Base64 is the most widely-deployed binary-to-text encoding on the internet. It powers email attachments (MIME), inline images in HTML (data: URIs), JWT tokens, Basic Auth headers, public-key cryptography (PEM format), and countless API payloads that need to ship binary data through text-only channels. This Base64 encoder/decoder runs entirely in your browser using the native btoa() and atob() functions, with proper UTF-8 handling so non-ASCII text (emoji, CJK, accented characters) round-trips perfectly.
How Base64 Encoding Works
Base64 takes 3 bytes of binary data (24 bits) and represents them as 4 ASCII characters (6 bits each), using an alphabet of A-Z a-z 0-9 + /. If the input length isn't a multiple of 3, the output is padded with = characters. The size overhead is exactly 4/3 (about 33% larger than the binary source), which is the cost of being safe to embed in JSON, URL paths, HTTP headers, and email bodies. Decoding reverses the process. For UTF-8 strings, this tool encodes the bytes of the UTF-8 representation (not the JavaScript UTF-16 code units), so multi-byte characters survive the round trip.
When to Use Base64
- Inline images —
data:image/png;base64,... URIs for small icons, avatars, or email signatures. - Basic HTTP Auth —
Authorization: Basic <base64-of-user:pass>. - JWT tokens — the header and payload are base64url-encoded JSON; use our JWT decoder for that.
- Public keys — PEM-encoded RSA/ECDSA keys are base64-encoded DER between
-----BEGIN/-----END markers. - API payloads — webhook signatures, file uploads embedded in JSON, binary blobs in MongoDB.
- Email attachments — MIME-encoded email bodies use Base64 for any non-text attachment.
Base64 in Code
// Browser
const encoded = btoa(unescape(encodeURIComponent(text))); // UTF-8 safe
const decoded = decodeURIComponent(escape(atob(encoded)));
// Node.js
const encoded = Buffer.from(text, 'utf-8').toString('base64');
const decoded = Buffer.from(encoded, 'base64').toString('utf-8');
// CLI
echo -n 'hello' | base64 # => aGVsbG8=
echo 'aGVsbG8=' | base64 -d # => hello
Base64 vs. Base64URL
Standard Base64 uses + and / in its alphabet, which break when embedded in URLs (where + means space and / is the path separator). Base64URL (RFC 4648 §5) replaces those with - and _, and often omits the = padding. JWTs, OAuth2 PKCE, and most modern web protocols use Base64URL. This tool emits standard Base64 by default; for Base64URL output, replace +→-, /→_, and strip trailing =. To decode a JWT, use our dedicated JWT decoder.
Common Base64 Errors & How to Fix Them
The most frequent failure when decoding is an “invalid character” error, which almost always means one of three things: the string is actually Base64URL (contains - or _) and needs those characters swapped back to + and / before decoding; the input has stray whitespace or newlines (common when copying a PEM key or a multi-line MIME body — strip them first); or the padding is wrong, because a valid Base64 string’s length must be a multiple of 4, achieved by appending one or two = characters. Another classic bug is mojibake — garbled accented characters or emoji after a round trip — which happens when a tool encodes UTF-16 code units instead of UTF-8 bytes; this tool avoids that by always converting to UTF-8 first, so “café”, “世界”, and emoji all survive intact. Remember that Base64 is an encoding, not encryption — it provides zero confidentiality, since anyone can trivially decode it. Never use it to “hide” passwords or secrets; for that you need real cryptography. Base64 also inflates size by roughly 33%, so for large binary payloads consider whether you actually need text-safety or whether a raw binary transfer would be cheaper.