ByteCompress

Base64 Decoder

Decode Base64-encoded strings back to their original plain text or binary representation. Supports both standard RFC 4648 and URL-safe Base64 alphabets, including JWT tokens.


Base64 strings are opaque by design — SGVsbG8sIFdvcmxkIQ== is meaningless until decoded back to Hello, World!. Defined in RFC 4648, Base64 encodes every 3 input bytes as 4 output characters, adding roughly 33% overhead. This decoder reverses that using the browser's native atob() and TextDecoder APIs. It supports both standard Base64 and the URL-safe variant (- and _ instead of + and /) used in JWTs and OAuth tokens. Nothing is uploaded to any server.

How to Decode Base64

  1. Paste your Base64-encoded string into the input field.
  2. Choose Standard or URL-safe mode to match how the data was originally encoded.
  3. The decoded plain text appears immediately in the output panel.
  4. Click Copy to copy the result.

How Base64 Decoding Works

The Decoding Process

Decoding reverses encoding exactly. Each Base64 character is mapped back to its 6-bit value using the alphabet table. Four consecutive characters (24 bits) reconstruct three bytes. The browser's atob() function handles standard Base64 natively. For URL-safe Base64, - and _ are converted back to + and / before decoding. The resulting UTF-8 byte sequence is then decoded to a Unicode string using TextDecoder.

Handling Missing Padding

Standard Base64 requires = padding to make string length a multiple of 4. JWTs and OAuth tokens strip padding to reduce size. This decoder automatically calculates and adds the required padding based on string length. If string length mod 4 is 2, one = is needed; if it is 3, two = characters are needed.

Example

Input (Standard Base64)

SGVsbG8sIFdvcmxkIQ==

Output

Hello, World!

Common Use Cases

  • JWT token inspection — Decode the header and payload sections to read claims without a library
  • HTTP Basic Auth — Decode Authorization: Basic dXNlcjpwYXNz headers to verify embedded credentials
  • Data URI inspection — Decode the Base64 portion of data:image/png;base64,... URIs
  • API response debugging — Some APIs Base64-encode binary content in JSON responses

Best Practices

  • Select the correct mode (Standard vs URL-safe) — using the wrong mode produces garbled output
  • For JWT tokens, decode only the header (first part) and payload (second part); the third part is a cryptographic signature, not encoded text
  • If output is unreadable characters, the source data was binary (image, PDF, etc.), not text
  • Base64 decoding is not a security check — anyone can decode it

To encode text back to Base64, use the Base64 Encoder. For URL-encoded data, use the URL Decoder. To fully inspect a JWT, decode the first two dot-separated parts separately with URL-safe mode selected.
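The decoding steps from How Base64 Decoding Works, together with the JWT advice above, as an added JavaScript example (not this tool's own source). The function names and the sample token are constructed for illustration, and the token's signature part is placeholder bytes, not a real signature.

```javascript
// Constructed sample: header {"alg":"HS256","typ":"JWT"}, jwt.io-style payload,
// and a 10-byte placeholder in the signature position.
const SAMPLE_JWT =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'AAECAwQFBgcICQ';

// Decode standard or URL-safe Base64 to raw bytes, restoring stripped padding.
function base64ToBytes(input) {
  const s = input.trim();
  if (!/^[A-Za-z0-9+\/_-]*={0,2}$/.test(s)) {
    throw new Error('input contains characters outside the Base64 alphabets');
  }
  // Map the URL-safe alphabet (- and _) back to the standard one (+ and /).
  let b64 = s.replace(/-/g, '+').replace(/_/g, '/').replace(/=+$/, '');
  // A lone trailing character carries only 6 bits, so it cannot encode a byte.
  if (b64.length % 4 === 1) throw new Error('invalid Base64 length');
  // Pad back up to a multiple of 4 so atob() accepts the string.
  b64 += '='.repeat((4 - (b64.length % 4)) % 4);
  const binary = atob(b64); // one character per decoded byte
  return Uint8Array.from(binary, (ch) => ch.charCodeAt(0));
}

// Decode to text. fatal:true throws on invalid UTF-8 instead of silently
// emitting replacement characters, which flags binary source data.
function base64ToText(input) {
  return new TextDecoder('utf-8', { fatal: true }).decode(base64ToBytes(input));
}

// Read (not verify) a JWT: only the first two parts are Base64-encoded JSON.
function inspectJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  return {
    header: JSON.parse(base64ToText(parts[0])),
    payload: JSON.parse(base64ToText(parts[1])),
    signatureBytes: base64ToBytes(parts[2]).length, // opaque bytes, never JSON
  };
}
```

inspectJwt() only reads the claims; nothing in it checks the signature, so its output says nothing about whether the token is authentic.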

Frequently Asked Questions

How do I decode a JWT token with this tool?

A JWT consists of three parts separated by dots: header.payload.signature. Copy the header (first part) or payload (second part), select URL-safe mode, and paste it into the decoder. The output is the JSON object with the algorithm (header) or the claims (payload). Do not decode the signature — it is a cryptographic hash, not a Base64-encoded JSON string.

Why is my decoded output showing strange characters?

This means one of three things: (1) the original data was binary (image, PDF, zip) rather than text; (2) you selected the wrong mode — try switching between Standard and URL-safe; (3) the original text was encoded using a charset other than UTF-8. Try switching modes first. If output is still unreadable, the source data was likely binary.

Do I need the padding characters (==) for decoding to work?

Standard Base64 requires padding to make string length a multiple of 4. This decoder automatically adds missing padding, which is important for JWT and OAuth tokens that strip trailing = characters. Paste the string as-is and the decoder handles padding automatically.

Is my sensitive data safe when decoding here?

Yes. Decoding runs entirely in your browser using native atob() and TextDecoder APIs. Tokens, credentials, and private data you paste are never sent to any server, never logged, and never stored. Open the browser's Network tab while decoding and you will see zero outbound requests.

What is the difference between Standard and URL-safe Base64?

Standard Base64 (RFC 4648 §4) uses + and /. URL-safe Base64 (RFC 4648 §5) replaces those with - and _ to avoid conflicts in URLs, filenames, and HTTP headers. JWTs, OAuth tokens, and PKCE code verifiers all use URL-safe Base64. If your string contains - or _, select URL-safe mode.