What is the difference between Base64 and Base64url?

Standard Base64 uses the characters plus and slash and pads with the equals sign, which can break inside URLs and filenames. Base64url replaces plus with dash and slash with underscore and omits padding, so the result is safe to drop into a URL or JWT segment.

Why does encoding emoji work here but not with plain btoa?

The browser's btoa only accepts Latin-1 characters and throws on anything outside that range. This tool encodes through TextEncoder first, converting text to UTF-8 bytes, so emoji and all non-ASCII characters round-trip correctly.

What happens if I decode something that is not text?

If the decoded bytes are not valid UTF-8 — for example a compressed file or an image — the tool detects that the strict decode failed and shows the raw bytes as hexadecimal instead of garbled characters.

Can I decode a JWT with this tool?

A JWT is three Base64url segments joined by dots. Paste a single segment (the header or the payload) to decode it. The tool recognises the JWT pattern and reminds you to decode each segment separately.

Is anything I paste sent to a server?

No. All encoding and decoding happens in JavaScript in your browser, so you can safely process secrets, tokens, and private data without it ever leaving your device.

Base64 Encoder/Decoder with Binary Safety

Base64 turns arbitrary bytes into a text string using 64 printable characters, which lets binary data travel safely through systems that only handle text — email, JSON, data URIs, and JWTs. This tool encodes UTF-8 text or hex bytes into Base64 (or URL-safe Base64url) and decodes either variant back, all in your browser.

How it works

Base64 packs every 3 input bytes (24 bits) into 4 output characters (6 bits each):

Encoding text first converts the string to UTF-8 bytes with TextEncoder, so multi-byte characters such as emoji are preserved.
Each group of 3 bytes maps to 4 characters from the alphabet A-Z a-z 0-9 + /; leftover bytes are padded with =.
Base64url then rewrites + to -, / to _, and strips the = padding so the value is safe inside URLs.
Decoding reverses the process, normalising url-safe characters and restoring padding before rebuilding the bytes, then attempting a strict UTF-8 decode.

If a decode produces bytes that are not valid UTF-8, the tool shows hex rather than mojibake.

Tips and examples

Encoding the text Hi gives SGk=. Encoding the hex bytes 48 69 (which spell “Hi” in ASCII) gives the same SGk=, which is handy for inspecting binary protocol payloads.

When you paste a value shaped like xxxxx.yyyyy.zzzzz, the tool recognises a JWT and reminds you to decode the header and payload segments individually. PEM blocks and data: URIs are flagged too, so you know where the actual Base64 body lives.