Encode and decode Base64 and URL strings. Fast, secure, and works entirely in your browser.
Base64 and percent-encoding are two different answers to the same problem: how do you transmit arbitrary data over a channel that only understands a limited set of characters? This reference covers both — what they do, when to use each, and the common mistakes that trip developers up.
| Property | Base64 | URL encoding (%xx) |
|---|---|---|
| Character set | A-Z a-z 0-9 + / = | Unreserved chars + %XX escapes |
| Size overhead | ~33% larger than input | Varies — only special chars expand |
| Reversible? | Yes — trivially | Yes — trivially |
| Secure? | No — not encryption | No — not encryption |
| Main use | Binary data in text contexts | Special chars in URLs |
| Where you'll see it | JWT tokens, data URIs, MIME email, HTTP Basic Auth | Query strings, form POST, OAuth params |
Base64 takes 3 bytes (24 bits) of input at a time and splits them into 4 groups of 6 bits. Each 6-bit group maps to one of 64 printable characters — that's where the name comes from. The result is always 4 output characters for every 3 input bytes, exactly 33% larger. If the input length isn't divisible by 3, = padding characters fill the gap.
Example: the string Man (3 bytes) encodes to TWFu. The string Ma (2 bytes) encodes to TWE=. The string M (1 byte) encodes to TQ== — two padding characters.
⚠️ Base64 is not encryption. It is trivially reversible. Never use it to protect passwords, API keys, or sensitive data in client-side code.
`+` with `-` and `/` with `_`, and drops the `=` padding. Strip padding and swap characters before decoding a JWT with a standard decoder.

`encodeURIComponent` for individual parameter values (encodes `& = ? /`). Use `encodeURI` for a full URL (preserves structural characters). Mixing them breaks query strings.

`%7B%22key%22%3A`, the input was URL-encoded before being Base64-encoded.

```
# HTTP Basic Auth header
Authorization: Basic dXNlcjpwYXNzd29yZA==
# Data URI embedded in CSS
background-image: url('data:image/png;base64,iVBORw0KGgo...');
# JWT token (three Base64url sections separated by dots)
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMTIzIn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
# URL-encoded query string
https://example.com/search?q=hello%20world&filter=date%3A2026
```
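The Base64url handling described above, as an added example that is not part of the original page: it swaps the alphabet back, restores `=` padding for decoders that require it, and reads the header and payload of the sample JWT shown in the examples. The function names are illustrative and not from any library.

```javascript
// Added example: decode Base64url (as used in JWTs) with a standard decoder.
// Function names are illustrative, not from any library.

// Convert Base64url to standard Base64: swap the alphabet back and
// restore the '=' padding that Base64url drops.
function base64urlToBase64(input) {
  if (!/^[A-Za-z0-9_-]*$/.test(input)) {
    throw new Error('not Base64url: unexpected character');
  }
  // A length of 4n+1 can never come from a whole number of bytes.
  if (input.length % 4 === 1) {
    throw new Error('not Base64url: impossible length');
  }
  const swapped = input.replace(/-/g, '+').replace(/_/g, '/');
  return swapped + '='.repeat((4 - (swapped.length % 4)) % 4);
}

// Decode to a UTF-8 string using the standard decoder (atob).
function base64urlDecode(input) {
  const binary = atob(base64urlToBase64(input));
  const bytes = Uint8Array.from(binary, (ch) => ch.charCodeAt(0));
  return new TextDecoder('utf-8').decode(bytes);
}

// Read the header and payload of a JWT. This only decodes; it does NOT
// verify the signature, so the result must not be trusted for authorization.
function inspectJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error('expected three dot-separated sections');
  }
  return {
    header: JSON.parse(base64urlDecode(parts[0])),
    payload: JSON.parse(base64urlDecode(parts[1])),
  };
}

// The sample JWT from this page's examples.
const sample =
  'eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMTIzIn0.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';
console.log(inspectJwt(sample));
```

Anyone holding the token can read the claims this way, which is why a JWT payload should never carry secrets.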
No data is sent to any server. Your tokens, credentials, and encoded strings stay on your device.
Base64 encodes binary data into ASCII text for safe transmission over text-based protocols like email (MIME), HTTP headers, or embedded in JSON and XML. It is not encryption — it is a way to represent binary data as text.
No. Base64 is encoding, not encryption. Anyone can decode it instantly. Never use Base64 to hide sensitive data. Use proper encryption like AES if you need confidentiality.
Base64 maps every 3 bytes to 4 ASCII characters — approximately 33% larger. This overhead is the trade-off for making binary data text-safe.
Standard Base64 uses + and / which have special meaning in URLs. URL-safe Base64 replaces + with - and / with _ so it can be used in URLs and JWT tokens without breaking.
Yes. Encoding an image to Base64 lets you embed it as a data URI directly in CSS or HTML, eliminating an HTTP request. Best for small icons — not large photos.