Base64 Decoder
Paste a base64 string, get the original text. Toggles between standard and URL-safe variants — handles both JWT segments and Basic Auth blobs without fuss.
Why decode Base64?
- Reading the actual contents of an Authorization: Basic header (base64 of `user:pass`).
- Inspecting the encoded body of a webhook payload that arrived as a base64 string.
- Decoding a config-file value that was wrapped in base64 to survive a CI environment variable.
- Reading a base64-encoded GitHub API response body (the contents API returns files this way).
- Recovering a signing key or certificate that was inlined into a YAML or Terraform config.
- Spot-checking a base64 'data:' URL by decoding the suffix into the original text or SVG.
How it works
Your base64 input is fed through the browser's atob() to produce raw bytes, which are then decoded as UTF-8 to give you back the original text. Toggle URL-safe and we swap - back to +, _ back to /, and re-pad with = before decoding — exactly what JWT halves and other URL-embedded base64 strings require. All processing is local to this page.
Frequently asked questions
What does 'invalid base64' usually mean?
Most often: extra whitespace inside the string, the wrong variant (URL-safe input run as standard or vice versa), or characters from the wrong alphabet. Try toggling URL-safe and removing line breaks. The error message points at the first bad character.
Can I decode a JWT here?
Yes — drop the middle segment of a JWT into the URL-safe decoder and you'll see the JSON payload. For full header + payload + expiry breakdown, use the JWT decoder tool — it handles all three segments at once.
Will this decode binary data correctly?
Decoding produces raw bytes, then we run them through UTF-8 decoding to show text. Pure-binary content (an image, a font, an encrypted blob) won't display as readable text — for those, use a tool that lets you save the decoded bytes as a file.
Is my input logged or uploaded?
No. Decoding is a pure-JavaScript function on this page. Tokens and credentials you paste here stay on your device.
What if the encoder used Latin-1 instead of UTF-8?
Most tools default to UTF-8 today. If the source was Latin-1 (some old PHP code, legacy mainframes), you'll see mangled accents — every byte 0x80-0xFF will look like UTF-8 garbage. There's no way to detect this from the base64 alone, but a re-encode through a Latin-1 path on the producer side fixes it.
About this tool
Base64 decoding is the inverse of the encode step: every four ASCII characters of input collapse back into three bytes, recovering the original payload. The tricky bit isn't the math — it's distinguishing the variant. Standard base64 (RFC 4648 §4) and URL-safe base64 (RFC 4648 §5) use different last-two characters (+/ vs -_) and have different padding rules (= mandatory vs optional). The two are otherwise identical. Most modern signed-token formats (JWT, JWS, OAuth, JOSE) prefer URL-safe; HTTP Basic Auth, MIME, and PEM certificate envelopes use standard. Pick the wrong variant and decoding fails on any character outside the agreed alphabet — usually with a vague 'invalid input' message.