Tools
Base64 & URL Encoder
Encode and decode Base64 and percent-encoded URLs as you type — UTF-8 safe, with exact error positions and a hex preview when the payload turns out to be binary. Runs entirely in your browser.
Result
More on this site: all tools ·JSON formatter ·regex checker ·diff checker ·the arcade
Found a bug or a rough edge? Tell me — reports get fixed fast.
What is this tool?
A free Base64 and URL (percent-encoding) encoder/decoder. Type or paste on one side and the result appears live on the other, in either direction. It is fully UTF-8 safe — emoji, accents and any other Unicode round-trip correctly, where naive tools built on the browser's btoa throw a "character out of range" error. Invalid input doesn't just fail: the exact offending character is pointed out with a caret, the way a compiler would.
Your text never leaves the browser. There is no server: encoding and decoding run client-side, and the only thing stored is your last input and settings, in your own browser's local storage, so they're still there when you come back.
How to use it
- Pick Base64 or URL up top, then Encode or Decode.
- For Base64, choose the Standard alphabet (
+/, padded) or the URL-safe one (-_, unpadded) — decoding auto-detects either. - For URLs, choose Component to escape everything that isn't safe inside a single query value, or Whole URL to keep structural characters like
/ ? & =intact. - Hit ⇄ Use as input to move the result back into the input and flip direction — an instant round-trip check.
- Decoding Base64 that isn't text? You get a hex dump preview instead of mojibake.
What is Base64, actually?
Base64 re-writes arbitrary bytes using 64 harmless ASCII characters (A–Z a–z 0–9 + /), three bytes at a time becoming four characters. That's the whole trick: it lets binary data travel through channels designed for text — JSON strings, email bodies, HTTP headers, data: URIs, JWTs. Two things follow from the arithmetic:
- It grows data by ~33%. Every 3 bytes become 4 characters, plus up to two
=padding characters to round the last group out. Base64 is an envelope, not a compressor. - It is not encryption. Base64 has no key and hides nothing — anyone can decode it (you're on a page that does). Never treat an encoded secret as a protected one.
Standard vs URL-safe Base64
Two of the standard alphabet's characters are troublesome inside URLs and filenames: + (means "space" in form data) and / (a path separator). RFC 4648's URL-safe variant swaps them, and by convention drops the = padding too, since = would itself need escaping:
| Standard | URL-safe | |
|---|---|---|
| Character 62 | + | - |
| Character 63 | / | _ |
| Padding | = | usually omitted |
| Seen in | MIME, data: URIs, HTTP Basic auth | JWTs, URL tokens, cookies |
If a JWT segment fails to decode elsewhere, this is almost always why — it's URL-safe Base64. This tool's decoder accepts both alphabets, with or without padding, and ignores stray whitespace and line breaks (MIME wraps encoded lines at 76 characters).
Percent-encoding: component or whole URL?
URL encoding (RFC 3986) replaces each unsafe byte with% plus two hex digits — a space becomes%20, é becomes %C3%A9 (its two UTF-8 bytes). The crucial choice is scope, and it maps directly to JavaScript's two functions:
- Component (
encodeURIComponent) — for one value going into a URL: a query parameter, a path segment, a redirect target. Escapes everything with special meaning, including& = ? / : #. This is the one you want 95% of the time. - Whole URL (
encodeURI) — for a complete URL that must keep working as a URL: separators like/ ? & = : #stay untouched and only genuinely illegal characters (spaces, Unicode) are escaped. Encoding avalue this way is a classic bug: an&inside it will silently split your parameter in two.
The Decode + as space switch handles form data:application/x-www-form-urlencoded (the format of classic form submissions and most query strings) encodes spaces as+. A real plus sign is %2B, which this tool decodes correctly either way.
Gotchas worth knowing
- Unicode needs a byte encoding first. Base64 encodes bytes, so text must be turned into bytes before encoding — this tool uses UTF-8, today's universal choice. If a decode elsewhere produces
éinstead ofé, two sides disagreed on that byte encoding. btoa("👋")throws. The browser built-in predates modern JavaScript strings and only accepts Latin-1. The standard workaround is exactly what this tool does internally:TextEncoderfirst, then Base64 over the bytes.- Double-encoding is the classic URL bug. Encode twice and
%20becomes%2520(the%itself gets escaped). If a decoded result still contains%25, it was encoded one time too many — decode again to unwrap each layer. - Not all Base64 is text. Images, keys and compressed blobs are Base64'd all the time. When decoded bytes aren't valid UTF-8, this tool shows an offset + hex + ASCII dump instead of garbage — the first bytes usually identify the format (
89 50 4e 47is a PNG,25 50 44 46a PDF,1f 8bgzip).
FAQ
Is it free? Yes — free, no sign-up, no limits.
Is my data uploaded anywhere? No. Both codecs run in your browser; the page works the same if you go offline after loading it. That makes it safe for tokens, credentials and API payloads you'd rather not paste into a random website.
Can it decode JWTs? It decodes any JWT segment (they're URL-safe Base64) — split the token on the dots and paste a piece. A dedicated JWT decoder is on this site's roadmap.
Which specs does it follow? RFC 4648 for Base64 (standard and URL-safe alphabets, liberal in what it accepts: whitespace and missing padding are fine, real errors are not) and RFC 3986 percent-encoding via the browser's ownencodeURIComponent/encodeURI, plus the HTML form + convention as an option.
Built from scratch for this site in vanilla TypeScript — a pure, unit-tested codec core with hand-written Base64 over raw bytes, exact error positions, and zero runtime dependencies.