toolsy.one

Base64 encoder

Encode text to Base64 or decode it back — with full Unicode and URL-safe support, all in your browser.

What Base64 is — and what it is not

Base64 is a binary-to-text encoding. Its job is to take arbitrary bytes — an image, a certificate, a token, a snippet of UTF-8 text — and re-express them using only 64 printable characters that survive channels built for plain text. Email (MIME), JSON payloads, data URIs and HTTP headers all assume text, so wrapping raw bytes in Base64 stops them from being mangled in transit. Crucially, it is not encryption: the transformation is public and reversible by anyone, so it hides nothing.

How the encoding works

The algorithm reads your input three bytes (24 bits) at a time and re-slices those 24 bits into four groups of 6 bits. Each 6-bit group has 64 possible values (26), which maps neatly onto the alphabet A–Z a–z 0–9 + /. When the input length is not a multiple of three, the final group is padded and marked with = signs so the decoder knows how many real bytes to recover.

A worked example

Take the three characters Man (ASCII bytes 77, 97, 110). As 24 bits that is 01001101 01100001 01101110. Re-grouped into 6-bit chunks: 010011, 010110, 000101, 101110 = 19, 22, 5, 46 — which index to T, W, F, u. So Man encodes to TWFu. Encode just M and you get TQ==: one real byte, two padding characters.

Standard vs URL-safe vs related encodings

SchemeAlphabetSize overheadTypical use
Base64 (standard)A–Z a–z 0–9 + /~33%Email, data URIs, Basic auth headers
Base64 (URL-safe)A–Z a–z 0–9 - _~33%JWTs, OAuth, query strings, filenames
Hex (Base16)0–9 A–F100%Hashes, colours, memory dumps

This tool handles the Unicode trap that breaks many encoders: before calling the browser's native encoder it converts your text to UTF-8 bytes, so emoji and non-Latin scripts decode back to exactly what you typed. Pick the URL-safe variant when the result must travel inside a URL, cookie or filename, where a stray + or / would otherwise need escaping.

Privacy note: encoding and decoding happen entirely in your browser via the built-in btoa and atob functions. Nothing you paste — tokens, auth headers, personal data — is ever transmitted, logged or stored. Close the tab and it is gone.

Frequently asked questions

Is Base64 a form of encryption?

No. Base64 is an encoding, not encryption. Anyone can reverse it instantly with no key — including this tool. It makes binary data safe to carry through text-only channels, but it provides zero confidentiality. Never use it to "hide" passwords or secrets; only TLS/HTTPS or real encryption can do that.

Why does my decoded text come out as garbage?

Usually the input was not valid Base64, or it was URL-safe Base64 fed into the standard decoder (or vice versa). Standard Base64 uses + and /, while URL-safe Base64 swaps those for - and _. Switch the variant toggle to match how the string was produced, and make sure no stray characters or line breaks were pasted in.

Does this tool handle emoji and other Unicode characters?

Yes. Many naive Base64 encoders choke on anything outside Latin-1. This one first converts your text to UTF-8 byte by byte before encoding, so accented letters, emoji and non-Latin scripts round-trip back to exactly what you typed.

What is URL-safe Base64 and when do I need it?

The + and / characters in standard Base64 have special meaning inside URLs and filenames. URL-safe Base64 replaces + with - and / with _ (and often drops the = padding) so the value can be dropped into a query string, path or cookie without escaping. JWTs and many OAuth flows use this variant.

Why does the encoded output get longer than my input?

Base64 represents every 3 bytes of input with 4 output characters, so the result is roughly 33% larger. That overhead is the price of staying inside a 64-character text-safe alphabet — a worthwhile trade when the alternative is corruption in a channel that only understands text.

Is my text sent anywhere?

No. Encoding and decoding both run entirely in your browser using the built-in btoa/atob functions. Nothing you type is uploaded, logged or stored, so it is safe to paste tokens, headers or other sensitive strings.

Related tools

Password generator

Strong passwords & memorable passphrases via WebCrypto.

JSON formatter

Format, validate and beautify JSON, with error messages.

UUID generator

Generate bulk RFC 4122 v4 UUIDs using secure randomness.