> base64 decoder | paste | decode <

Paste the Base64 string into the INPUT area above — the decoder runs automatically as you type (auto-decode is enabled by default). The decoded text appears in the OUTPUT area instantly. You can also click [DECODE] explicitly or use Ctrl/Cmd + Enter. Everything runs locally in your browser; nothing is sent to a server, so pasting JWT tokens, OAuth state, or confidential payloads is safe.

All of them. The decoder auto-detects and accepts:
• Standard Base64 (RFC 4648) — alphabet A-Z a-z 0-9 + / with = padding.
• URL-safe Base64 (RFC 4648 §5) — alphabet with - and _ instead of + and /. Used by JWT, OAuth, Google APIs, AWS S3 presigned URLs.
• Unpadded Base64 — the trailing = signs are omitted. Common in JWT, where a decoder has to auto-add padding.
• Whitespace-tolerant — line breaks, tabs, and spaces inside the Base64 string are stripped before decoding (handles MIME-wrapped 76-column output from email bodies).

The detected format is shown as a badge below the buttons so you know which variant the decoder classified your input as.

Most decode failures have one of these five causes:

1. The input isn't actually Base64. Many people confuse Base64 with hex, Base32, or URL encoding. Base64 only uses A-Z a-z 0-9 + / = (or - _ for URL-safe). If the string contains %20, it's percent-encoded; if it's all 0-9 a-f, it's likely hex.

2. Truncation. Base64 length must be a multiple of 4 after padding. A copy-paste that drops the trailing == causes "invalid length" errors. This decoder auto-pads, but severely truncated strings still fail.

3. Mixed URL-safe and standard. If +/-_ are all present, the string is ambiguous and likely corrupted. Only one variant should be used.

4. Double encoding. Sometimes a string is Base64-encoded twice. Decoding once yields gibberish that is itself Base64. Decode again to get the final text.

5. UTF-8 encoding of the original text. Base64 decodes to bytes. If the original bytes aren't valid UTF-8 (e.g., it's raw binary like an encrypted blob or a PNG), the decoded output will look like mojibake. That's expected — use a Base64-to-file tool instead.

A JWT has three parts separated by dots: header.payload.signature. All three are URL-safe Base64 without padding. To inspect the payload:

1. Copy the middle segment (between the two dots).
2. Paste it into the decoder above. Auto-decode handles the URL-safe alphabet and adds missing padding.
3. You get the JSON payload with claims like iss, sub, exp, iat.

The signature (third segment) is a binary HMAC or RSA output — decoding it as text gives gibberish, which is expected. For a full JWT inspector with signature verification, use our dedicated JWT Decoder.

Security note: decoding a JWT does not verify it. Anyone can read a JWT payload — that's by design. The signature proves the token came from the issuer; it's verified separately with the issuer's public key or shared secret.

Yes — every major platform ships with a Base64 decoder. When this online tool is too slow to paste into, use:

macOS / Linux (bash/zsh):
echo 'SGVsbG8=' | base64 -d — outputs Hello. Use -D on macOS if -d doesn't work. For URL-safe input, pipe through tr '_-' '/+' first.

Windows PowerShell:
[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String('SGVsbG8='))

Python:
import base64
base64.b64decode('SGVsbG8=').decode('utf-8') # Hello
base64.urlsafe_b64decode(s + '===').decode() # URL-safe with auto-pad

Node.js:
Buffer.from('SGVsbG8=', 'base64').toString('utf-8')

Browser DevTools:
atob('SGVsbG8=') — works in any console. For UTF-8 strings wrap with new TextDecoder().decode(Uint8Array.from(atob(s), c => c.charCodeAt(0))).

PHP: base64_decode('SGVsbG8=')
Ruby: Base64.decode64('SGVsbG8=')
Go: base64.StdEncoding.DecodeString("SGVsbG8=")

Yes — this decoder is safer than server-side tools because nothing leaves your browser. The decoding happens entirely in JavaScript on your device via the native atob() and TextDecoder APIs. There is no network call, no upload, no logging, no analytics on the input content. You can verify this yourself by opening the browser DevTools Network tab while decoding — you'll see zero requests.

That said, Base64 is not encryption — it's just encoding. Anyone with the Base64 string can decode it. So while this tool is safe, you should still:
• Never share screenshots of decoded JWTs that haven't expired.
• Rotate credentials that leak anywhere (logs, screenshots, shared chat).
• Treat decoded OAuth state, CSRF tokens, and session IDs as secrets until invalidated.

For corporate/regulated environments where even the Base64 string is sensitive, you can save this page offline (Cmd/Ctrl + S) — it works fully air-gapped after one load, since the decoding logic is pure JavaScript.

A Data URI follows the syntax data:[<mediatype>][;base64],<data>. To decode just the payload:

1. Find the comma. Everything before it is metadata (data:image/png;base64), everything after is the Base64-encoded file.
2. Copy only the part after the comma into this decoder.
3. For binary content (PNG, JPG, PDF), the decoded output will be raw bytes — text rendering shows mojibake. That's expected.
4. To view a Data URI image, paste the entire data:... URI into your browser's address bar — the browser decodes and renders it directly.
5. To save the image file, use our dedicated Base64 to Image tool, which handles the full Data URI and downloads a PNG/JPG/WebP.

Data URIs are commonly found in: CSS background-image rules, inline SVG icons, email signature images, PDF attachments encoded into JSON API responses, and Electron/VS Code extension icon bundles.

Encoding takes arbitrary binary or text data and produces an ASCII string using only printable characters — safe for transport over text-only channels (email, URLs, JSON). Decoding reverses that: an ASCII Base64 string becomes the original bytes.

Key properties:
• Round-trip lossless: decode(encode(x)) === x for all byte inputs. No data is ever lost.
• Not encryption: Base64 offers zero secrecy. Anyone can decode it.
• Size overhead: encoded output is ~33% larger than input (4 output bytes per 3 input bytes).
• Use cases: JWT tokens, MIME email attachments, HTTP Basic Auth headers, OAuth codes, S3 presigned URLs, inline images in HTML/CSS.

This page is dedicated to decoding. If you need to go the other way (text/file → Base64), use our Base64 Encoder on the home page, or our Image to Base64 converter for image files.

Yes, within browser memory limits. The decoder accepts unlimited input length — we've tested with 50 MB Base64 strings (~37 MB decoded) on modern laptops. Performance:

• < 100 KB: instant, no UI delay.
• 1 – 10 MB: decoding takes ~50-500 ms depending on CPU.
• 10 – 100 MB: browser may freeze briefly (2-10 s) since atob is synchronous. Disable auto-decode first and click [DECODE] manually.
• > 100 MB: you'll hit browser memory limits. For gigabyte-scale Base64 files, use a command-line tool (base64 -d).

If the decoded content is a binary file (PNG, PDF, ZIP), the text output area will show mojibake. To download the decoded bytes as a file, use our Base64 to Image tool (handles images) or the command-line approach: echo '<base64>' | base64 -d > output.bin.

Yes. After the page loads once, all decoding happens client-side in JavaScript — no network is needed. To make it fully offline:

1. Save the page: press Ctrl+S (Windows/Linux) or Cmd+S (macOS) and save as "Webpage, Complete". The decoder works from the saved HTML.
2. Install as PWA (if supported): some browsers offer "Install this app" for base64.sh — gives you a launcher with offline access.
3. Use in DevTools: the native atob() function works in any browser console without this page. For a quick decode: atob('SGVsbG8=').

Offline operation is useful for: air-gapped security research, pentesting labs, corporate environments with strict data-egress rules, and flights/trains without internet.