Base64 — Free Online Tool on Toolpile
Every tool you need, one place
PDF, Image, AI, Dev, and Business tools — free, private, no signup.
Toolpile uses cookies for analytics and ads. The tools themselves keep your files in the browser — that doesn't change. Read the full policy
PDF, Image, AI, Dev, and Business tools — free, private, no signup.
About Base64
Base64 isn't encryption — it's a way of packing arbitrary bytes into 64 printable ASCII characters so they survive being passed through systems that only handle text. Email attachments, data URIs in HTML, JWT tokens, API keys in env files: all Base64. Here's exactly what it does, when to use it, and where it goes wrong.
Base64 takes binary data and rewrites it using 64 characters: A-Z, a-z, 0-9, plus `+` and `/`, with `=` used for padding. The encoder reads the input three bytes at a time (24 bits) and slices them into four 6-bit chunks; each chunk indexes into the alphabet, producing four output characters. If the input length isn't a multiple of three, it's padded with `=` to keep groups of four — that's why Base64 strings always end in 0, 1, or 2 equals signs.
The cost: Base64 inflates data by ~33% (every 3 bytes become 4 characters), plus padding overhead. A 1 MB image becomes ~1.37 MB Base64-encoded. That's the price of making bytes safely transmittable as text.
What Base64 is **not**: encryption, hashing, or compression. It's a fully reversible transform that anyone can decode in one line. Putting `Authorization: Basic ` headers through Base64 is encoding for transport, not security — the header travels under TLS for actual confidentiality. If you're seeing a Base64 string and assume it's hidden, you're wrong.
Use Base64 when the transport layer expects text: data URIs (`data:image/png;base64,iVBOR…`) for inlining small images in HTML/CSS without an extra HTTP request; embedded fonts in CSS; JWT payload sections; SMTP/MIME email attachments; Basic Auth headers (`Basic ` + Base64(`user:pass`)); webhook payloads that pass binary through JSON (which has no native binary type).
Don't use it for large files going over HTTP — gzip + binary upload beats Base64 every time because of the 33% inflation. Don't store images as Base64 in a database column unless you have a strict serialization constraint; binary BLOB columns are smaller and faster. Don't reach for Base64 to obscure data — it provides zero secrecy. Don't pass non-ASCII text to a `btoa()` call without UTF-8 encoding first; the browser will throw `InvalidCharacterError` (see the next section).
Browser `btoa()` and `atob()` are old (1995) and only handle Latin-1 byte values (0-255). Pass `🚀` or `日本語` directly and they throw. The fix this tool uses is the standard pattern: `btoa(unescape(encodeURIComponent(text)))` for encoding, and `decodeURIComponent(escape(atob(b64)))` for decoding. This round-trips through UTF-8 byte sequences correctly. Modern code in 2026 should use `TextEncoder`/`TextDecoder` directly, but the legacy pattern still works in every browser since 2010.
Padding: this tool produces strings that always end with the correct number of `=`. When decoding, missing padding is also accepted (some senders strip it; the decoder reconstructs the byte boundary). Whitespace inside the input is silently ignored, so multi-line Base64 (as in PEM keys) decodes correctly without manual cleanup.
URL-safe Base64 (RFC 4648 §5) replaces `+` with `-` and `/` with `_` and may drop the `=` padding. This tool uses standard Base64; if you need URL-safe (used by JWT, OAuth state params, signed cookies), do a final `.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '')` on the output. URL-safe decoders accept the standard form too with the inverse swap.
Is Base64 encryption?
No. Base64 is encoding, not encryption — it's fully reversible by anyone with no key. If you Base64-encode a password and put it in your code, that password is effectively in plaintext. For confidentiality, use TLS in transit and a real cipher (AES-GCM) at rest.
Why does Base64 always make my file bigger?
Every 3 input bytes become 4 output characters — that's a fixed 33% inflation, plus 1-2 chars of padding. There's no way around it; the alphabet is 64 symbols (6 bits) and bytes are 8 bits, so you spread 24 bits over 4 chars instead of 3 bytes. If size matters and the transport allows binary, send the bytes raw (multipart/form-data, gzipped HTTP body) and skip Base64 entirely.
How do I encode a file as Base64?
This tool is text-mode only. To Base64 a file from the command line: `base64 file.png > file.b64` (macOS/Linux) or `[Convert]::ToBase64String([IO.File]::ReadAllBytes('file.png'))` (PowerShell). For images, use the Image to Base64 tool on this site — it builds a complete data URI you can paste into HTML/CSS.
What are the equals signs at the end?
Padding. Base64 outputs in groups of 4 characters; if the input wasn't a multiple of 3 bytes, 1 or 2 `=` characters fill the last group. They carry no data and just signal the boundary to the decoder. Some encoders (URL-safe Base64) drop them; tolerant decoders re-add them automatically.
Can I encode emoji or non-Latin text?
Yes — this tool handles UTF-8 transparently. The trick is encoding to UTF-8 bytes before passing to btoa() (and the inverse on decode). If you encode `日本語` here and decode it elsewhere with raw atob() you'll get garbled bytes; decode with the same UTF-8-aware pattern (or the `Buffer.from(b64, 'base64').toString('utf8')` Node equivalent) to round-trip correctly.
What's URL-safe Base64 and when do I need it?
URL-safe Base64 swaps `+`→`-` and `/`→`_` because plain `+` and `/` have meaning in URLs and are interpreted as space and path separator. Used by JWT, OAuth state, and any token passed in URL params. Standard Base64 is for everything else (data URIs, MIME, Basic Auth). If your decoder rejects a token, check whether you need to convert URL-safe → standard first.
Is anything I paste sent to a server?
No. Encode/decode runs locally via the browser's btoa/atob. There is no network request when you click Encode or Decode. You can verify in the browser DevTools Network tab — the only requests are the page itself loading.
Why does decoding sometimes succeed but produce garbage?
Three usual causes: (1) the Base64 was URL-safe and you decoded it as standard (or vice versa), (2) you copied a label prefix like 'base64,' or '-----BEGIN CERTIFICATE-----' along with the data, or (3) the original encoding wasn't UTF-8 (could be Latin-1, Windows-1252, etc.) and the decoder applied UTF-8 to bytes that aren't valid sequences. For non-UTF-8 binaries, treat the output as bytes, not as text.