Skip to content

Tools

Base64 & URL Encoder

Encode and decode Base64 and percent-encoded URLs as you type — UTF-8 safe, with exact error positions and a hex preview when the payload turns out to be binary. Runs entirely in your browser.

Alphabet:

Result

Found a bug or a rough edge? Tell me — reports get fixed fast.

What is this tool?

A free Base64 and URL (percent-encoding) encoder/decoder. Type or paste on one side and the result appears live on the other, in either direction. It is fully UTF-8 safe — emoji, accents and any other Unicode round-trip correctly, where naive tools built on the browser's btoa throw a "character out of range" error. Invalid input doesn't just fail: the exact offending character is pointed out with a caret, the way a compiler would.

Your text never leaves the browser. There is no server: encoding and decoding run client-side, and the only thing stored is your last input and settings, in your own browser's local storage, so they're still there when you come back.

How to use it

  • Pick Base64 or URL up top, then Encode or Decode.
  • For Base64, choose the Standard alphabet (+/, padded) or the URL-safe one (-_, unpadded) — decoding auto-detects either.
  • For URLs, choose Component to escape everything that isn't safe inside a single query value, or Whole URL to keep structural characters like / ? & = intact.
  • Hit ⇄ Use as input to move the result back into the input and flip direction — an instant round-trip check.
  • Decoding Base64 that isn't text? You get a hex dump preview instead of mojibake.

What is Base64, actually?

Base64 re-writes arbitrary bytes using 64 harmless ASCII characters (A–Z a–z 0–9 + /), three bytes at a time becoming four characters. That's the whole trick: it lets binary data travel through channels designed for text — JSON strings, email bodies, HTTP headers, data: URIs, JWTs. Two things follow from the arithmetic:

  • It grows data by ~33%. Every 3 bytes become 4 characters, plus up to two = padding characters to round the last group out. Base64 is an envelope, not a compressor.
  • It is not encryption. Base64 has no key and hides nothing — anyone can decode it (you're on a page that does). Never treat an encoded secret as a protected one.

Standard vs URL-safe Base64

Two of the standard alphabet's characters are troublesome inside URLs and filenames: + (means "space" in form data) and / (a path separator). RFC 4648's URL-safe variant swaps them, and by convention drops the = padding too, since = would itself need escaping:

StandardURL-safe
Character 62+-
Character 63/_
Padding=usually omitted
Seen inMIME, data: URIs, HTTP Basic authJWTs, URL tokens, cookies

If a JWT segment fails to decode elsewhere, this is almost always why — it's URL-safe Base64. This tool's decoder accepts both alphabets, with or without padding, and ignores stray whitespace and line breaks (MIME wraps encoded lines at 76 characters).

Percent-encoding: component or whole URL?

URL encoding (RFC 3986) replaces each unsafe byte with% plus two hex digits — a space becomes%20, é becomes %C3%A9 (its two UTF-8 bytes). The crucial choice is scope, and it maps directly to JavaScript's two functions:

  • Component (encodeURIComponent) — for one value going into a URL: a query parameter, a path segment, a redirect target. Escapes everything with special meaning, including & = ? / : #. This is the one you want 95% of the time.
  • Whole URL (encodeURI) — for a complete URL that must keep working as a URL: separators like/ ? & = : # stay untouched and only genuinely illegal characters (spaces, Unicode) are escaped. Encoding avalue this way is a classic bug: an &inside it will silently split your parameter in two.

The Decode + as space switch handles form data:application/x-www-form-urlencoded (the format of classic form submissions and most query strings) encodes spaces as+. A real plus sign is %2B, which this tool decodes correctly either way.

Gotchas worth knowing

  • Unicode needs a byte encoding first. Base64 encodes bytes, so text must be turned into bytes before encoding — this tool uses UTF-8, today's universal choice. If a decode elsewhere produces é instead ofé, two sides disagreed on that byte encoding.
  • btoa("👋") throws. The browser built-in predates modern JavaScript strings and only accepts Latin-1. The standard workaround is exactly what this tool does internally: TextEncoder first, then Base64 over the bytes.
  • Double-encoding is the classic URL bug. Encode twice and %20 becomes %2520 (the% itself gets escaped). If a decoded result still contains %25, it was encoded one time too many — decode again to unwrap each layer.
  • Not all Base64 is text. Images, keys and compressed blobs are Base64'd all the time. When decoded bytes aren't valid UTF-8, this tool shows an offset + hex + ASCII dump instead of garbage — the first bytes usually identify the format (89 50 4e 47 is a PNG, 25 50 44 46 a PDF, 1f 8b gzip).

FAQ

Is it free? Yes — free, no sign-up, no limits.

Is my data uploaded anywhere? No. Both codecs run in your browser; the page works the same if you go offline after loading it. That makes it safe for tokens, credentials and API payloads you'd rather not paste into a random website.

Can it decode JWTs? It decodes any JWT segment (they're URL-safe Base64) — split the token on the dots and paste a piece. A dedicated JWT decoder is on this site's roadmap.

Which specs does it follow? RFC 4648 for Base64 (standard and URL-safe alphabets, liberal in what it accepts: whitespace and missing padding are fine, real errors are not) and RFC 3986 percent-encoding via the browser's ownencodeURIComponent/encodeURI, plus the HTML form + convention as an option.

Built from scratch for this site in vanilla TypeScript — a pure, unit-tested codec core with hand-written Base64 over raw bytes, exact error positions, and zero runtime dependencies.