Base64 Is Everywhere (You Just Don’t See It)
Every time you open an email attachment, that file traveled as Base64 text through the MIME protocol. Every JWT token your app issues? Three Base64URL-encoded segments joined by dots. That tiny inline icon in your CSS? A data:image/png;base64,... string.
Base64 takes binary data — bytes that might include unprintable characters, null bytes, or control codes — and converts it into 64 safe ASCII characters: A-Z, a-z, 0-9, plus + and /. The tradeoff is size. Base64 output is about 33% larger than the original.
This tool handles both encoding and decoding, with proper UTF-8 support so emojis, Arabic, Chinese, and accented characters don’t get mangled.
When You’ll Actually Need This
Debugging API responses. You’re integrating with a third-party API and one of the JSON fields comes back as a giant Base64 blob. Paste it here to see what’s inside — could be a PDF, an image, or a nested JSON object.
Inspecting JWTs. A user’s login token isn’t working. Grab the JWT, and you can decode the header and payload sections (they’re Base64URL-encoded) to check if it’s expired, issued for the wrong audience, or missing claims. The JWT Decoder does this automatically, but sometimes you want to see the raw encoding.
Embedding small assets. Got a 2KB SVG icon? Base64-encode it and drop it directly into your CSS as a data URI. One fewer HTTP request. Don’t do this with anything over ~10KB though — the 33% size increase isn’t worth it for larger files.
Email forensics. Raw email sources (what you see when you click “Show original” in Gmail) contain Base64-encoded attachment blocks. Decode them to extract the actual file data.
Kubernetes secrets. If you’ve ever run kubectl get secret, you’ve seen Base64-encoded values. They’re not encrypted — just encoded so binary data fits in YAML. Decode them here to see the actual connection strings, passwords, or certificates.
How to Use It
Pick Encode or Decode. Paste your input. Click the button. The tool auto-detects whether your input looks like valid Base64, so it’ll nudge you toward the right operation.
Hello, World! encodes to SGVsbG8sIFdvcmxkIQ==. That trailing == is padding — Base64 output has to be divisible by 4 characters, and the padding fills the gap.
Everything runs in your browser. Your data doesn’t leave the page.
Important Distinctions
Base64 isn’t encryption. Anyone can decode it instantly without a key. Don’t rely on it to hide sensitive data. If you need actual protection, use the AES Encrypt / Decrypt tool.
Base64URL is a variant. Standard Base64 uses + and /, which break URLs. Base64URL swaps them for - and _ and usually drops the padding. JWTs, OAuth tokens, and anything URL-safe will use this variant.
UTF-8 matters. A lot of Base64 tools choke on multi-byte characters because they skip the UTF-8 encoding step. If you encode a Japanese string and get garbage when decoding, the tool probably only handles ASCII. This one doesn’t have that problem.
The ROT13 Encoder / Decoder is also available on Toolsvu, though it’s a completely different beast — a letter-substitution cipher for casual obfuscation, not a binary encoding scheme.