Base64 Decoder Guide: Decode Strings, Tokens & Data URIs Online

What Is Base64 and Why Does It Exist?

Binary data — images, audio, executable files, cryptographic keys — contains byte values that have special meaning in text protocols. A null byte (\x00) terminates strings in C. Control characters (\x01–\x1F) can corrupt email headers. Bytes above 127 are ambiguous without encoding declarations.

Base64 solves this by representing any byte sequence using only 64 printable ASCII characters: A–Z, a–z, 0–9, +, and /, with = for padding. The result is always safe to embed in text protocols, URLs, HTML attributes, and JSON strings.

The tradeoff: Base64-encoded data is approximately 33% larger than the original binary (every 3 bytes become 4 characters).

How Base64 Encoding Works

Base64 takes 3 bytes (24 bits) at a time and splits them into four 6-bit groups. Each 6-bit group indexes into the Base64 alphabet:

Input:  "Man"
Binary: 01001101 01100001 01101110
Groups: 010011 010110 000101 101110
Base64: T      W      F      u  → "TWFu"

If the input isn't divisible by 3, padding characters (=) are added:

• 1 remaining byte → 2 Base64 chars + ==
• 2 remaining bytes → 3 Base64 chars + =

URL-Safe Base64

Standard Base64 uses + and /, which have special meaning in URLs (+ = space, / = path separator). URL-safe Base64 replaces them:

You'll encounter URL-safe Base64 in:

• JWT tokens (all three segments use URL-safe Base64)
• OAuth2 code_verifier and code_challenge (PKCE)
• URL-safe cookie values
• S3 presigned URL components

Our decoder handles both variants automatically — paste either format and it decodes correctly.

Where You'll Find Base64 in Practice

JWT segments

A JWT (header.payload.signature) uses URL-safe Base64 for the header and payload:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9
  ↓ decode ↓
{"alg":"RS256","typ":"JWT"}

Paste any JWT segment into our decoder to inspect it. For full JWT analysis including claims and expiry, use our JWT Debugger which decodes all three segments and translates timestamps automatically.

HTTP Basic Authentication

The Authorization: Basic header encodes username:password in Base64:

Authorization: Basic dXNlcjpwYXNzd29yZA==
  ↓ decode ↓
user:password

This is why Basic Auth over plain HTTP is dangerous — the credentials are trivially readable. They need HTTPS for protection. Decode any Basic Auth header to immediately see the embedded credentials — useful for debugging but alarming if you find it in logs.

Data URIs (embedded images in CSS/HTML)

<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAA...">

The Base64 portion is the actual PNG file encoded as text. Decode it to verify it's the right image type, extract the binary for inspection, or check file size before deciding whether to keep it embedded or serve it as a separate asset.

API authentication tokens

Many OAuth and API tokens are Base64-encoded opaque strings. While decoding an opaque token won't reveal meaningful data (they're designed to be opaque), decoding can help identify the format (is it actually a JWT? A UUID? A hex string?) when troubleshooting authentication issues.

Email MIME content

Email bodies with non-ASCII characters are often Base64-encoded in MIME:

Content-Transfer-Encoding: base64

SGVsbG8sIHdvcmxkISDwn5iK
  ↓ decode ↓
Hello, world! 😊

UTF-8 Handling — The Common Pitfall

JavaScript's native atob() function only handles Latin-1 characters (code points 0–255). Decoding Base64 that contains multi-byte UTF-8 sequences — accented characters, CJK characters, emoji — with raw atob() produces corrupted output:

// Wrong — corrupts multi-byte characters
atob("8J+YiQ==")  // Should be "😉" but returns garbage

// Correct — handles full UTF-8
const bytes = Uint8Array.from(atob("8J+YiQ=="), c => c.charCodeAt(0));
new TextDecoder().decode(bytes);  // → "😉"

Our decoder uses the TextDecoder API with proper UTF-8 handling — international text, emoji, and multi-byte sequences decode correctly every time.

Base64 Is Not Encryption

This is the most important thing to understand: Base64 is encoding, not encryption. It provides zero confidentiality. Any Base64 string can be decoded by anyone, instantly, without a key.

Base64-encoded data in a URL or log file is fully readable. Storing a password as Base64 is equivalent to storing it in plaintext. The encoding is purely for transport compatibility, not security.

For actual encryption: use AES-256-GCM (symmetric) or RSA/ECDSA (asymmetric) via the Web Crypto API or your backend's crypto library. For secure password storage, use Argon2id or bcrypt — both covered in our Password Generator guide.

Security: Decode Locally

Auth tokens, credentials embedded in configs, and API payloads in Base64 are sensitive. Sending them to a cloud-based decoder means the raw bytes traverse a network, potentially through proxy logs, CDN edge nodes, and the decoder service's own logs.

Our decoder runs atob() and TextDecoder entirely in your browser — no bytes leave your tab. This is the correct approach for decoding production configuration files, log snippets, and auth tokens during debugging.

If you need to share a decoded result with a colleague, sanitize it first with our PII Redactor to remove any embedded credentials or identifiers before posting in tickets or chat.

Checking Raw Byte Sequences

After decoding, if you want to inspect the raw hex values of individual bytes in the decoded output, use our Universal Encoder to see the hex and binary representations. This is useful for debugging encoding issues where you need to verify exactly which bytes are present.