Base64
Plain text

How to decode Base64 to plain text

  1. Paste the Base64-encoded string into the input field — a JWT payload, HTTP auth header, data URI content, or any Base64 string.
  2. Click "Convert" — the decoded plain text output appears instantly.
  3. Switch to "Encode" using the toggle above if you need to encode text to Base64.
  4. Click "Copy" to copy the decoded text, or "Download .txt" to save the file.
  5. Inspect the decoded content — API keys, JWT claims, config values, or any text that was encoded for safe transmission.

How Base64 decoding works

Base64 decoding reverses the encoding: the input string of Base64 characters is read 4 characters at a time, each group is mapped back to three bytes using the 6-bit values from the Base64 alphabet, and the resulting byte sequence is interpreted as UTF-8 text. This converter uses the browser's TextDecoder API to correctly handle the full Unicode range — including multibyte characters like emoji, CJK, and accented letters. No data leaves your machine — the conversion runs entirely in your browser.

The decoder accepts both standard Base64 (using + and /) and Base64URL (using - and _). It handles optional = padding and strips leading/trailing whitespace automatically, making it practical for decoding strings copied from JWT tokens, HTTP headers, and logs where extra whitespace is common.

How the converter decodes Base64 to Unicode text
// The converter uses TextDecoder for proper Unicode support:
function base64Decode(encoded) {
  const normalized = encoded.trim()
    .replace(/-/g, '+').replace(/_/g, '/')  // Base64URL → standard
  const binary = atob(normalized)
  const bytes  = Uint8Array.from(binary, c => c.charCodeAt(0))
  return new TextDecoder().decode(bytes)    // UTF-8 bytes → Unicode string
}

base64Decode('SGVsbG8sIFdvcmxkIQ==')   // → 'Hello, World!'
base64Decode('eyJuYW1lIjoiQWxpY2UifQ') // → '{"name":"Alice"}' (JWT payload)
base64Decode('SGVsbG8g8J+MjQ==')        // → 'Hello 🌍'

Common Base64 data you might decode

Base64-encoded strings appear in many places in web development and system administration. Knowing the source helps you understand what to expect from the decoded output.

  • JWT tokens — JSON Web Tokens have three Base64URL sections separated by dots. Decoding the second section (payload) reveals the claims: user ID, expiration time, roles, and other metadata. The third section (signature) is binary and will produce unreadable output.
  • HTTP Basic Auth — the Authorization: Basic ... header contains Base64(username:password). Decoding it reveals the credentials in plaintext, which is why HTTPS is required for Basic Auth.
  • Data URIs — data:image/png;base64,... or data:application/json;base64,... strings can be decoded to reveal embedded file content or JSON payloads.
  • API keys in config files — some platforms store API keys, certificates, or secrets as Base64 in environment variables or YAML config files.
  • Email MIME headers — encoded subject lines and attachment filenames use Base64: =?UTF-8?B?...?=
  • Debug logs — some systems log payloads as Base64 to avoid special character issues in log files.

Base64 variants: standard, URL-safe, and MIME

There are several Base64 variants that differ in their alphabet and line handling. This converter handles the two most common variants automatically:

| Variant | Characters 62/63 | Padding | Used in |
|---|---|---|---|
| Standard Base64 | + and / | = required | MIME email, data URIs, HTTP Basic Auth |
| Base64URL | - and _ | = optional | JWT tokens, URL parameters, filenames |
| MIME Base64 | + and / | = required | Email attachments (76-char line breaks) |

The decoder automatically normalizes Base64URL input (- → +, _ → /) before decoding, so you can paste JWT payload sections or URL parameters directly without manually converting them to standard Base64 first.

When Base64 decoding fails and why

Common reasons decoding fails:

  • Invalid characters — standard Base64 only uses A–Z, a–z, 0–9, +, /, and =. Characters like spaces, commas, or line breaks outside the alphabet cause a decode error. Strip or clean extra characters first.
  • Incorrect length — Base64 strings must have a length that is a multiple of 4 (with padding). Missing = characters cause a length error. Try adding one or two = at the end.
  • URL-encoded characters — Base64 strings in URLs may have + replaced with %2B and = replaced with %3D. URL-decode the string first before pasting.
  • Partial strings — copying only part of a Base64 string (from a truncated log line) produces invalid input. Make sure the complete encoded string is pasted.
  • Non-UTF-8 binary output — if the decoded bytes are binary file data rather than UTF-8 text, the output will appear garbled. This decoder is designed for text input and output.
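
The failure cases in the list above can be told apart in code before anything is shown to the user. This is an added example, not the converter's own source; `diagnoseBase64` and its reason strings are hypothetical names, and the sample inputs are constructed.

```javascript
// Added example: decode Base64 / Base64URL text and report why input fails.
function diagnoseBase64(input) {
  let s = input.trim();                          // leading/trailing whitespace only
  // URL-encoded input (%2B, %3D, ...) has to be URL-decoded before Base64-decoding.
  if (/%[0-9A-Fa-f]{2}/.test(s)) return { ok: false, reason: 'url-encoded' };
  s = s.replace(/-/g, '+').replace(/_/g, '/');   // Base64URL -> standard alphabet
  const bad = s.match(/[^A-Za-z0-9+\/=]/);
  if (bad) return { ok: false, reason: 'invalid-character', detail: bad[0] };
  // '=' may only appear as one or two characters at the very end.
  if (!/^[^=]*={0,2}$/.test(s)) return { ok: false, reason: 'invalid-padding' };
  s = s.replace(/=+$/, '');
  // A remainder of 1 can never come from whole bytes: typical of a truncated copy.
  if (s.length % 4 === 1) return { ok: false, reason: 'incorrect-length' };
  s += '='.repeat((4 - (s.length % 4)) % 4);     // restore optional padding
  const bytes = Uint8Array.from(atob(s), c => c.charCodeAt(0));
  try {
    // fatal: true throws on invalid UTF-8 instead of emitting replacement characters.
    const text = new TextDecoder('utf-8', { fatal: true }).decode(bytes);
    return { ok: true, text };
  } catch {
    return { ok: false, reason: 'not-utf8', byteLength: bytes.length };
  }
}

// Constructed sample inputs, one per outcome.
const diagnoseSamples = [
  'SGVsbG8g8J-MjQ',           // Base64URL, padding omitted
  'SGVsbG8g8J%2BMjQ%3D%3D',   // copied from a URL without URL-decoding
  'SGVs bG8=',                // space inside the string
  'SGVsb',                    // truncated
  'iVBORw==',                 // binary bytes (start of a PNG file), not text
];
for (const s of diagnoseSamples) console.log(JSON.stringify(s), diagnoseBase64(s));
```

Truncation is only detectable when the remaining length is impossible; a string cut at another position decodes without error to partial text.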

Decoding a JWT payload section
// A JWT has three dot-separated sections:
// header.payload.signature

// To inspect claims, copy only the second section:
// eyJzdWIiOiIxMjM0IiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNjE2MjM5MDIyfQ

// Decoded output:
// {"sub":"1234","name":"Alice","iat":1616239022}

// ⚠️ The third section (signature) is cryptographic binary.
// Decoding it produces unreadable characters — this is expected.
// Only decode the header (first section) and payload (second section).
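
The same inspection done in code, as an added example that is not part of the converter: `inspectJwt` and `b64urlToBytes` are hypothetical names, the payload is the one shown above, and the header and all-zero signature are constructed for illustration. The result is marked unverified because decoding alone says nothing about whether the claims are authentic.

```javascript
// Added example: read a JWT's header and payload; keep the signature as raw bytes.
function b64urlToBytes(part) {
  const std = part.replace(/-/g, '+').replace(/_/g, '/');
  const padded = std + '='.repeat((4 - (std.length % 4)) % 4);
  return Uint8Array.from(atob(padded), c => c.charCodeAt(0));
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const utf8 = new TextDecoder('utf-8', { fatal: true });
  const [header, payload] = parts.slice(0, 2)
    .map(p => JSON.parse(utf8.decode(b64urlToBytes(p))));
  // iat / exp are seconds since the Unix epoch.
  const iso = t => (typeof t === 'number' ? new Date(t * 1000).toISOString() : null);
  return {
    header,
    payload,
    issuedAt: iso(payload.iat),
    expiresAt: iso(payload.exp),
    expired: typeof payload.exp === 'number' ? payload.exp <= nowSeconds : null,
    signatureBytes: b64urlToBytes(parts[2]).length, // binary: report its size only
    verified: false,                                // decoding is not verification
  };
}

// Constructed token: sample header, the payload from this page, placeholder signature.
const SAMPLE_TOKEN = [
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9',
  'eyJzdWIiOiIxMjM0IiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNjE2MjM5MDIyfQ',
  'A'.repeat(43), // 32 zero bytes, not a valid signature
].join('.');
console.log(inspectJwt(SAMPLE_TOKEN));
```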

Security: what Base64 decoding reveals

Base64 encoding provides no security — it is a public, standardized encoding with no key. Anything encoded in Base64 can be decoded by anyone instantly. This has important implications for web security:

  • JWT payloads are public — the header and payload of a JWT are Base64URL-encoded with no encryption. Anyone with the token can decode the payload and read all claims. The signature verifies authenticity but does not hide the content.
  • HTTP Basic Auth is plaintext exposure — the Authorization: Basic header transmits username and password Base64-encoded, which is equivalent to plaintext. Always use HTTPS with Basic Auth; without TLS, credentials are trivially extractable.
  • "Obfuscated" configs are not secure — storing secrets as Base64 in source code or config files does not protect them. Use a proper secrets manager (Vault, AWS Secrets Manager, GitHub Secrets) for sensitive values.
  • Data URIs can contain executable content — data:text/html;base64,... and data:application/javascript;base64,... can embed HTML or JavaScript. Modern browsers restrict these in certain contexts as a security measure.
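
Because a logged Authorization: Basic header is equivalent to a logged password, log pipelines commonly scrub it before storage. The following is an added example, not code from this tool; `redactBasicAuth` is a hypothetical name and the log line is constructed, using the well-known "Aladdin" sample credentials from the HTTP Basic Auth specification.

```javascript
// Added example: replace Basic credentials in a log line with a redaction marker.
const BASIC_RE = /(Authorization:\s*Basic\s+)([A-Za-z0-9+\/]+={0,2})/gi;

function redactBasicAuth(line) {
  const findings = [];
  const redacted = line.replace(BASIC_RE, (match, prefix, b64) => {
    let decoded;
    try {
      const bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
      decoded = new TextDecoder().decode(bytes);
    } catch {
      return match;                     // not valid Base64: leave the line as it is
    }
    const colon = decoded.indexOf(':');
    if (colon < 0) return match;        // not in username:password form
    const user = decoded.slice(0, colon);
    findings.push({ user });            // record who was exposed, never the password
    return `${prefix}[REDACTED user=${user}]`;
  });
  return { redacted, findings };
}

// Constructed log line.
const SAMPLE_LINE =
  '2024-01-01T00:00:00Z GET /api Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ== status=200';
console.log(redactBasicAuth(SAMPLE_LINE));
```

Any credential found this way has already been exposed to everyone with access to the log, so the finding is a prompt to rotate the password as well as to fix the logging.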

Frequently Asked Questions

What is Base64 and why is it used?
Base64 is an encoding scheme that converts binary data into a string of 64 printable ASCII characters. It is used when data needs to be safely transmitted through systems that only support ASCII — such as HTTP headers, email bodies, URLs, and configuration files.
Can this tool decode Base64URL (used in JWT tokens)?
Yes. The decoder automatically normalizes Base64URL encoding (- → +, _ → /) before decoding. You can paste a JWT payload section directly — the Base64URL variant is handled transparently without any manual conversion.
How do I decode a JWT token payload?
A JWT has three sections separated by dots: header.payload.signature. Copy only the second section (the payload — the middle part). Paste it into the decoder and click Convert. The output is the JSON object containing the token's claims (user ID, expiration, roles, etc.). Do not try to decode the third section (signature) — it is binary and produces unreadable output.
What does "invalid Base64 input" mean?
The input contains characters not in the Base64 alphabet, has an incorrect length, or has missing padding. Common causes: extra spaces or newlines in the pasted string, URL-encoded + as %2B, or copying only part of a Base64 string. Strip whitespace, URL-decode if needed, and make sure the full string is pasted.
Does the decoder support Unicode output (emoji, CJK, accented letters)?
Yes. The converter uses the browser's TextDecoder API to interpret the decoded bytes as UTF-8. Any text that was encoded as UTF-8 — including all Unicode characters — will be correctly decoded to its original form.
Can I decode a data URI with this tool?
Yes — copy the Base64 portion after the comma: data:...;base64,COPY_THIS_PART. If the data URI encodes text (JSON, SVG, HTML, XML), the decoded output is readable text. If it encodes a binary file (PNG, PDF, font), the decoded bytes will appear as garbled symbols — this tool is designed for text-based data.
Is Base64 the same as encryption?
No. Base64 is encoding, not encryption. It has no key, no secret, and no security guarantee. Anyone who has a Base64-encoded string can decode it instantly. Never rely on Base64 to protect sensitive information.
Why does the decoded output look garbled or contain symbols?
This happens when the Base64-encoded source is binary data (an image, a PDF, a compiled binary) rather than UTF-8 text. The decoded bytes are not valid UTF-8, so the TextDecoder produces replacement characters. This decoder is designed for text inputs; binary file content will not decode to readable text.
Does the decoder handle missing = padding?
Yes. The decoder adds missing = padding automatically before passing the string to atob(). Base64URL encoding often omits = characters, so this normalization is needed for JWT tokens and URL parameters.
What is the difference between decoding and decrypting?
Decoding reverses an encoding transformation — it is deterministic and requires no key. Base64 decoding always produces the same output for the same input. Decrypting reverses encryption — it requires a secret key and produces gibberish without the correct key. Base64 is encoding; AES and RSA are encryption.
Is any data sent to a server during decoding?
No. The entire decoding runs in your browser using the built-in atob() and TextDecoder APIs. No data is transmitted over the network — there are no privacy concerns and no file size limits.
Can I decode multiple Base64 strings at once?
The decoder processes one string at a time. For bulk decoding in code, the equivalent call is: new TextDecoder().decode(Uint8Array.from(atob(str), c => c.charCodeAt(0))). This performs the same UTF-8 decoding as this converter; Base64URL input still needs the - → + and _ → / replacement first.