Skip to content
Scratchpad
Your text never leaves your browser

Base64 Encode/Decode

Encode it. Decode it. Forget what Base64 is for. Repeat.

Input
Output

What this does

DEVS: TextEncoder → btoa() for encode. atob() → TextDecoder for decode. Handles UTF-8.

Paste plain text, get Base64. Paste Base64, get plain text back. The tool auto-detects which direction you probably want, but you can force it either way. It handles UTF-8 properly, so emojis, accented characters, and CJK text won't turn into garbage on the other end.

Base64 is a binary-to-text encoding. It takes any sequence of bytes and represents it using 64 safe ASCII characters (A-Z, a-z, 0-9, +, /). Every 3 bytes of input become 4 characters of output, which means Base64-encoded data is about 33% larger than the original. That's the tradeoff: you get text that's safe to embed anywhere, but it costs you some size.

It shows up in more places than people realize. Data URIs in CSS and HTML (those data:image/png;base64,... strings). Email attachments under the hood, because MIME encoding is Base64. HTTP Basic auth headers, where your username and password get Base64-encoded (which is encoding, not encryption, a distinction that matters). JWT tokens are Base64url-encoded in each of their three segments. And plenty of APIs return binary data as Base64 strings in JSON responses because JSON has no native binary type.

The UTF-8 handling is worth mentioning because it's where most Base64 tools quietly break. The browser's built-in btoa() function only handles Latin-1 characters. Throw an emoji or a Chinese character at it and it throws an error. This tool runs the text through TextEncoder first to get proper UTF-8 bytes, then encodes those. On decode, it reverses the process with TextDecoder. So yes, you can round-trip 🍕 without losing anything.

You might also run into Base64url, a variant that replaces + with - and / with _, and drops the = padding. It exists because regular Base64 characters conflict with URL syntax. JWTs use this variant. If you're decoding a JWT segment and the output looks wrong, check whether it's Base64url and swap the characters accordingly.

Runs entirely in your browser. No server, no logs, no upload. Your API tokens, auth headers, and mysterious encoded config values stay on your machine. Paste, click, copy. Paste something else.