Is base64 encryption?

No. Base64 is encoding, not encryption. Anyone can decode it instantly. Never use base64 to 'hide' passwords, tokens, or private data.

Why does base64 text contain padding characters like '=' at the end?

Base64 encodes input in 3-byte chunks. When the input length isn't a multiple of 3, '=' pads the output to a multiple of 4 characters. Some decoders tolerate missing padding, others reject it.

Why does my base64 string sometimes contain '+', '/', and '=' instead of just letters?

Standard Base64 (RFC 4648) uses 64 characters: A-Z, a-z, 0-9, +, /. The '+' and '/' aren't URL-safe (they have special meanings in URLs). For URLs and filenames, use Base64URL — replaces '+' with '-' and '/' with '_'. JWT tokens use Base64URL. Many APIs accept either; some require specifically one variant. If decoding fails, try swapping characters: '-' to '+' and '_' to '/' before decoding.

How much does Base64 inflate file sizes?

Roughly 33% larger. 100KB binary becomes 133KB Base64. This is unavoidable — Base64 represents 3 bytes of binary as 4 ASCII characters. For HTTP transmission, gzip/brotli compression typically recovers most of the inflation (Base64 has high redundancy that compresses well). For email attachments and data URIs, the 33% overhead is the cost of safe text transmission.

Should I use Base64 to embed images in HTML / CSS?

Useful for: small icons (under 5KB), email-safe images, single-page applications avoiding extra HTTP requests. Avoid for: images over 10KB (file size penalty + cache miss — every page reload re-downloads), images shared across pages (lose browser caching benefits), images that change frequently. Best practice: Base64 for tiny critical-path icons (under 1KB), regular img tags for everything else. CSS background-image with Base64 is convenient for tiny patterns but loses caching efficiency.

How do I decode a Base64 image data URL?

Strip the prefix 'data:image/png;base64,' (or similar) before decoding. Different image types have different prefixes: data:image/png;base64,, data:image/jpeg;base64,, data:image/svg+xml;base64,. After stripping, decode the Base64 to binary and save as the appropriate file extension. In JavaScript: base64-string → atob() → binary string → Uint8Array → Blob → URL.createObjectURL() for display. In Python: base64.b64decode() returns bytes you can write to a file.

Is this Base64 encoder safe for sensitive data?

Yes — encoding and decoding both happen entirely in your browser using the native btoa() / atob() APIs (with a UTF-8 wrapper for non-ASCII). Nothing crosses the network; you can verify by opening DevTools Network tab and confirming no requests fire when you encode. You can disconnect from the internet and the tool still works. That said: Base64 is NOT encryption. The output is fully reversible by anyone who sees it. If your data needs confidentiality (passwords, PII, secrets), encrypt with AES-256-GCM or similar BEFORE Base64-encoding. Many 'free Base64 sites' send your data to their server and log it; this one doesn't, but always verify any tool's network behavior before pasting sensitive content.

How do I encode Base64 from the command line?

macOS/Linux: 'echo -n "hello" | base64' returns 'aGVsbG8='. The -n flag suppresses the trailing newline (otherwise base64 encodes the newline too — common gotcha). To decode: 'echo "aGVsbG8=" | base64 -d'. For files: 'base64 -i input.png > output.txt' encodes; 'base64 -d -i output.txt > input.png' decodes. Windows: 'certutil -encode input.png output.txt' (adds header/footer lines you must strip) or PowerShell '[Convert]::ToBase64String([IO.File]::ReadAllBytes("input.png"))'. Python one-liner: 'python -c "import base64,sys; print(base64.b64encode(sys.stdin.buffer.read()).decode())"'. All produce identical RFC 4648 output.

What's the best use case for Base64 in modern web development?

Best uses: (1) Inline data URIs for tiny critical-path images and SVG icons (under 1-2KB) to avoid an HTTP request — common for above-the-fold logos. (2) JWT tokens (Base64URL-encoded for URL safety in Authorization headers). (3) Email attachments (MIME multipart requires Base64 for binary). (4) Embedding small binary data in JSON APIs that don't support binary natively. (5) Storing tiny binary blobs in cookies or localStorage. Avoid for: large images (>10KB — caching benefit lost), file uploads (multipart/form-data is faster), 'hiding' data (not encryption), and database storage (use BLOB/BYTEA columns instead). Modern HTTP/2 multiplexing has reduced the case for inline data URIs significantly.

Developer Utilities · Free tool

Base64 Encoder & Decoder

Encode text to base64 or decode base64 back to text. UTF-8 safe. Runs entirely in your browser.

Updated June 2026

Input

Output

Found this useful?Email Buy Me a Coffee

What it does

A free base64 encoder and decoder. Works in both directions, handles UTF-8 correctly (emojis, accented characters, non-Latin scripts). Everything runs locally in your browser, so you can paste API tokens, JWT payloads, or sensitive identifiers without sending them to a server. Built on the browser’s native btoa() and atob() with UTF-8 wrappers — same algorithm every modern browser implements.

Base64 encodes binary data using only 64 ASCII characters (A-Z, a-z, 0-9, +, /), with ‘=’ padding to make output length a multiple of 4. The cost is 33% size inflation: 100 bytes of binary becomes 134 bytes of base64. The benefit is that the output is safe to embed in URLs, email bodies, JSON strings, XML, JavaScript source — anywhere binary bytes would break the surrounding format. RFC 4648 defines the standard. Variants exist: Base64URL (replaces + with -, / with _) for URL-safe encoding used in JWTs, and MIME Base64 for email with specific line-length wrapping.

Common uses: embedding small images in CSS or HTML as data URIs (icons, sprites), encoding binary data in JSON API payloads (file uploads, signatures), Basic Auth headers (‘Authorization: Basic <base64(user:password)>’), JWT token decoding to inspect claims, MIME email attachments, and obfuscating data in URLs (note: this is encoding, NOT encryption — anyone can decode it). For larger binary uploads, use multipart/form-data or signed URLs to S3/R2/GCS instead of inflating via Base64.

Embed this tool on your siteShow snippet

Paste this snippet into any page. Loads on-demand (lazy), no tracking scripts, and sized to most dashboards. Replace the height to fit your layout.

<iframe src="https://freetoolarena.com/embed/base64-encoder-decoder" width="100%" height="720" frameborder="0" loading="lazy" title="Base64 Encoder & Decoder" style="border:1px solid #e2e8f0;border-radius:12px;max-width:720px;"></iframe>

Embed docs →

Example input & output

Input

Hello, World! 👋

Output

SGVsbG8sIFdvcmxkISDwn5GL

Note the UTF-8 emoji is preserved across the round-trip. ASCII-only base64 libraries sometimes mangle Unicode.

How to use it

Paste text in the input.
Click Encode to convert to base64.
Click Decode to convert back to plain text.
Copy the result with one click.

How it works

Key takeaways

Base64 is encoding, not encryption — anyone can decode it instantly. Never use it to “hide” passwords or tokens.
Output is 33% larger than input (4 chars per 3 bytes). HTTP gzip/brotli typically recovers most of that on transmission.
Base64 vs Base64URL: JWTs use the URL variant (- and _ replace + and /); standard APIs use classic Base64.
For files over ~100KB, use multipart/form-data uploads or signed-URL uploads (S3, R2, GCS) instead of Base64 inlining — the size penalty plus client-side encode CPU adds up.

Browser’s native btoa() + atob() with a UTF-8 wrapper for non-ASCII (the raw functions only handle Latin-1). RFC 4648 standard: A-Z + a-z + 0-9 + “+/” with “=” padding.

Advanced: Base64 vs Base64URL + size implications

Two variants matter. Base64: classic with “+/” characters. Base64URL: replaces “+” with “-” and “/” with “_” for URL safety. JWTs use Base64URL. Decoding mixed input requires checking which variant. Size cost: 33% inflation (4 output chars per 3 input bytes). Modern compression (gzip/brotli) recovers most of this on HTTP transmission, but URL-embedded Base64 stays inflated. See the JWT decoder for a related token-decoding tool and the Base64 glossary entry.

How this compares to alternatives

vs Linux base64 CLI: identical RFC 4648 output; CLI handles streaming for large files. vs Python base64.b64encode(): same encoding; Python returns bytes, JavaScript returns a string. vs decoding sites that send data to a server: many free sites log Base64 input. We never transmit your data. View Network tab in DevTools to verify.

Common mistakes when using this tool

Treating Base64 as encryption. It’s reversible by anyone. Use AES or similar for actual confidentiality.
Mixing Base64 and Base64URL. JWTs and URL-embedded data use URL variant; standard APIs use classic. Convert by replacing chars before decoding.
Forgetting padding. = padding to make length multiple of 4 is required by some strict decoders, optional in others. Standard says required; tolerate missing if you control both ends.
Using Base64 for large binary uploads. 33% size penalty + client-side encode CPU cost. Use multipart/form-data or signed-URL uploads (S3, R2, GCS) for files over 100KB.

Learn more about Base64

Base64 vs Base64URL — the two variants, when each is required, and how to convert between them.
Data URI images — when to inline images as Base64 vs serve them as files, with size break-even math.
JWT token structure — the header.payload.signature anatomy and why JWTs use Base64URL specifically.
JWT glossary entry — the short definition and how JWTs differ from session cookies.

When to use this tool

Any time text/binary data must travel through a text-only channel (JSON, URL, email).
Debugging API responses that include base64 blobs.
Building HTTP Basic Auth headers manually.

When not to use it

As encryption or obfuscation — base64 is trivially reversible, not secure.
For large binary files (base64 inflates size by ~33%; use real uploads instead).
When your language/runtime already has a built-in encoder — use that for production code.

Common use cases

Embedding small images in CSS as data URIs.
Decoding the payload of a JWT to inspect claims (without verifying the signature).
Encoding binary data for safe transport in JSON APIs.
Generating Basic Auth headers for testing an API.

Frequently asked questions

Is base64 encryption?: No. Base64 is encoding, not encryption. Anyone can decode it instantly. Never use base64 to 'hide' passwords, tokens, or private data.
Why does base64 text contain padding characters like '=' at the end?: Base64 encodes input in 3-byte chunks. When the input length isn't a multiple of 3, '=' pads the output to a multiple of 4 characters. Some decoders tolerate missing padding, others reject it.
Why does my base64 string sometimes contain '+', '/', and '=' instead of just letters?: Standard Base64 (RFC 4648) uses 64 characters: A-Z, a-z, 0-9, +, /. The '+' and '/' aren't URL-safe (they have special meanings in URLs). For URLs and filenames, use Base64URL — replaces '+' with '-' and '/' with '_'. JWT tokens use Base64URL. Many APIs accept either; some require specifically one variant. If decoding fails, try swapping characters: '-' to '+' and '_' to '/' before decoding.
How much does Base64 inflate file sizes?: Roughly 33% larger. 100KB binary becomes 133KB Base64. This is unavoidable — Base64 represents 3 bytes of binary as 4 ASCII characters. For HTTP transmission, gzip/brotli compression typically recovers most of the inflation (Base64 has high redundancy that compresses well). For email attachments and data URIs, the 33% overhead is the cost of safe text transmission.
Should I use Base64 to embed images in HTML / CSS?: Useful for: small icons (under 5KB), email-safe images, single-page applications avoiding extra HTTP requests. Avoid for: images over 10KB (file size penalty + cache miss — every page reload re-downloads), images shared across pages (lose browser caching benefits), images that change frequently. Best practice: Base64 for tiny critical-path icons (under 1KB), regular img tags for everything else. CSS background-image with Base64 is convenient for tiny patterns but loses caching efficiency.
How do I decode a Base64 image data URL?: Strip the prefix 'data:image/png;base64,' (or similar) before decoding. Different image types have different prefixes: data:image/png;base64,, data:image/jpeg;base64,, data:image/svg+xml;base64,. After stripping, decode the Base64 to binary and save as the appropriate file extension. In JavaScript: base64-string → atob() → binary string → Uint8Array → Blob → URL.createObjectURL() for display. In Python: base64.b64decode() returns bytes you can write to a file.
Is this Base64 encoder safe for sensitive data?: Yes — encoding and decoding both happen entirely in your browser using the native btoa() / atob() APIs (with a UTF-8 wrapper for non-ASCII). Nothing crosses the network; you can verify by opening DevTools Network tab and confirming no requests fire when you encode. You can disconnect from the internet and the tool still works. That said: Base64 is NOT encryption. The output is fully reversible by anyone who sees it. If your data needs confidentiality (passwords, PII, secrets), encrypt with AES-256-GCM or similar BEFORE Base64-encoding. Many 'free Base64 sites' send your data to their server and log it; this one doesn't, but always verify any tool's network behavior before pasting sensitive content.
How do I encode Base64 from the command line?: macOS/Linux: 'echo -n "hello" | base64' returns 'aGVsbG8='. The -n flag suppresses the trailing newline (otherwise base64 encodes the newline too — common gotcha). To decode: 'echo "aGVsbG8=" | base64 -d'. For files: 'base64 -i input.png > output.txt' encodes; 'base64 -d -i output.txt > input.png' decodes. Windows: 'certutil -encode input.png output.txt' (adds header/footer lines you must strip) or PowerShell '[Convert]::ToBase64String([IO.File]::ReadAllBytes("input.png"))'. Python one-liner: 'python -c "import base64,sys; print(base64.b64encode(sys.stdin.buffer.read()).decode())"'. All produce identical RFC 4648 output.
What's the best use case for Base64 in modern web development?: Best uses: (1) Inline data URIs for tiny critical-path images and SVG icons (under 1-2KB) to avoid an HTTP request — common for above-the-fold logos. (2) JWT tokens (Base64URL-encoded for URL safety in Authorization headers). (3) Email attachments (MIME multipart requires Base64 for binary). (4) Embedding small binary data in JSON APIs that don't support binary natively. (5) Storing tiny binary blobs in cookies or localStorage. Avoid for: large images (>10KB — caching benefit lost), file uploads (multipart/form-data is faster), 'hiding' data (not encryption), and database storage (use BLOB/BYTEA columns instead). Modern HTTP/2 multiplexing has reduced the case for inline data URIs significantly.

See how this compares

Head-to-headBase64 vs Hex encodingBase64 vs Hex encoding compared: size overhead, readability, URL safety, and typical use cases. Free Base64 encoder/decoder included.

Learn more

Explore more developer utilities tools

100% in-browserNo downloadsNo sign-upMalware-freeHow we keep this safe →