Encoding runs in your browser — no text or files are sent to any server.
Skip to Base64 encoderBase64 works by grouping input bytes into 3-byte (24-bit) chunks and encoding each chunk as 4 printable ASCII characters chosen from a 64-character alphabet: A–Z, a–z, 0–9, +, and /. Because the output is pure ASCII, it survives transmission through email servers, HTTP headers, URLs, JSON strings, and XML documents — all of which may corrupt or reject raw binary data.
Base64 is encoding, not encryption. It provides zero confidentiality — anyone can decode it in seconds. Its sole purpose is format compatibility: making binary data safe to store or transmit in text contexts. The cost is a 33% size increase, because 3 binary bytes expand to 4 text characters.
Common real-world scenarios where this tool saves time.
Encode API credentials (username:password) to Base64 for Basic Auth HTTP headers. Required by many REST APIs, developer portals, and legacy authentication systems as the standard credential transport format.
MIME encoding uses Base64 to embed binary files — images, PDFs, audio — as text blocks inside email messages. This allows binary files to pass through email protocols that only support printable ASCII characters.
Convert small images, fonts, or SVGs to Base64 data URIs (src='data:image/png;base64,...') to embed them directly in HTML or CSS without separate HTTP requests — reduces round trips for small critical assets.
JWT header and payload sections are Base64URL-encoded JSON. Decode either section during debugging to inspect claims (expiry, user ID, scopes, issuer) without needing a JWT library or auth server access.
Input
Username: apiuser · Password: s3cr3t!Output
Base64('apiuser:s3cr3t!') = YXBpdXNlcjpzM2NyM3Qh → Authorization: Basic YXBpdXNlcjpzM2NyM3QhHTTP Basic Auth combines credentials as 'username:password', encodes to Base64, and sends the result as an Authorization header. This illustrates why Basic Auth is not secure without HTTPS — the credentials are trivially decoded by anyone who intercepts the header.
Input
JWT payload segment: eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQOutput
{"sub":"1234567890","name":"John Doe","iat":1516239022}JWT tokens consist of three Base64URL-encoded sections separated by dots (header.payload.signature). Decode the middle section to inspect claims — user ID, issued-at time, expiry, roles — without needing a library. Decoding reveals the content but does not verify the signature.
Input
Small PNG icon binary data (e.g. a 1×1 red pixel)Output
src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mP8z8BQDwADhQGAWjR9awAAAABJRU5ErkJggg=="Encode small images to Base64 and embed them directly as data URIs in HTML or CSS — eliminating an HTTP request. Keep this technique to images under 10 KB; larger files cause more harm than good by bloating the HTML document.
Step-by-step chains that connect related tools for common tasks.
Different Base64 standards use different character sets for characters 62 and 63.
| Variant | Char 62 | Char 63 | Padding | Defined In | Common Use |
|---|---|---|---|---|---|
| Standard Base64 | + | / | = (required) | RFC 4648 §4 | MIME email, HTTP headers, general encoding |
| URL-safe Base64 | - | _ | = (optional) | RFC 4648 §5 | JWT tokens, URL parameters, filenames |
| Base64 for IMAP (Modified UTF-7) | + | , | None | RFC 3501 | IMAP mailbox names |
| bcrypt Base64 | . | / | None | bcrypt spec | bcrypt password hashes only |
Standard Base64 + and / characters must be percent-encoded in URLs, causing double-encoding bugs. Always use URL-safe Base64 (RFC 4648 §5) for JWT tokens, OAuth codes, API keys embedded in URLs, and cookie values.
MIME-encoded Base64 (email attachments) inserts line breaks every 76 characters per RFC 2045. Browser atob() rejects whitespace. Strip newlines, carriage returns, and spaces before decoding any multi-line Base64 input.
Base64 is fully reversible — encoded passwords are as insecure as plaintext. Hash passwords with bcrypt, Argon2, or scrypt instead. The only legitimate use of Base64 with passwords is in HTTP Basic Auth headers, where HTTPS provides transport security.
Base64 adds 33% overhead. For large files, applying gzip or deflate compression before Base64 encoding can result in smaller output than raw Base64 of the original.
A valid Base64 string length is always a multiple of 4. If decoding data from an external source, verify ceil(outputBytes / 3) * 4 == encodedLength (ignoring padding) before attempting decode to catch truncated or corrupted inputs.
Base64 provides zero security. Anyone who sees a Base64 string can decode it instantly. Use HTTPS for transport security and proper encryption (AES-256) for data at rest. Never store passwords or secrets as Base64 — use hashing (bcrypt, Argon2) instead.
Standard Base64 uses '+' and '/' which have special meaning in URLs and must be percent-encoded (%2B, %2F). Use URL-safe Base64 (replaces + with - and / with _) for tokens, query parameters, and JWT signatures.
Base64 output is always 33% larger than input — it is an encoding, not a compression algorithm. If size matters, compress the data first (gzip, deflate) then Base64-encode the compressed result.
Base64 is reversible encoding with no key—anyone who intercepts the string can decode it instantly. Use Hash Generator for one-way digests (SHA-256, bcrypt) or real encryption (AES-GCM) for confidentiality. Never treat Base64 as security.
Percent-encoding (%20, %26) is for URL components—not arbitrary binary. Use URL Encoder/Decoder for encodeURIComponent/encodeURI work. Use this tool when you need binary-to-text (attachments, auth headers, data URIs).
This page shows text output and a raw file download. For live image preview, zoom, checkerboard background, and format badges, use Base64 to Image instead.
Image to Base64 is built for copy-ready data URLs, dimension stats, and framework snippets. This tool targets encode/decode debugging, JWT segments, and Basic Auth strings.
Decoding one Base64URL segment is fine for quick checks, but JWT Decoder parses all three dot-separated parts, converts exp/iat timestamps, and flags expired tokens—paste the full token there.
Hashing cannot be reversed; Base64 can. Use Hash Generator when you need SHA-256, SHA-512, or MD5 verification—not Base64 encode.
Data URIs add ~33% overhead and block HTML parsing. Host assets on a CDN or static file server; reserve inline Base64 for tiny icons and critical sprites under roughly 10 KB.
Hex (Base16) shows each byte as two characters and is easier to scan for magic numbers and offsets. Use Text to Hex when you want a readable byte map instead of compact Base64.
Fix:
Fix:
Fix:
Fix:
Fix:
Base64 is defined in RFC 4648. The encoder reads input 3 bytes at a time (24 bits), splits those 24 bits into four 6-bit groups, and maps each 6-bit value to a character in the Base64 alphabet (A=0, B=1, … Z=25, a=26, … z=51, 0=52, … 9=61, +=62, /=63). When input length is not a multiple of 3, the final group is padded with zero bits and '=' padding characters are appended to produce a 4-character-aligned output. URL-safe Base64 (RFC 4648 §5) substitutes '+' with '-' and '/' with '_' to produce output safe for URL path segments and query parameters without percent-encoding.
Select 'Encode' to convert plain text or binary data to Base64, or 'Decode' to convert a Base64 string back to its original content.
Enter the text string or Base64-encoded value in the input field. Results update instantly — no button click needed for most inputs.
Enable URL-safe Base64 to replace + with - and / with _ — required when embedding Base64 in URLs, query parameters, or JWT tokens where standard characters cause parsing errors.
Click 'Copy' to send the result to your clipboard. All processing runs entirely in your browser — no data is transmitted to any server.
Advertisement
No. Base64 is encoding, not encryption. It converts binary data to printable ASCII text for safe transmission through text-only protocols. Anyone can decode it instantly — it provides no security or confidentiality. For security, use HTTPS for transmission and AES-256 encryption for data at rest.
Standard Base64 uses A–Z, a–z, 0–9, +, and /. URL-safe Base64 (Base64URL) replaces + with - and / with _ to avoid characters that have special meaning in URLs and HTTP headers. JWTs use Base64URL for their header and payload sections. Use URL-safe Base64 whenever embedding the output in a URL, cookie, or JWT.
Base64 processes input in 3-byte groups. When input length is not a multiple of 3, the final group is padded to produce a complete 4-character block. One = means one padding byte was added; == means two were added. The total output length is always a multiple of 4 characters.
Yes. Base64 encodes any binary data — images, PDFs, audio, executables. The output is always ASCII text regardless of input type. Binary content produces valid Base64 but the decoded output must be handled as binary (saved as a file), not displayed as text in a text area.
The encoded input is likely a binary file (image, PDF, zip archive) rather than text. Base64 encodes any binary data, but displaying binary bytes as text produces unreadable characters. Download the decoded output as a file rather than reading it as text.
Base64 output is always approximately 33% larger than the input. Every 3 bytes of input produces 4 Base64 characters. Including line breaks (MIME format adds one every 76 characters), the overhead rises slightly to about 37%. If file size matters, compress the data first.
Use the FileReader API: reader.readAsDataURL(file) gives a data URI with Base64 content after the comma. For just the Base64 string without the data: prefix, use FileReader.readAsArrayBuffer() then convert the array buffer to Base64 manually, or use a library like js-base64.
A data URI embeds file content directly in an HTML src or CSS url() attribute: data:image/png;base64,iVBOR.... The browser decodes and displays it without a separate HTTP request. Best used for small files (under 10 KB) — larger files increase HTML size and block rendering.
Use the base64 module: import base64; decoded = base64.b64decode('SGVsbG8=').decode('utf-8'). For URL-safe Base64, use base64.urlsafe_b64decode(). Always call .decode('utf-8') after b64decode to get a string from bytes. If the input has missing padding, add = characters: base64.b64decode(s + '==') safely handles most cases.
Use atob() for standard Base64: const text = atob('SGVsbG8='); // 'Hello'. For URL-safe Base64 (used in JWTs), replace - with + and _ with / first: atob(base64url.replace(/-/g, '+').replace(/_/g, '/')). For binary data or files, use Uint8Array from atob() output or the browser FileReader API.
JWT (JSON Web Token) uses Base64URL encoding (a URL-safe variant) to encode the header and payload sections. The format is header.payload.signature — each dot-separated part is independently Base64URL-encoded. The payload contains JSON claims (sub, exp, iat, etc.). Decoding the middle section gives you readable JSON without needing the signing secret. Paste a JWT into the JWT Decoder to inspect claims directly.
Yes. Drop your image into this tool and get the full data URI string: data:image/jpeg;base64,/9j/4AA.... Copy it into an HTML img src attribute: <img src="data:image/jpeg;base64,..." />. This embeds the image directly in your HTML without a separate server request. Best for icons and small images under 10 KB; larger images slow down page load because they block HTML parsing.
Base64 handles all byte values including spaces — there is no special treatment needed. The input is converted to bytes first (via UTF-8 encoding), then every 3 bytes become 4 Base64 characters. A space character (0x20) is encoded as part of the byte stream normally. The issue arises if you need to embed Base64 output inside a URL — in that case, use URL-safe Base64 (replace + with - and / with _) so the encoded string doesn't break URL parsing.
Standard Base64 is deterministic — identical input always produces identical output. However, if the character encoding changes (UTF-8 vs Latin-1 vs Windows-1252), the underlying bytes differ and the Base64 output changes. This tool always uses UTF-8 encoding. If your Base64 output differs from another tool's output, check whether both are encoding the input text in the same character set.
All Base64 encoding and decoding runs entirely in your browser's JavaScript engine. Your input — including API keys, credentials, tokens, and file content — is never transmitted to any server.
Encoding and decoding are exact and reversible — decode(encode(x)) always returns x for valid input. The 33% size overhead is a mathematical property of the 6-bit-to-8-bit mapping, not a tool limitation.
Advertisement
Reviewed by EverydayTools Editorial Team on 2026-06-02.