Free Base64 encoder decoder

Encode text to Base64 and decode Base64 back to text or a file, with the URL-safe alphabet, padding, and 76-character MIME wrapping under your control. Everything is converted on your device, so the token or config blob you paste is never sent to a server.

Options shape the encoded output. Decoding accepts either alphabet, padded or not, wrapped or not.

0 characters · 0 bytes (UTF-8)

Copied to clipboard

How the Base64 encoder and decoder works

1

Choose encode or decode

Paste text to encode, or paste Base64 to read it back. In file mode you can drop a file up to 5 MB, or rebuild a file from Base64.

2

Set the alphabet and padding

Switch to the URL-safe alphabet, drop the trailing padding, or wrap the output at 76 characters for MIME. Text is treated as UTF-8 throughout.

3

Copy or download

Copy the result, save it as a text file, or download the decoded bytes as a real file. No network request is made at any point.

Private by design: nothing leaves your browser

The things people decode are rarely harmless. An API token, a Kubernetes secret, a basic-auth header, half a config file. Plenty of online decoders post that string to a backend before they show you anything. This one does the work in the page:

01

100% client-side

Conversion uses TextEncoder, TextDecoder, and the browser's own btoa and atob. Files are read with FileReader on your device. No request carries your input anywhere.

02

Nothing stored or logged

There is no account and no history. What you paste lives in the tab's memory and is gone when you reload or close it.

03

Works offline

Once the page has loaded you can pull the network cable and it keeps working, which is the simplest proof that nothing is being uploaded.

Base64 is encoding, not encryption

  1. Anyone can decode Base64 without a key. It protects nothing, so never use it to hide a password or a secret.
  2. Its job is to move bytes safely through channels that expect text, such as email bodies, JSON fields, and data URIs.
  3. Encoding grows the payload by about a third, since every three bytes become four characters.
  4. If the value must stay unreadable, encrypt it first, then Base64 the ciphertext.

Built for developers and security-conscious teams

Anyone who decodes a string they would rather not hand to a stranger's server. BlockSurvey takes the same position on research data with zero-knowledge surveys, where responses are encrypted before they ever reach a server.

Developers

Read a basic-auth header, unpack a Kubernetes secret, check what a webhook sent, or turn a small icon into a data URI without adding a build step.

Security & IT teams

Decode a suspicious payload from a log or a phishing sample during triage, on a page that does not forward it to a third party.

API integrators

Match the exact variant a partner expects, whether that is URL-safe without padding for a JWT segment or 76-character lines for a MIME attachment.

Building something that handles sensitive data?

BlockSurvey runs on zero-knowledge surveys, so the responses you collect are never sold or mined. Responses are encrypted on the respondent's device, so the server stores nothing readable.

More free privacy tools

Browse all privacy tools

These tools run in your browser because that is how we build everything. The same idea, applied to research: privacy-first surveys with end-to-end encryption.

Frequently asked questions

Is this Base64 encoder and decoder free?

Yes, completely free with no sign-up and no limit on how many strings you convert. Files are capped at 5 MB, which is there only to keep the page responsive.

Is anything I paste sent to a server?

No. Encoding and decoding run in your browser with the built-in TextEncoder, TextDecoder, and the browser's own Base64 functions. The page makes no network request to convert anything, so there is nothing to log or store. Worth caring about, because the strings people decode are often API tokens, private keys, and config blobs, and plenty of online decoders post the input to a backend before they show you a result.

Is Base64 encryption?

No. Base64 is an encoding, not a cipher. It rewrites bytes into 64 printable characters so they survive systems that expect text, and anyone can reverse it without a key. Never use it to hide a password or a secret. If you need the value to be unreadable, encrypt it.

What is URL-safe Base64?

It is the same encoding with two characters swapped: the standard alphabet uses + and /, which have their own meaning in a URL and in a filename, so the URL-safe variant defined in RFC 4648 uses - and _ instead. JWTs use it, and so do most query-string parameters. Turn on the URL-safe option here and the decoder accepts either alphabet on the way back.

Why does my Base64 string end in = signs?

Base64 works in blocks of three bytes, and the = characters pad the last block when the input length is not a multiple of three. One = means the last block held two bytes, and two = means it held one. Many systems accept unpadded Base64 and JWTs strip the padding entirely, so this tool lets you drop it. The decoder restores the padding for you either way.

What is the 76-character line wrapping option?

MIME, defined in RFC 2045, requires Base64 to be split into lines of at most 76 characters, which is why the encoded parts of an email look chopped into even blocks. Turn on wrapping when the value goes into an email header or a PEM-style block. Leave it off for a URL, a JSON field, or a data URI, where a newline would break the value. The decoder ignores whitespace, so it reads wrapped input fine.

Can I encode a file or an image?

Yes. Switch to file mode, then drop or pick a file up to 5 MB and you get its Base64 along with a ready-to-paste data URI for CSS or an img tag. Decoding works the other way too: paste Base64 or a data URI, and the tool rebuilds the bytes and downloads them as a file. The file is read with FileReader on your device and never uploaded.

Why does my decode fail with an invalid character error?

Base64 only contains A to Z, a to z, 0 to 9, and the two alphabet characters (+ and / for standard, - and _ for URL-safe), plus trailing =. Anything else means the string was truncated, double-encoded, or copied with something extra attached. A length that leaves a remainder of one after dividing by four is also impossible in valid Base64 and usually means a character was dropped in a copy and paste.

Can I use this offline?

Yes. Once the page has loaded you can disconnect from the internet and keep encoding and decoding, because everything runs in your browser.

Do you store what I paste or upload?

No. There is no backend for this tool, so nothing you type, paste, or drop in is stored, logged, or transmitted anywhere. The conversion happens in your browser's memory and disappears when you close or refresh the tab.

How is this different from a paid Base64 tool?

Most of the paid or ad-heavy converters run the same encode/decode logic, just behind a server round trip, a sign-up wall, or a usage cap. This one runs client-side with no account, no rate limit beyond the 5 MB file cap, and no data leaving your device, so there is nothing to pay for.
Scripts are blocked. This site won’t work properly. If you’re using Brave, click the Shields icon and turn off Block scripts. Otherwise disable your ad blocker for this site.