Base64 Decoder

Decode Base64 encoded strings back to plain text. Supports standard and URL-safe Base64.

Base64 Input

Decoded Output

Hello, World!

Input Length

20

Output Length

13

About Base64: Base64 is an encoding scheme that converts binary data to ASCII text. It's commonly used for embedding data in URLs, emails, and web pages.

What Is Base64 and Why Is It Used?

Base64 is a binary-to-text encoding scheme that represents arbitrary binary data using a set of 64 printable ASCII characters: the 26 uppercase letters A–Z, the 26 lowercase letters a–z, the digits 0–9, and the two symbols + and / (with = used as a padding character). The name "Base64" comes directly from the 64-character alphabet the scheme uses.

The fundamental problem Base64 solves is transport safety. Many communication channels — email protocols like SMTP, HTTP headers, URLs, and XML/JSON documents — were originally designed to carry only 7-bit ASCII text. Binary data such as images, cryptographic keys, or compressed files cannot pass through these channels without corruption. Base64 converts any binary payload into a stream of safe ASCII characters that survives transport unchanged, regardless of the underlying protocol or system.

You will encounter Base64 in a remarkable range of everyday technology. Email attachments are Base64-encoded inside MIME messages. Images embedded in HTML or CSS use Base64 data URIs (data:image/png;base64,...). JSON Web Tokens (JWTs) store their header and payload as Base64url-encoded strings. API credentials are frequently sent as Base64-encoded username:password pairs in HTTP Basic Authentication headers. TLS/SSL certificates stored in PEM format are Base64-encoded DER binary. Even many database BLOBs are stored as Base64 for compatibility.

Our Base64 decoder calculator reverses the encoding process: you paste any Base64 string and instantly receive the original plain text. The tool supports both standard Base64 (using + and /) and the URL-safe variant (using - and _), which is essential for decoding JWTs, OAuth tokens, and anything embedded in a URL where + and / carry special meaning. The input and output length counters update in real time, so you can immediately see the compression ratio between the encoded and decoded forms.

How Base64 Decoding Works

Base64 encoding works by grouping every three bytes of input (24 bits) into four 6-bit chunks, then mapping each 6-bit value to one of the 64 printable characters in the Base64 alphabet. Decoding simply reverses this: every four Base64 characters are looked up in the alphabet to recover six bits each, yielding 24 bits (three bytes) of original data. This 4:3 character-to-byte ratio means a Base64-encoded string is always approximately 33 percent longer than the original binary data.

When the original data's byte count is not a multiple of three, one or two = padding characters are appended to the encoded string to keep its length a multiple of four. One = means the last group encoded only one byte; two == means it encoded two bytes. The padding is stripped and the correct number of output bytes is inferred during decoding.

This calculator uses the browser's built-in atob() function, which implements the standard Base64 decoding algorithm directly. To correctly handle text that contains multibyte characters (such as accented letters or emoji encoded in UTF-8), the tool additionally wraps the result in decodeURIComponent(escape(...)). This two-step process converts the raw byte string returned by atob() into a proper JavaScript Unicode string, so that encoded UTF-8 text is displayed correctly rather than as garbled bytes.

When the URL-safe checkbox is checked, a preprocessing step runs before decoding: every - in the input is replaced with +, and every _ is replaced with /, restoring the standard Base64 alphabet. The string is then padded with = characters until its length is a multiple of four, because URL-safe Base64 (used in JWTs and OAuth) typically omits padding. After these substitutions, the standard decoding pipeline runs as normal.

Base64 Decoding Algorithm

Step 1 (URL-safe only): input = input.replace(/-/g, "+").replace(/_/g, "/"); while (input.length % 4) input += "=" Step 2: decoded = decodeURIComponent(escape(atob(input)))

Where:

  • atob(input)= Browser built-in that decodes a standard Base64 string to a raw binary (Latin-1) string, one character per byte
  • escape(binaryString)= Percent-encodes each byte of the binary string so that multibyte UTF-8 sequences become percent-encoded triplets (e.g., %C3%A9 for é)
  • decodeURIComponent(...)= Converts the percent-encoded byte sequences back into proper Unicode characters, correctly reconstructing the original UTF-8 text
  • replace(/-/g, "+")= URL-safe preprocessing: substitutes the URL-safe minus character with the standard Base64 plus character
  • replace(/_/g, "/")= URL-safe preprocessing: substitutes the URL-safe underscore with the standard Base64 slash
  • input.length % 4= The number of missing padding characters; "=" is appended until this expression equals zero, restoring the required block alignment

Standard Base64 vs. URL-safe Base64

The original Base64 specification (RFC 4648 §4) uses a 64-character alphabet that includes the + and / symbols. These two characters have reserved meanings in URLs — + represents a space in query strings, and / is a path separator — so embedding standard Base64 in a URL requires additional percent-encoding, producing strings like SGVsbG8%2C%20V29ybGQ%3D that are long, unreadable, and error-prone.

The URL-safe (or "Base64url") variant defined in RFC 4648 §5 replaces + with - and / with _, producing strings that can be embedded in URLs and filenames without any percent-encoding. Padding = characters are also commonly omitted in URL-safe contexts because they can be ambiguous in query strings.

The most widespread use of URL-safe Base64 today is in JSON Web Tokens (JWTs). A JWT consists of three URL-safe Base64url-encoded sections separated by dots: header.payload.signature. To inspect a JWT's header or payload — for example, to check its expiry time or the user's claims — you paste one section (without the dots) into this decoder and check the URL-safe checkbox. The tool handles both the character substitution and the missing padding automatically.

Other common URL-safe Base64 contexts include OAuth 2.0 tokens, PKCE code challenges, API key generation, and base64url-encoded file names in cloud storage systems. Whenever you see a Base64-looking string containing - or _ instead of + or /, you are looking at URL-safe Base64 and should enable that checkbox before decoding.

Feature Standard Base64 URL-safe Base64url
Characters 62 & 63 + and / - and _
Padding Always uses = to fill to multiple of 4 Often omits = padding
Safe in URLs? No — requires percent-encoding Yes — no escaping needed
Common uses Email (MIME), data URIs, PEM certs JWT, OAuth tokens, PKCE
RFC reference RFC 4648 §4 RFC 4648 §5

When and Why You Need a Base64 Decoder

A Base64 decoder is an indispensable utility for developers, security professionals, and anyone who works with APIs, tokens, or encoded data. Here are the most common real-world scenarios where this tool saves time.

Inspecting JWT Tokens

JWTs are the most common authentication token format in modern web APIs. Each JWT contains a Base64url-encoded header and payload. Decoding the payload lets you read the user's identity claims, expiry timestamp (exp), issuing authority (iss), and any custom attributes — without needing a private key. Paste the section between the first and second dots into this decoder with URL-safe mode enabled to instantly inspect any JWT payload.

Debugging API Responses

REST and GraphQL APIs occasionally return fields as Base64-encoded strings — cursor-based pagination cursors, opaque IDs, or binary attachments. Decoding these values reveals the underlying structure (often JSON or a colon-separated composite key), which is invaluable when troubleshooting unexpected API behavior.

Reading Email Attachments and MIME Parts

Email messages that contain attachments encode them in Base64 within MIME multipart bodies. If you are building or debugging an email parser, or if you receive raw SMTP traffic in a log file, a Base64 decoder lets you recover the original attachment content from the encoded block.

Working with Data URIs

HTML and CSS support inline resources via data URIs: data:image/png;base64,iVBORw0KGgo.... Decoding the Base64 portion of a data URI lets you extract the embedded image or font file, inspect its contents, or convert it back to a standalone file.

Security Analysis and CTF Challenges

Capture-the-flag competitions frequently hide flags inside Base64-encoded strings, sometimes with multiple layers of encoding. Security analysts also use Base64 decoders when inspecting obfuscated malware payloads, encoded PowerShell commands (-EncodedCommand), or phishing kit source code where strings are Base64-encoded to evade signature detection.

Verifying Cryptographic Data

Public keys, certificate signing requests (CSRs), and digital signatures are often transmitted as PEM-format Base64. Decoding the body of a PEM block (the lines between the -----BEGIN... headers) produces the raw DER binary, which can then be parsed by cryptographic tools. This calculator handles the text decoding step quickly so you can focus on the cryptographic analysis.

Understanding Input and Output Length Ratios

This decoder displays two real-time counters: Input Length (the number of characters in the Base64 string you entered) and Output Length (the number of characters in the decoded text). Understanding the relationship between these numbers helps you verify that a decode was successful and understand why Base64 adds overhead to data size.

Every 4 characters of Base64 encode exactly 3 bytes of original data. This gives a constant expansion factor of 4/3 ≈ 1.333 — meaning a Base64 string is always about 33 percent larger than the binary data it encodes. Equivalently, the decoded output should always be approximately 75 percent of the input length (ignoring padding characters).

For plain ASCII text, the byte count equals the character count, so the output character counter matches the decoded byte count exactly. The formula is: Output bytes = ⌊(Input length × 3) / 4⌋ when the input is correctly padded. If the input length is not a multiple of 4 and you are not using URL-safe mode (which adds padding automatically), decoding will fail with an "Invalid Base64 input" error — a reliable diagnostic that tells you the string is truncated or corrupted.

For multibyte UTF-8 text such as accented European characters, Arabic script, or CJK characters, the output character count will be less than the byte count, because each character may occupy 2, 3, or 4 bytes in UTF-8. The output length counter shows the number of JavaScript string characters (Unicode code points in the BMP), not raw bytes. Keep this distinction in mind when decoding binary data vs. human-readable text.

A quick sanity check: if your input is 1000 characters long (without padding), the decoded output should be approximately 750 characters for plain ASCII text. If the output is dramatically shorter or the tool shows an error, the input is likely not valid Base64 — perhaps it is URL-encoded, hex-encoded, or has been corrupted during copy-paste.

Worked Examples

Decode the Default Example: "Hello, World!"

Problem:

Decode the Base64 string "SGVsbG8sIFdvcmxkIQ==" (the page's default) to plain text.

Solution Steps:

  1. 1Input: "SGVsbG8sIFdvcmxkIQ==" — standard Base64 with "==" padding (URL-safe checkbox: unchecked)
  2. 2Pass directly to atob(): atob("SGVsbG8sIFdvcmxkIQ==") returns the raw byte string for "Hello, World!"
  3. 3Apply decodeURIComponent(escape(...)) to handle UTF-8 encoding: result is a valid JavaScript string
  4. 4Input length = 20 characters; Output length = 13 characters (13 ÷ 20 × 4/3 ≈ 1.0, confirming valid Base64)

Result:

"Hello, World!" — 13 characters decoded from 20 Base64 characters, consistent with the 4:3 expansion ratio.

Decode a Short String: "test"

Problem:

Verify that the Base64 string "dGVzdA==" decodes correctly to the word "test".

Solution Steps:

  1. 1Input: "dGVzdA==" — 8 characters including "==" padding (URL-safe checkbox: unchecked)
  2. 2Group 1 (dGVz): d=29, G=6, V=21, z=51 → bits 011101 000110 010101 110011 → bytes 0x74 0x65 0x73 = "tes"
  3. 3Group 2 (dA==): d=29, A=0, with two padding bytes → bits 011101 000000 → first byte 0x74 = "t"
  4. 4Concatenate: "tes" + "t" = "test"; apply decodeURIComponent(escape()) → "test"

Result:

"test" — 4 characters decoded from 8 Base64 characters (including 2 padding "=" signs).

URL-safe Mode: Decode Unpadded Base64

Problem:

Decode "dGVzdA" — the same data as "dGVzdA==" but with padding stripped, using URL-safe mode.

Solution Steps:

  1. 1Input: "dGVzdA" — 6 characters, no "=" padding; check the "URL-safe Base64" checkbox
  2. 2Step 1 — character substitution: no "-" or "_" present, so the string stays "dGVzdA"
  3. 3Step 2 — padding: length is 6; 6 % 4 = 2, so append "==" to get "dGVzdA=="
  4. 4Step 3 — decode: atob("dGVzdA==") → raw bytes "test"; decodeURIComponent(escape(...)) → "test"

Result:

"test" — identical output to the padded version. URL-safe mode automatically restores missing padding.

Inspect a JWT Header

Problem:

Decode the Base64url-encoded JWT header "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" to read its JSON content.

Solution Steps:

  1. 1Input: "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" — check the "URL-safe Base64" checkbox
  2. 2Length is 36 characters; 36 % 4 = 0, so no padding is added
  3. 3No "-" or "_" characters present, so no character substitution is needed
  4. 4atob() decodes the string; decodeURIComponent(escape()) converts to: {"alg":"HS256","typ":"JWT"}

Result:

{"alg":"HS256","typ":"JWT"} — the JWT header reveals the signing algorithm (HMAC-SHA256) and token type.

Tips & Best Practices

  • If the decoder shows an error, check whether your input contains spaces or line breaks; remove them and try again.
  • JWT tokens have three Base64url-encoded sections separated by dots — decode only one section at a time (header, payload, or signature), not the full token string.
  • Standard Base64 strings use only A–Z, a–z, 0–9, +, /, and = — if you see - or _ in your string, enable the URL-safe checkbox before decoding.
  • The output-to-input character ratio should be about 0.75 (75%) for valid ASCII text; a dramatically shorter output often means the string was truncated.
  • PEM-format certificates and keys have header/footer lines (-----BEGIN...-----); strip those lines and paste only the Base64 body into the decoder.
  • Base64 provides zero security — never rely on it to hide sensitive data; always use proper encryption for confidential content.
  • If you need to decode the same Base64 string repeatedly (e.g., across API calls), note the decoded value rather than re-decoding each time to save steps.
  • Use the companion Base64 Encoder tool to verify round-trips: encode text to Base64, then decode it here to confirm you get the original string back.

Frequently Asked Questions

This error appears when the input string contains characters not in the Base64 alphabet, has a length that is not a multiple of four (and URL-safe mode is off), or has corrupt padding. Common causes include accidentally copying extra whitespace, line breaks, or MIME boundary markers along with the encoded data. Try trimming whitespace from both ends of the string, removing any line breaks, and ensuring you copied the complete encoded block.
Enable URL-safe mode whenever your input contains <strong>-</strong> (hyphen) or <strong>_</strong> (underscore) characters where you would normally expect <strong>+</strong> or <strong>/</strong>, or when the string has no <strong>=</strong> padding. The most common sources of URL-safe Base64 are JSON Web Tokens (JWTs), OAuth 2.0 access and refresh tokens, PKCE code verifiers, Google and Amazon API tokens, and any encoded data embedded directly in a URL query string or path segment.
No — Base64 is an encoding scheme, not an encryption algorithm. It provides no confidentiality whatsoever: anyone with a Base64 decoder (including this one) can recover the original data instantly without any key or password. Base64 simply transforms binary data into printable ASCII text for safe transport through text-only channels. If you need to protect data, use proper encryption (AES, RSA, or a modern authenticated encryption scheme) before or after encoding.
Base64 maps every 3 bytes (24 bits) of input to 4 printable characters (each representing 6 bits). The ratio 4/3 ≈ 1.333 means the output is always one-third larger than the input. The padding character <strong>=</strong> ensures the total length is always a multiple of four. This size increase is the price of safe transport: you trade bandwidth for universal compatibility with text-only protocols.
Yes. The calculator uses <code>decodeURIComponent(escape(atob(input)))</code> specifically to handle UTF-8 encoded strings correctly. The <code>atob()</code> function decodes Base64 to raw bytes, and the <code>escape/decodeURIComponent</code> wrapper converts those bytes from their UTF-8 byte sequence back into proper JavaScript Unicode characters. This means you can decode Base64-encoded text in any language that uses UTF-8 — French accents, German umlauts, Japanese kanji, Arabic script, and most emoji.
Encoding converts plain text or binary data into a Base64 string (e.g., "Hello" → "SGVsbG8="). Decoding reverses the process: a Base64 string is converted back to the original data (e.g., "SGVsbG8=" → "Hello"). This tool performs decoding. If you need to encode text as Base64, use our companion Base64 Encoder tool at /tools/base64-encoder.
Padding with <strong>=</strong> ensures the total Base64 string length is always a multiple of four characters, which makes block-aligned parsing straightforward. One <strong>=</strong> means the last group of input contained exactly one byte (two Base64 characters encode 12 bits, of which only 8 carry data). Two <strong>==</strong> means the last group contained exactly two bytes. If the original data's length happens to be a multiple of three, no padding is needed at all. URL-safe Base64 often omits padding, which the URL-safe checkbox handles by re-adding it before decoding.

Sources & References

Last updated: 2026-06-05

💡

Help us improve!

How would you rate the Base64 Decoder?

<>

Editorial Note

MyCalcBuddy Editorial Team

This page is maintained as an educational calculator reference.

Source

Formula Source: Standard Mathematical References

by Various

UpdatedLast reviewed: May 2026
CheckedFormula checks are based on standard references and internal QA review.