Base64 Encoder & Decoder

What is Base64 Encoding?

Base64 is a binary-to-text encoding scheme that converts binary data into a string of printable ASCII characters using a 64-character alphabet: A–Z, a–z, 0–9, +, and /. The = character is used as padding at the end when necessary.

Defined in RFC 4648, Base64 is used extensively in email (MIME), SSL/TLS certificates, HTTP Basic authentication, embedding images in CSS/HTML, and storing binary data in text-based fields. One critical thing to understand: Base64 is not encryption — it is purely an encoding scheme. Anyone who has access to the Base64 string can trivially decode it.

How Base64 Works

The Base64 algorithm processes input data in groups of 3 bytes (24 bits). Each 3-byte group is split into four 6-bit values, and each 6-bit value is mapped to a character in the Base64 alphabet. This means every 3 bytes of input produce 4 characters of output — an overhead of approximately 33%.

Step-by-step example with "Man" (3 bytes):

• M = 0x4D = 01001101
• a = 0x61 = 01100001
• n = 0x6E = 01101110
• Combined bits: 010011 010110 000101 101110
• Mapped: T, W, F, u → "TWFu"

If the input length is not a multiple of 3, one or two = padding characters are appended to the output to make the total length a multiple of 4.

UTF-8 and Unicode Support

JavaScript's native btoa() only handles Latin-1 characters and throws a DOMException if you pass Unicode text (Vietnamese, Chinese, emoji). This tool solves that with a UTF-8 safe approach using TextEncoder and TextDecoder:

This first converts the string to a byte array using UTF-8, then converts those bytes to a binary string that btoa() can handle safely.

Base64 vs URL Encoding vs Hex

URL-safe Base64 (Base64url)

Standard Base64 uses + and / characters — both of which have special meaning in URLs. JWTs (JSON Web Tokens) and many modern APIs use Base64url instead: replace + with -, replace / with _, and strip the trailing = padding.

To convert standard Base64 to Base64url in JavaScript: str.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')

Common Base64 Mistakes

• "Invalid character" error: Occurs when the string contains whitespace, newlines, or non-Base64 characters. Strip whitespace before decoding.
• Padding errors: Base64 strings must be a multiple of 4 characters. If your string is missing = padding, add it back before decoding.
• Base64url confusion: If your string contains - or _, it is Base64url — convert back to standard before using atob().
• Character encoding: Always specify UTF-8 when working with non-ASCII text. Inconsistent encoding between encoder and decoder causes garbled output.
• Security mistake: Never use Base64 as a security measure. It provides zero protection — it is not encryption, just encoding.

Real-World Uses of Base64

HTTP Basic Authentication: The header Authorization: Basic dXNlcjpwYXNz — the value after "Basic" is the Base64 encoding of username:password. Always use HTTPS alongside Basic auth, since Base64 is trivially decoded.

Data URIs: Embed images directly into HTML or CSS without a separate file request: <img src="data:image/png;base64,iVBORw0...">. Ideal for small images, icons, and email templates.

JWT (JSON Web Token): JWT header and payload are Base64url encoded. The signature is cryptographically signed with a secret key. You can decode the header and payload without any key, but you cannot forge a valid signature.

API payloads: When sending binary data (PDFs, images, files) through a JSON API, Base64 is the standard way to serialize binary into a string field without worrying about byte ordering or encoding issues.

Using Base64 in Your Code

Every major programming language ships with built-in Base64 support. In JavaScript/TypeScript: btoa()/atob() for the browser, or Buffer.from(str, 'base64') in Node.js. Python has the base64 module with support for all variants. Go, Java, Rust, PHP — all have standard library implementations.

See the Code Snippets card above for copy-paste ready examples in JavaScript, Python, and cURL for both encoding and decoding operations.

Base64 and Security Considerations

Since Base64 is not encryption, never store sensitive data like passwords, API secrets, or private keys encoded only in Base64. For actual security, combine Base64 with real cryptography: use AES or ChaCha20 for encryption, then Base64 encode the ciphertext for transport. The Base64 layer is purely for safe string transmission.

Another consideration: Base64-encoded content is indexed by search engines if embedded in HTML. If your data should stay private, keep it server-side and never expose it in a client-rendered page.