All tools
Developer tools

Base64 Decoder

Paste any Base64 string — standard or URL-safe — and get the decoded text instantly. Missing padding is restored automatically.

Standard Base64 URL-safe Base64 (- _) Auto padding restore Binary detection
Get started free Sign in

Free · No credit card · 50 credits/day

How decoding works

Three normalisation steps happen automatically before decoding.

1

URL-safe normalisation

If the string uses - and _ (URL-safe variant), they are converted back to + and / so the standard decoder can process them.

2

Padding restoration

Base64 requires the string length to be a multiple of 4. If trailing = characters were stripped, they are added back automatically.

3

Strict decode + UTF-8 check

The string is decoded in strict mode — any invalid character returns an error. The output is then checked for valid UTF-8; binary results are flagged.

What you can decode

Base64 strings appear in many different places across software and protocols.

🔑

JWT payloads

JSON Web Tokens are three URL-safe Base64 segments separated by dots. Decode the middle segment (payload) to read the claims — user ID, roles, expiry — without a secret key.

📧

Email content

MIME-encoded emails encode body text and attachments as Base64. If you're debugging raw email headers or SMTP logs, paste the encoded block here to read it.

☁️

Kubernetes secrets

All values in a Kubernetes Secret manifest are Base64-encoded. Decode them to inspect certificates, API keys or connection strings stored in your cluster.

🌐

Data URIs

HTML data URIs embed assets inline as Base64 — strip the data:...;base64, prefix and paste the rest here to extract the raw content.

🔐

API tokens and OAuth

Many API credentials and OAuth client secrets are Base64-encoded. Decode to see the underlying value — useful when debugging authentication issues.

🛡️

Security research

Malware and phishing payloads often use Base64 to obfuscate scripts or shellcode. Decode suspicious strings safely to inspect what they contain before executing.

Decoding a JWT payload

A JWT looks like three Base64 blocks joined by dots. The middle block is the payload.

FULL JWT
eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyX2lkIjoxMjMsInJvbGUiOiJhZG1pbiIsImV4cCI6MTc1MDAwMDAwMH0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Paste the middle segment into the decoder
DECODED PAYLOAD
{"user_id":123,"role":"admin","exp":1750000000}

Note: the JWT signature (third segment) is not Base64-decodable to readable text — it is a cryptographic hash. Only the header and payload are human-readable.

Don't execute decoded content blindly

Base64 is commonly used to obfuscate malicious payloads — eval() calls, shellcode, phishing scripts. Always inspect decoded output before pasting it into a terminal, browser console or script engine. Decoding is safe; executing unknown decoded content is not.

Frequently asked questions

How do I decode a Base64 string?

Paste the Base64 string into the tool and click Decode. It accepts both standard Base64 (using + and /) and URL-safe Base64 (using - and _). Missing padding characters (=) are added automatically.

Why does my Base64 string have no = at the end?

URL-safe Base64 (used in JWTs, OAuth tokens and many APIs) strips the trailing = padding because it is not needed for decoding and causes issues in URLs. Our decoder adds the padding back automatically before decoding.

The decoder says "binary data" — what does that mean?

If the decoded bytes are not valid UTF-8 text — for example if you decoded an encoded image, PDF or compressed file — the tool detects this and displays a notice instead of garbled characters. The decoded byte length is still shown.

Is Base64 decoding safe? Could malicious content be hidden in Base64?

Decoding itself is safe. However, Base64 is sometimes used to obfuscate malicious payloads in emails, scripts or config files. Always inspect decoded content before executing or trusting it.

Related developer tools

More encoding and data tools.

Base64 Encoder

Encode any text to standard or URL-safe Base64, with output length shown.

URL Encoder

Percent-encode any string so it is safe to use inside a URL.

Hash Generator

Generate MD5, SHA-256 and SHA-512 hashes from any text.

Decode your Base64 string now

Free account. 50 credits per day. Access to 75+ tools instantly.

Create free account →