{ }jsonkit
Tools/Convert/Base64 Encode / Decode
Search tools…⌘K
Format
{ }JSON Formatter
≡→JSON Minifier
\"JSON Escape / Unescape
a→zJSON Sorter
⇄{}JSON Flattener
Validate
JSON Validator
±JSON Diff / Compare
§JSON Schema Generator
JWT Decoder
ΔJSON Patch / Merge Patch
kbJSON Size Analyzer
Convert
→csvJSON to CSV
csv→CSV to JSON
⇄ymlJSON ⇄ YAML
⇄xmlJSON ⇄ XML
→tsJSON to TypeScript
b64Base64 Encode / Decode
%2FURL Encode / Decode
clkTimestamp Converter
→zJSON to Zod
→pyJSON to Pydantic
→goJSON to Go
→javaJSON to Java
⇄jsonlJSON ⇄ JSONL
5→JSON5 / JSONC to JSON
Query
$.JSONPath / JQ Tester
.*Regex Tester
Generate
Mock JSON Data Generator
idUUID / NanoID Generator
#Hash Generator
b64

Base64 Encode / Decode

UTF-8 safe, with a url-safe variant — fully local.
processes as you type · client-side
Sample
Upload
⇄ Encode
URL-safe
⧉ Copy output ⌘C
Download
Share
Clear
Text160 B · paste or drop a file
1
Base64
1
eyJpZCI6InVzcl84eDQyIiwibmFtZSI6IkFkYSBMb3ZlbGFjZSIsImVtYWlsIjoiYWRhQGV4YW1wbGUuY29tIiwiYWN0aXZlIjp0cnVlLCJyb2xlcyI6WyJhZG1pbiIsImVkaXRvciJdLCJwbGFuIjp7InRpZXIiOiJwcm8iLCJzZWF0cyI6NSwicmVuZXdzIjoiMjAyNi0wOC0wMSJ9fQ==
✓ valid (RFC 8259)160 B → 216 B0.0 msLn 1, Col 1UTF-8

About Base64 Encode / Decode

The Base64 encoder and decoder converts text to Base64 and back. Base64 represents any data using only 64 safe ASCII characters, which is why it shows up everywhere binary or arbitrary text has to travel through text-only channels: JWT segments, data URIs, HTTP basic auth headers, email attachments and API payloads.

Both directions run entirely in your browser — the text or token you paste is never uploaded — so decoding a credential-bearing string or encoding a secret config is private by default. Free, no signup, no size gate.

It is UTF-8 safe: emoji, accented characters and non-Latin scripts encode and decode correctly, which many quick-and-dirty Base64 tools get wrong. A url-safe toggle produces the - and _ variant used in JWTs and URL parameters.

How it works

How Base64 encoding works

Base64 takes the input bytes three at a time and re-expresses each 24-bit group as four characters from a 64-symbol alphabet (A-Z, a-z, 0-9, + and /). When the input length is not a multiple of three, = padding fills the final group. The output is about 33% larger than the input — that is the cost of using only safe printable characters.

UTF-8 safety

Text is first encoded to UTF-8 bytes, then those bytes are Base64-encoded. This matters for anything beyond plain ASCII: emoji, accents and non-Latin scripts round-trip correctly, where naive implementations that skip the UTF-8 step throw errors or corrupt characters.

URL-safe Base64

Standard Base64 uses + and /, which clash with URL syntax. The url-safe variant (RFC 4648 §5) substitutes - and _ and drops the = padding. JWTs, URL parameters and many API tokens use this form — the URL-safe toggle produces it, and decode mode accepts both variants automatically.

Decoding validation

Decode mode strips whitespace, accepts both standard and url-safe alphabets, restores missing padding, and reports a clear error when the input contains invalid characters or the decoded bytes are not valid UTF-8 text — instead of printing garbage.

Frequently asked questions

Is Base64 encryption?

No. Base64 is an encoding, not encryption — anyone can decode it instantly, with no key involved. Never treat Base64 as a way to protect secrets; it only makes data safe to transport through text-only channels.

Why is my Base64 output longer than the input?

Base64 represents every 3 bytes of input as 4 characters of output, so encoded data is roughly 33% larger. That overhead is inherent to the format.

What is url-safe Base64 and when do I need it?

It replaces + with -, / with _ and drops = padding so the string can sit in a URL or filename without escaping. JWT header and payload segments use it — enable the URL-safe toggle to produce it. Decoding accepts both variants automatically.

Can I decode a JWT with this tool?

You can decode an individual segment, since JWT parts are url-safe Base64. For the full experience — header, payload, signature and expiry check in one view — use the dedicated JWT decoder.

Is it safe to paste tokens or secrets here?

Encoding and decoding happen locally in your browser; nothing is uploaded or logged. As with any tool, treat pasted credentials with care, but nothing leaves your machine here.