Free, browser-based utilities for everyday developer workflows

Fix Base64 encoding and decoding errors

Base64 breaks in predictable ways — missing padding, the URL-safe alphabet, or double-encoded UTF-8. Decode it correctly and see what the bytes actually are.

Open this example in Base64 Encode / Decode

Open the tool, then paste the sample input below. Everything runs locally in your browser.

Open this example in Base64 Encode / Decode →

The problem

A token or payload arrives Base64-encoded and decoding gives garbage or an error. The usual causes are stripped = padding, the URL-safe alphabet (- and _ instead of + and /), or text that was UTF-8 encoded twice. You need to decode with the right alphabet and inspect the real bytes.

Sample input

Encoded (URL-safe, no padding)
eyJhbGciOiJIUzI1NiJ9

Expected output

Decoded text
{"alg":"HS256"}

This is the URL-safe Base64 of a JWT header. Standard Base64 decoders may reject it until you restore padding and convert - _ back to + /.

How to do it

  1. Paste the Base64 string.
  2. Pick the alphabet: standard or URL-safe.
  3. Decode to text or bytes.
  4. Restore missing = padding if the length is not a multiple of four.
  5. Re-encode if you need a corrected value.

Common mistakes

  • Treating URL-safe Base64 (- and _) as standard Base64 (+ and /).
  • Dropping the = padding so the length is no longer a multiple of four.
  • Decoding bytes as text when the payload is binary.
  • Double-encoding: encoding an already-encoded string.
  • Copying surrounding quotes or whitespace into the input.

Related tools

Related guides

FAQ

What does "invalid Base64 padding" mean?

Standard Base64 length must be a multiple of four, padded with = characters. If the padding was stripped, add back one or two = signs so the length is a multiple of four.

What is URL-safe Base64?

URL-safe Base64 replaces + with - and / with _ so the value is safe in URLs and file names. Decode it with the URL-safe alphabet, or convert the characters back before using a standard decoder.

Why does my decoded text look like garbage?

The bytes were probably decoded with the wrong character set, or the data is binary rather than text. Decode to bytes and inspect, or confirm the original encoding was UTF-8.

Can I decode the header of a JWT with this?

Yes. A JWT is dot-separated URL-safe Base64. Decode the first segment to see the header; the JWT Decoder does this end to end.

Is my data uploaded?

No. Encoding and decoding run locally in your browser. Nothing is sent to a server.

Base64 encoding and decoding run locally in your browser. Nothing is uploaded.

Explore more security and debugging tools

Decode tokens, inspect certificates, redact secrets and sanitize captures — grouped in one place.

View the security & debugging toolkit →