last verified · 2026-05-12

How to decode Base64 (and encode it back)

Encode text to Base64 and decode any Base64 string back, in seconds. Plus URL-safe Base64, padding rules, and the common gotchas.

Trace Warrior Team

Base64 is the most common way to push arbitrary bytes through a text-only channel. JWTs. Embedded images. Email attachments. API tokens. If you work near code at all, you encode and decode Base64 several times a week.

This guide covers both directions of the round trip, what the variants are, and how to spot the cases where a "broken" Base64 string is actually just URL-safe.

What Base64 is, in 30 seconds

Base64 takes any binary data and represents it using only 64 printable ASCII characters: A-Z, a-z, 0-9, plus + and /. Three input bytes become four output characters. If the input isn't a multiple of three bytes, the output is padded with = characters to make it line up.

That's the entire algorithm. The trade-off is that the encoded form is ~33% larger than the original, but it survives every text-only transport in existence.

Step 1. Open the Base64 tool

Open the Base64 Encoder / Decoder. Two text panes side by side and a mode toggle.

Step 2. Pick a direction

Toggle between encode and decode at the top.

  • Encode - paste plain text into the left pane, get Base64 on the right.
  • Decode - paste Base64 into the left pane, get plain text on the right.

The conversion is live. Every keystroke updates the output. There's no submit button.

Step 3. Encode plain text to Base64

Paste your text on the left. The tool encodes immediately:

Input:  Hello
Output: SGVsbG8=

A few practical notes:

  • The encoding is UTF-8. Works with emoji, accented characters, anything Unicode.
  • Spaces, newlines, and special characters are all encoded faithfully and decoded back identically.
  • The trailing = is padding to make the output length a multiple of 4. Hello is 5 bytes (one short of two complete 3-byte groups), so the encoding has one padding character.

Step 4. Decode Base64 back to text

Paste your Base64 on the left, switch to Decode mode. The output is the original.

Input:  SGVsbG8=
Output: Hello

The tool is permissive about input:

  • Trailing padding (=) is required by strict implementations but our tool tolerates it being missing.
  • URL-safe Base64 (- and _ instead of + and /) is auto-detected and decoded.
  • Whitespace and line breaks inside the input are silently stripped.

If decoding fails, you'll see an error in red below the output pane. Almost always this means the input isn't valid Base64. Maybe it's hex, maybe it's URL-percent-encoded, maybe there are stray characters from a copy-paste.

Step 5. Handle the URL-safe variant

There are two common Base64 alphabets:

  • Standard - uses + and / as the last two characters of the alphabet, with = for padding. The default alphabet in RFC 4648.
  • URL-safe - replaces + with -, / with _, and often drops the = padding entirely. Standard for JWTs, signed URLs, anything that goes into a URL or filename.

If your input has - or _ and looks like Base64 but won't decode in a strict decoder, it's the URL-safe variant. Our Base64 tool handles both transparently.

JWT example:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

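A JWT is three URL-safe Base64 strings separated by dots. Decode each segment separately to read the header, the payload, and the signature. The header and payload decode to JSON; the signature decodes to raw bytes, and decoding a token does not verify it.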
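The permissive handling from Step 4 and the JWT split from Step 5, as an added example for Node.js that is not the tool's own code. The function names are hypothetical, and rejecting input that mixes the two alphabets is a choice made for this example.

```javascript
// Added example, not the tool's code. Node.js; Buffer is a global.
// Buffer.from(s, 'base64') never throws: it silently skips characters it does
// not recognise, so the input is validated here before it is decoded.
function normalizeBase64(input) {
  const s = String(input).replace(/\s+/g, '');        // strip whitespace and line breaks
  const m = /^([^=]*)(={0,2})$/.exec(s);              // '=' only at the end, at most two
  if (!m) throw new Error('padding in the wrong place');
  let [, body, pad] = m;
  if (/[+\/]/.test(body) && /[-_]/.test(body)) {
    throw new Error('mixed standard and URL-safe alphabets');
  }
  body = body.replace(/-/g, '+').replace(/_/g, '/');  // URL-safe -> standard
  if (!/^[A-Za-z0-9+\/]*$/.test(body)) {
    throw new Error('character outside the Base64 alphabet');
  }
  // 4n+1 characters cannot encode a whole number of bytes.
  if (body.length % 4 === 1) throw new Error('impossible length');
  if (pad && (body.length + pad.length) % 4 !== 0) throw new Error('wrong padding');
  return body + '='.repeat((4 - (body.length % 4)) % 4); // restore missing padding
}

function decodeBase64(input) {
  return Buffer.from(normalizeBase64(input), 'base64');
}

// Split a JWT and decode it in two operations per segment: Base64, then JSON.
function decodeJwt(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('expected three dot-separated segments');
  const [header, payload] = parts.slice(0, 2)
    .map((seg) => JSON.parse(decodeBase64(seg).toString('utf8')));
  // The signature is raw bytes. Nothing here verifies it.
  return { header, payload, signature: decodeBase64(parts[2]) };
}

// The JWT shown above on this page.
const SAMPLE_JWT = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

console.log(decodeJwt(SAMPLE_JWT));
```

A hex string made only of 0-9 and a-f with an even length passes these checks and decodes to unrelated bytes, so a successful decode is not proof that the input was Base64.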

Step 6. Encode binary as Base64

For binary files (images, certificates, signed payloads), Base64 is how you embed them in JSON, YAML, or environment variables.

The web tool handles UTF-8 text. For binary content, you'll typically encode at the command line:

base64 -i image.png > image.b64

Or in code:

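// Node.js (ES module): read the file as raw bytes, then Base64-encode them
import fs from 'node:fs/promises';
const buffer = await fs.readFile('image.png');
const b64 = buffer.toString('base64');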

Then paste the resulting string into the decoder to verify it round-trips cleanly.

Common Base64 mistakes

Confusing Base64 with hex. Both are text representations of binary. Hex uses 0-9 and a-f. Base64 uses A-Z, a-z, 0-9, +, /. They're not interchangeable. If you see only hex characters, use the Binary to Text tool instead.

Trying to decode Base64-encoded JSON as a single step. A JWT payload is Base64-URL-safe-encoded JSON. Decode the Base64 first, then parse the result as JSON. Two operations, not one.

Treating Base64 as encryption. Base64 is encoding, not encryption. Anyone with the encoded string can decode it. If you see "encrypted Base64 password" in someone's config, they're confused.

Sending Base64 in URLs without URL-safe. A standard Base64 string with + and / will break when used in a URL. + becomes a space and / is interpreted as a path separator. Use URL-safe Base64 (- and _) for anything going into a URL, query string, or filename.

Forgetting padding. Standard Base64 wants = padding to make the length a multiple of 4. Strict decoders will reject input without it. If you control the encoder, always include the padding. If you're decoding someone else's output, our tool tolerates missing padding.

Quick reference

Input length (bytes)   Output length (chars)   Padding
1                      4                       == (2 chars)
2                      4                       = (1 char)
3                      4                       none
4                      8                       ==
5                      8                       =
6                      8                       none

Pattern: output length is always a multiple of 4, and (output_len / 4) * 3 - padding_count = input_byte_count.

Related tools

  • URL Encoder / Decoder - for the URL-percent-encoding case (%20 for spaces, etc).
  • Binary to Text - for hex, decimal, or binary representations.
  • Hash Generator - Base64 is not a hash; it round-trips. If you need a one-way fingerprint, use SHA-256.

TL;DR

  1. Open the Base64 Encoder / Decoder.
  2. Switch between encode and decode modes.
  3. Paste your input on the left, copy the output on the right.
  4. URL-safe Base64 (with - and _) is auto-handled.
  5. If decode fails, check whether the input might be hex (only 0-9, a-f) or URL-encoded (%20, etc) instead.