Base64 Encoder Decoder: Complete Guide for Developers
Base64 encoding comes up constantly in web development: API authentication headers, JWT tokens, image data URIs, email attachments. Understanding it properly saves hours of debugging.
What Is Base64 Encoding?
Base64 converts binary data into a text-safe format using only 64 printable ASCII characters:
A-Z (26) + a-z (26) + 0-9 (10) + + and / (2) = 64 characters
= is used as padding
It's an encoding, not encryption. Anyone can decode it. Don't use Base64 to "hide" data.
Before encoding: Hello, World!
After encoding: SGVsbG8sIFdvcmxkIQ==
Base64 Encoder Decoder Online
DevPlaybook Base64 Tool — encode and decode Base64 instantly in your browser. No server, no account, no data stored.
Just paste your text or Base64 string and click Encode or Decode.
How to Encode/Decode Base64
JavaScript (Browser)
// Encode
btoa('Hello, World!') // "SGVsbG8sIFdvcmxkIQ=="
// Decode
atob('SGVsbG8sIFdvcmxkIQ==') // "Hello, World!"
Important: btoa() and atob() only handle Latin-1 characters. For Unicode:
// Encode Unicode (safe method)
function encodeBase64(str) {
return btoa(encodeURIComponent(str).replace(/%([0-9A-F]{2})/g,
(_, p1) => String.fromCharCode(parseInt(p1, 16))
));
}
// Or use Buffer (modern browsers + Node.js)
btoa(String.fromCodePoint(...new TextEncoder().encode('Hello 🌍')));
JavaScript (Node.js)
// Encode
Buffer.from('Hello, World!').toString('base64');
// "SGVsbG8sIFdvcmxkIQ=="
// Decode
Buffer.from('SGVsbG8sIFdvcmxkIQ==', 'base64').toString('utf8');
// "Hello, World!"
// Encode a file
const fs = require('fs');
const encoded = fs.readFileSync('image.png').toString('base64');
// URL-safe variant (replaces + with - and / with _)
Buffer.from('Hello, World!').toString('base64url');
// "SGVsbG8sIFdvcmxkIQ" (no padding)
Python
import base64
# Encode
encoded = base64.b64encode(b'Hello, World!').decode('utf-8')
# "SGVsbG8sIFdvcmxkIQ=="
# Decode
decoded = base64.b64decode('SGVsbG8sIFdvcmxkIQ==').decode('utf-8')
# "Hello, World!"
# URL-safe variant
url_safe = base64.urlsafe_b64encode(b'Hello, World!').decode('utf-8')
# Encode a file
with open('image.png', 'rb') as f:
encoded = base64.b64encode(f.read()).decode('utf-8')
Bash / Terminal
# Encode
echo -n 'Hello, World!' | base64
# SGVsbG8sIFdvcmxkIQ==
# Decode
echo 'SGVsbG8sIFdvcmxkIQ==' | base64 --decode
# Hello, World!
# Encode a file
base64 image.png > image.b64
# Decode a file
base64 --decode image.b64 > image-restored.png
Common Use Cases
1. HTTP Basic Authentication
HTTP Basic Auth encodes username:password in Base64:
Authorization: Basic <base64(username:password)>
Example:
# Credentials: alice:s3cr3t
echo -n 'alice:s3cr3t' | base64
# YWxpY2U6czNjcjN0
curl -H 'Authorization: Basic YWxpY2U6czNjcjN0' https://api.example.com
Remember: This is just encoding, not encryption. Always use HTTPS.
2. JWT Tokens
JSON Web Tokens have three Base64URL-encoded sections separated by .:
header.payload.signature
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFsaWNlIn0
.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Decode the payload (second part):
const payload = JSON.parse(atob('eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFsaWNlIn0'));
// { sub: "1234567890", name: "Alice" }
Note: JWT uses Base64URL (no padding, + → -, / → _).
3. Image Data URIs
Embed images directly in HTML/CSS without external requests:
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUg..." />
.logo {
background-image: url('data:image/svg+xml;base64,PHN2ZyB4bWxucz...');
}
Best for: small icons, inline SVGs in email templates.
Not ideal for: large images (increases HTML size by ~33%, can't be cached separately).
4. API Request Bodies
Some APIs require Base64-encoded file uploads:
// Encode file for API upload
const file = document.querySelector('#file-input').files[0];
const reader = new FileReader();
reader.onload = (e) => {
const base64 = e.target.result.split(',')[1]; // Remove data: prefix
fetch('/api/upload', {
method: 'POST',
body: JSON.stringify({ file: base64, filename: file.name }),
});
};
reader.readAsDataURL(file);
5. Environment Variables with Special Characters
Encoding secrets that contain special characters:
# Store a JSON config in an env var
export CONFIG=$(echo '{"api_key": "abc/123+xyz"}' | base64)
# Read it back
echo $CONFIG | base64 --decode | python3 -m json.tool
Base64 Variants
Standard Base64
Uses + and / as the 63rd and 64th characters. May need URL-encoding in URLs.
Base64URL
Replaces + with - and / with _. No padding (=). Safe for URLs and filenames.
Used by: JWT, many modern APIs, OAuth2.
// Node.js Base64URL
Buffer.from(data).toString('base64url');
// Convert standard to URL-safe
const urlSafe = standard.replace(/\+/g, '-').replace(/\//g, '_').replace(/=/g, '');
Base64 with MIME Line Wrapping
Email standards require lines to be max 76 characters:
import base64
encoded = base64.encodebytes(data) # Includes line breaks
Troubleshooting
Incorrect Padding Error
Base64 strings must have length divisible by 4. Pad with = if needed:
function fixPadding(base64) {
return base64 + '='.repeat((4 - base64.length % 4) % 4);
}
Unicode/Emoji Encoding Issues
btoa() throws if the string contains characters outside Latin-1:
// This throws: "The string to be encoded contains characters outside of the Latin1 range"
btoa('Hello 🌍');
// Fix: encode as UTF-8 first
btoa(new TextEncoder().encode('Hello 🌍').reduce((s, b) => s + String.fromCharCode(b), ''));
Binary Data Corrupted After Decode
If you encode binary data (images, zips), decode back to a Buffer, not a string:
// Wrong — corrupts binary data
const decoded = atob(base64String); // treats as text
// Right — decode to Uint8Array
const bytes = Uint8Array.from(atob(base64String), c => c.charCodeAt(0));
Performance Considerations
Base64 encoding increases data size by approximately 33% (every 3 bytes becomes 4 characters).
Original: 1000 bytes
Encoded: ~1333 bytes
For large files, use binary transfer protocols instead:
- HTTP multipart/form-data for file uploads
- WebSockets with binary frames
- Server-Sent Events with chunked encoding
Security Notes
- Base64 is not encryption — decoded in milliseconds by anyone
- Don't store sensitive data Base64-encoded and call it secure — it isn't
- JWT payload is Base64URL-encoded — visible to anyone with the token. Don't put sensitive data in JWT payloads unless the token is also encrypted (JWE)
- Validate decoded data — malformed input can cause crashes; always handle decode errors
Quick Reference
| Task | JavaScript | Python | Bash |
|---|---|---|---|
| Encode string | btoa(str) |
base64.b64encode(s.encode()).decode() |
`echo -n str \ |
| Decode string | {% raw %}atob(str)
|
base64.b64decode(s).decode() |
`echo str \ |
| Encode file | {% raw %}Buffer.from(file).toString('base64')
|
base64.b64encode(open(f,'rb').read()) |
base64 file |
| URL-safe | Buffer.from(s).toString('base64url') |
base64.urlsafe_b64encode(s) |
(replace +//) |
Use DevPlaybook Base64 Tool for quick browser-based encoding and decoding without writing code.
Level Up Your Dev Workflow
Found this useful? Explore DevPlaybook — cheat sheets, tool comparisons, and hands-on guides for modern developers.
🛒 Get the DevToolkit Starter Kit on Gumroad — 40+ browser-based dev tools, source code + deployment guide included.
Top comments (0)