string of letters, numbers, +, /, and = characters) that you want to convert back to readable text.
Click Encode or Decode
Click the Encode button to convert your plain text to Base64. Click the Decode button to convert a Base64 string back to its original text. The result appears instantly in the output panel. If you click Decode on invalid Base64, an error message will indicate that the input is not valid Base64.
Copy the result
Use the Copy button to copy the output to your clipboard. Use it in your application code, API request body, HTML attribute, configuration file, or wherever Base64 encoded data is required.
What Is Base64 Encoding and Why Is It Used?
Base64 is a binary-to-text encoding scheme that represents binary data using only 64 printable ASCII characters: the uppercase letters A-Z, lowercase letters a-z, digits 0-9, and the characters + and /. An = sign is used for padding when the input data length is not a multiple of 3 bytes. This character set is safe to use in virtually every text-based system and protocol.
The reason Base64 exists is that many systems were historically designed to handle only ASCII text, not arbitrary binary data. Email protocols (SMTP), for example, were originally text-only - attaching binary files like images or documents required encoding them as ASCII text first. HTML data URIs embed images directly in HTML as Base64 strings, eliminating a separate HTTP request for small images. HTTP Basic Authentication encodes credentials as Base64 before transmitting them in request headers. These are the most common everyday uses you will encounter.
Common Real-World Uses of Base64
Embedding images in CSS and HTML - instead of using a separate image file URL, you can embed an image directly in HTML or CSS as a Base64 data URI: <img src="data:image/png;base64,iVBOR...">. This eliminates an HTTP request for small icons and logos. The downside is that Base64 data is about 33% larger than the original binary file.
HTTP Basic Authentication - when you log into a website using HTTP Basic Auth, the browser encodes your username and password as Base64 (username:password β base64) and sends it in the Authorization header. This is not encryption - it is simply encoding - so HTTPS is always required for security.
Email attachments (MIME encoding) - email clients encode file attachments as Base64 when including them in email messages. The MIME standard defines how binary attachments are encoded as text so they can pass through email servers that only handle plain text.
API authentication tokens - many APIs use Base64-encoded tokens for authentication. JSON Web Tokens (JWTs) use Base64URL encoding (a URL-safe variant of Base64) to encode the header and payload sections.
Storing binary data in JSON or XML - JSON and XML are text formats that cannot directly contain binary data. When you need to include a binary file (like an image or PDF) in a JSON API response, Base64 encoding allows you to represent that binary data as a JSON string value.
Base64 vs Base64URL
Standard Base64 uses + and / as the 62nd and 63rd characters, and = for padding. These characters have special meanings in URLs - + means a space in query strings, / is a path separator, and = can cause issues in some contexts. Base64URL is a URL-safe variant that replaces + with - and / with _ and typically omits padding (the = signs). Base64URL is used in JSON Web Tokens (JWTs), OAuth tokens, and anywhere Base64 data needs to appear in a URL without additional encoding.
Security Considerations - Base64 Is Not Encryption
This is the most critical point to understand about Base64: encoding is not encryption. Base64 encoded data can be decoded by anyone without any key or secret - it provides zero security or confidentiality. Base64 is purely for data representation, not protection.
Common security mistakes:
Mistake 1: Using Base64 to "hide" passwords or API keys. Some developers mistakenly believe that Base64 encoding credentials makes them secure. It does not. Anyone who has the encoded string can decode it instantly without any key. HTTP Basic Authentication encodes credentials as Base64, which is why HTTPS is absolutely required - without TLS encryption, the credentials are trivially readable by anyone intercepting the request.
Mistake 2: Storing sensitive data in Base64 and assuming it is protected. Base64 is reversible by design. If you need to protect data at rest or in transit, use encryption algorithms like AES (symmetric) or RSA (asymmetric) with proper key management. Base64 is often used after encryption to represent the encrypted binary data as text, but the encryption is what provides security, not the Base64 encoding.
Mistake 3: Using Base64 to obfuscate URLs or tokens. Some systems encode IDs or tokens in Base64 as a weak form of obfuscation. This provides no real security - automated tools can detect and decode Base64 strings trivially. If an ID must be non-guessable, use a cryptographically random UUID or a signed token like a JWT.
When Base64 is appropriate for security contexts: Base64 is commonly used to encode encrypted data, hashes, digital signatures, and other cryptographic outputs so they can be transmitted as text. For example, HTTPS certificates are Base64-encoded (PEM format), encrypted messages are often Base64-encoded for email transmission, and cryptographic signatures are Base64-encoded before including them in JWTs. In all these cases, the security comes from the cryptography, and Base64 is just the transport encoding.
Real-World Integration Examples
Here are practical code examples showing how Base64 encoding is used in different programming languages and frameworks:
JavaScript/Node.js - Encoding and decoding:
// Browser
const encoded = btoa("Hello World"); // "SGVsbG8gV29ybGQ="
const decoded = atob(encoded); // "Hello World"
// Node.js (for UTF-8 text)
const encoded = Buffer.from("Hello World", "utf-8").toString("base64");
const decoded = Buffer.from(encoded, "base64").toString("utf-8");
Python - Encoding and decoding:
import base64
text = "Hello World"
encoded = base64.b64encode(text.encode("utf-8")) # b'SGVsbG8gV29ybGQ='
decoded = base64.b64decode(encoded).decode("utf-8") # "Hello World"
HTTP Basic Authentication header:
// Construct Authorization header
const username = "user@example.com";
const password = "mypassword";
const credentials = btoa(`${username}:${password}`);
const authHeader = `Basic ${credentials}`;
// "Basic dXNlckBleGFtcGxlLmNvbTpteXBhc3N3b3Jk"
Embedding an image in HTML as a data URI:
// Read file as Base64
const fileInput = document.querySelector('input[type="file"]');
const file = fileInput.files[0];
const reader = new FileReader();
reader.onload = (e) => {
const dataUri = e.target.result;
// data:image/png;base64,iVBORw0KGgoAAAA...
document.querySelector('img').src = dataUri;
};
reader.readAsDataURL(file);
Common Base64 Encoding Pitfalls and Solutions
Pitfall 1: UTF-8 encoding issues. When encoding non-ASCII text (international characters, emoji), you must first encode the text as UTF-8 bytes before Base64 encoding. In JavaScript, btoa() does not handle UTF-8 correctly - you must use encodeURIComponent() and unescape() to properly convert to UTF-8 first. In modern code, use TextEncoder instead.
// Correct way to Base64 encode UTF-8 text in browser
const text = "Hello δΈη π";
const utf8Bytes = new TextEncoder().encode(text);
const base64 = btoa(String.fromCharCode(...utf8Bytes));
Pitfall 2: Line breaks in encoded output. Some Base64 encoders insert line breaks every 64 or 76 characters for readability (PEM format, MIME encoding). When using Base64 in URLs, JSON, or HTTP headers, line breaks are invalid and must be removed. Always strip whitespace when decoding Base64 from external sources.
Pitfall 3: Confusing Base64 with Base64URL. Standard Base64 and Base64URL are incompatible. A JWT (which uses Base64URL) will fail to decode if you use a standard Base64 decoder. Similarly, including standard Base64 (with + and /) in a URL query parameter will corrupt the data because + is interpreted as a space. Use the correct variant for your context.
Pitfall 4: Missing or incorrect padding. Some Base64 implementations strip the = padding characters. When decoding, missing padding can cause errors. Most decoders tolerate missing padding and add it automatically, but if you encounter decoding errors, try appending = characters until the length is a multiple of 4.
Learn More About Base64
For more information about Base64 encoding and its technical specifications:
- RFC 4648 - Base64 Data Encoding - Official IETF specification defining Base64, Base32, and Base16 encoding schemes
- MDN Web Docs - Base64 - Comprehensive guide to Base64 encoding in web development with JavaScript examples