Base64
Decoder
Decode Base64 strings to text or images instantly. Supports data URIs and plain Base64.
How It Works
Paste Base64
Paste a Base64 string or data URI into the input field.
Auto-Decode
The content is decoded live as you type. Images are previewed automatically.
Copy or Download
Copy the decoded text or download the decoded content.
Decode Base64 strings online back to plain text, JSON, or images, with automatic detection of data URIs. ConverterUp's Base64 decoder is useful for inspecting JWT payloads, debugging API responses, decoding email attachments, and extracting embedded images from CSS or HTML. Paste the encoded string, see the result instantly, and copy the text or download the decoded image. The decoding runs entirely in your browser, so sensitive tokens, customer payloads, and private images never get logged or transmitted to a remote server.
Where Base64 actually shows up
Data URIs embed images, fonts, and small files directly inside HTML or CSS as data:image/png;base64,iVBORw0KGgo…. Useful for icons under 4 KB that would otherwise cost an HTTP round-trip. Above 4 KB the encoding penalty (Base64 is 33 % larger than raw bytes) outweighs the round-trip savings, so use sprite sheets or HTTP/2 multiplexing instead.
HTTP Basic Auth sends credentials as Authorization: Basic <base64(user:password)>. This is encoding, not encryption — anyone with the header can decode the credentials in one step. Only safe over TLS. The decoder is the fastest way to inspect a curl -v dump and verify which user is being authenticated.
JWT tokens are three Base64URL segments separated by dots: header.payload.signature. The header and payload are JSON, the signature is binary. Base64URL replaces + with - and / with _ and drops padding. ConverterUp auto-detects this and parses JWTs correctly without manual padding adjustment.
Email attachments over SMTP use Base64 (specifically MIME Base64 with line breaks every 76 chars) because SMTP was designed for 7-bit ASCII text. Cryptographic keys and certificates in PEM format (-----BEGIN PRIVATE KEY-----) are Base64 wrapped around DER binary. SVG inlining, CSP nonces, OAuth state tokens, WebAuthn credential IDs — Base64 is everywhere in modern web infrastructure.
ToolSeo.base64-decode.section1.p5
Encoding vs decoding: direction matters
Encoding takes raw bytes (text, binary, image) and produces a Base64 ASCII string. The output is always 33 % larger than the input (3 input bytes → 4 output chars), padded with = to make the length a multiple of 4. Encoding is deterministic and lossless: encode then decode and you get the exact original bytes back.
Decoding reverses the process. Take 4 Base64 chars → produce 3 bytes. The input must be valid Base64 — invalid characters (anything outside A-Za-z0-9+/=) cause failures unless the decoder is lenient. ConverterUp's decoder is lenient by default: it strips whitespace, line breaks, and unknown characters before decoding, which matches how most production tools (Python's base64.b64decode, Node's Buffer.from) behave.
Text encoding inside Base64 is a separate concern. Base64 encodes bytes, not characters. If you Base64-encode the string café, the result depends on whether you encoded UTF-8 bytes (5 bytes → Y2Fmw6k=) or Latin-1 bytes (4 bytes → Y2Fm6Q==). On decode you must know the original encoding. ConverterUp tries UTF-8 first, falls back to Latin-1 on decode failure, and exposes a raw hex view for binary content.
The padding question: standard Base64 always pads to a multiple of 4 with =. Base64URL (used by JWT, OAuth, WebAuthn) often strips the padding because URLs hate =. The decoder reconstructs missing padding automatically — a string of length 22 needs 2 padding chars to reach 24. If your decoder is strict about padding, add the right number of = manually before passing it in.
ToolSeo.base64-decode.section2.p5
Common gotchas: URL-safe, padding, line breaks
URL-safe Base64 (Base64URL, RFC 4648 §5) replaces two characters: + → -, / → _. The padding char = is also typically dropped. Standard decoders reject URL-safe input; URL-safe decoders accept both. ConverterUp accepts both and produces standard Base64 on encode (toggle to Base64URL when you need it for a JWT or OAuth flow).
Padding errors are the #1 source of 'invalid Base64' bugs. A token of length 11 cannot decode — Base64 strings must be a multiple of 4. The fix is to append 1, 2, or 3 = until the length is a multiple of 4. Some tools silently accept unpadded input; some throw an error. If you see 'incorrect padding', add equals signs until the length divides by 4.
Line breaks in MIME Base64 (RFC 2045) come every 76 chars because old SMTP servers had line-length limits. Modern decoders strip line breaks before decoding, but some strict implementations do not. If you see decode errors on a Base64 blob from an email or PEM file, run a regex replace /\s/g first to collapse all whitespace, then decode.
Encoding does not encrypt. This is worth repeating because Base64 looks like ciphertext and even experienced developers occasionally treat it as obfuscation. Anyone with the Base64 string can recover the original bytes instantly. Never use Base64 to 'hide' API keys, passwords, or PII — it adds zero security. Use real encryption (AES-GCM, age, libsodium) for actual secrets, and treat Base64 purely as a binary-to-ASCII transport format.
ToolSeo.base64-decode.section3.p5
ToolSeo.base64-decode.section4.heading
ToolSeo.base64-decode.section4.p1
ToolSeo.base64-decode.section4.p2
ToolSeo.base64-decode.section4.p3
ToolSeo.base64-decode.section4.p4
ToolSeo.base64-decode.section4.p5
ToolSeo.base64-decode.section5.heading
ToolSeo.base64-decode.section5.p1
ToolSeo.base64-decode.section5.p2
ToolSeo.base64-decode.section5.p3
ToolSeo.base64-decode.section5.p4
ToolSeo.base64-decode.section5.p5
Frequently asked questions
Does it decode JWT tokens?
It decodes the Base64URL parts, which is exactly what JWT uses for header and payload. Paste the full token and ConverterUp displays the JSON header, JSON payload, and signature segment for inspection.
What is the maximum input size?
Up to 25 MB of encoded text. Decoded output is roughly 75 % of that size since Base64 inflates content by about a third.
Can it detect images automatically?
Yes. If the decoded bytes start with a known image header (PNG, JPG, GIF, WebP) or the input is a data URI, the tool shows a preview and offers a download button alongside the raw text view.
Is the input sent to a server?
No. All decoding happens client-side using the browser's atob and TextDecoder APIs. ConverterUp does not have an endpoint that receives Base64 strings, which matters when the encoded data contains credentials.
Does the decoder verify JWT signatures?
No. JWT signature verification requires the signing key (HMAC secret or RSA/ECDSA public key), which would defeat the privacy of a paste-and-decode tool. ConverterUp decodes the header and payload for inspection but explicitly does not validate signatures. To verify, use the issuer's public key with a JWT library like <code>jose</code> (Node) or <code>PyJWT</code> (Python).
How do I decode Base64 that was encoded multiple times?
Run the decoder repeatedly until the output stops being valid Base64. Double-encoding is a common pattern in legacy systems where two layers tried to 'be safe' independently. ConverterUp's <em>'auto-detect chained encoding'</em> option iterates up to 3 levels deep and shows the result at each step, so you can confirm where the actual payload appears.
ToolSeo.base64-decode.q7
ToolSeo.base64-decode.a7
ToolSeo.base64-decode.q8
ToolSeo.base64-decode.a8