Base64 Decoder
Paste any Base64 string — standard or URL-safe — and get the decoded text instantly. Missing padding is restored automatically.
Free · No credit card · 50 credits/day
How decoding works
Three normalisation steps happen automatically before decoding.
URL-safe normalisation
If the string uses - and _ (URL-safe variant), they are converted back to + and / so the standard decoder can process them.
Padding restoration
Base64 requires the string length to be a multiple of 4. If trailing = characters were stripped, they are added back automatically.
Strict decode + UTF-8 check
The string is decoded in strict mode — any invalid character returns an error. The output is then checked for valid UTF-8; binary results are flagged.
What you can decode
Base64 strings appear in many different places across software and protocols.
JWT payloads
JSON Web Tokens are three URL-safe Base64 segments separated by dots. Decode the middle segment (payload) to read the claims — user ID, roles, expiry — without a secret key.
Email content
MIME-encoded emails encode body text and attachments as Base64. If you're debugging raw email headers or SMTP logs, paste the encoded block here to read it.
Kubernetes secrets
All values in a Kubernetes Secret manifest are Base64-encoded. Decode them to inspect certificates, API keys or connection strings stored in your cluster.
Data URIs
HTML data URIs embed assets inline as Base64 — strip the data:...;base64, prefix and paste the rest here to extract the raw content.
API tokens and OAuth
Many API credentials and OAuth client secrets are Base64-encoded. Decode to see the underlying value — useful when debugging authentication issues.
Security research
Malware and phishing payloads often use Base64 to obfuscate scripts or shellcode. Decode suspicious strings safely to inspect what they contain before executing.
Decoding a JWT payload
A JWT looks like three Base64 blocks joined by dots. The middle block is the payload.
eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxMjMsInJvbGUiOiJhZG1pbiIsImV4cCI6MTc1MDAwMDAwMH0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
{"user_id":123,"role":"admin","exp":1750000000}
Note: the JWT signature (third segment) is not Base64-decodable to readable text — it is a cryptographic hash. Only the header and payload are human-readable.
Don't execute decoded content blindly
Base64 is commonly used to obfuscate malicious payloads — eval() calls, shellcode, phishing scripts. Always inspect decoded output before pasting it into a terminal, browser console or script engine. Decoding is safe; executing unknown decoded content is not.
Frequently asked questions
Decode your Base64 string now
Free account. 50 credits per day. Access to 75+ tools instantly.
Create free account →