// base64 encode · decode · file · url-safe · no server

base64decode.org just sent your API payload to their server.

Paste text, an auth header, a JWT segment, or drop a file. Encode or decode Base64 — including URL-safe variant — in your browser tab. Nothing transmits. No account, no ads, no upload. Use it on sensitive payloads without a second thought.

runs in-browser · no server · no upload · no log

Input

Output

Output appears here.

// why in-browser matters

Your Base64 payload isn't inert data — it's usually credentials.

HTTP Basic auth headers are Base64 strings of username:password. JWT payloads contain user IDs, role claims, expiry timestamps. Image data URIs embed actual file bytes. API request bodies can carry PII. Every time you paste any of these into a server-side decoder — base64decode.org, base64guru.com, motobit.com — the bytes transit someone else's infrastructure and land in a server log.

This tool uses btoa() and atob() — built-in browser functions that have been in every browser since 2012. There is no network call at any point. The encode and decode operations happen in the JavaScript engine inside your tab, and the result lives only in your browser's memory.

For file encoding, a FileReader reads the bytes locally. Nothing is sent. The output string is computed in the same tab. You can disconnect from the internet before using this tool — it will still work.

// standard vs url-safe

Standard Base64 breaks in URLs. URL-safe doesn't.

Standard Base64 uses + and / as the 62nd and 63rd characters. Both are reserved in URLs: + means space, / is a path separator. URL-safe Base64 (RFC 4648 §5) replaces + with - and / with _, and omits padding =.

When to use URL-safe: JWT tokens (RFC 7515), base64url-encoded cursor values in paginated APIs, OAuth PKCE code verifiers, anything that ends up in a query string or a URL path segment. The toggle on this tool switches between the two variants — the encoded length is identical, only those three characters change.

// frequently asked questions

Common questions about Base64 Coder

Does this send my data anywhere?

No. Encoding uses the browser's built-in btoa() and decoding uses atob(). File encoding uses the browser's FileReader API. None of these make a network call. You can verify this by opening DevTools, switching to the Network tab, and watching: zero requests fire when you encode or decode. The tool works offline once the page has loaded.

Why does decoding fail with "Invalid Base64"?

The most common cause is URL-safe Base64 being passed to a standard decoder. URL-safe encoding uses - and _ instead of + and /. Toggle "URL-safe" on and retry. The second common cause is missing padding — Base64 must have a length divisible by 4; the tool adds = padding automatically, but some inputs arrive already stripped.

How is the file size different after Base64 encoding?

Base64 encodes 3 bytes as 4 ASCII characters, so the output is always ~33% larger than the input. A 1 MB PNG becomes a ~1.37 MB Base64 string. This overhead is why Base64-encoded images in CSS data URIs are fine for small icons but bad for hero images — the bandwidth cost compounds.

Can I decode a JWT payload here?

Yes — paste the middle segment of a JWT (between the two dots) and decode it. JWTs use URL-safe Base64, so toggle URL-safe on first. The result will be JSON. This tool only decodes the payload; it does not verify the signature. To verify a JWT signature (RS256, HS256, ES256), use the Septim JWT Inspector.

What file types can I encode?

Any binary file. Images (PNG, JPEG, SVG, WebP, GIF), PDFs, fonts (WOFF, WOFF2), audio, video, archives. The FileReader reads raw bytes regardless of extension. Practical limit: files above ~50 MB may slow down the browser because the resulting Base64 string is large to render — encode in chunks or use a command-line tool for very large files.

// decoding Base64 is one thing — inspecting JWT structure is another

If you're working with JWTs, you don't just want the payload decoded — you want the header algorithm, the expiry claim, the signature verification against a public key, and a flag if the token is expired. Septim JWT Inspector does all of that. Still client-side. Still no server. Free.

JWT Inspector →