Base64 Decode & Encode
Paste Base64 to decode it, or type text to encode. Everything runs in your browser.
- Paste your Base64 string into the input box, or type plain text to encode.
- The tool auto-detects standard and URL-safe Base64 and decodes it instantly.
- Switch between Decode and Encode with the toggle above the box.
- Copy the result with one click - nothing is ever uploaded.
Base64 is one of the most common encodings you will meet in security work. It takes raw bytes and
represents them using just 64 printable characters - the uppercase and lowercase letters, the digits
0 to 9, and the two symbols + and /. Because the output is plain text, Base64
lets binary data travel safely through channels that were only ever designed for text: email bodies,
JSON payloads, HTTP headers, cookies, and URLs. This decoder and encoder runs entirely in your browser,
so you can inspect tokens and payloads without sending anything to a server.
Base64 is encoding, not encryption
The single most important thing to understand is that Base64 provides no security whatsoever. There is no key and no secret - the transformation is completely reversible by anyone. When you find a long Base64 blob inside a cookie, an API token, a configuration file, or a hidden form field, decoding it is often the fastest way to reveal what an application is really storing. Developers frequently reach for Base64 to "hide" a value, and that habit hands attackers useful information for free. Treat any Base64 string as fully readable.
How to recognise Base64
A Base64 string is a continuous run of letters, digits, + and /. Its length is
usually a multiple of four, and it may end in one or two = characters used as padding. A
popular variant called URL-safe Base64 swaps + for - and / for
_ so the value can sit inside a URL or filename without extra escaping - JSON Web Tokens use
exactly this variant. This tool detects both forms automatically, so you can paste either and get the
decoded result.
Where Base64 shows up in hacking
In web testing you will see Base64 in session cookies, CSRF tokens, "remember me" values, and the header and payload of JWTs. In CTF challenges, a chain of encodings - Base64, then hex, then a cipher - is a classic puzzle, and being able to peel back each layer quickly is a real advantage. In forensics and malware analysis, encoded blobs often hide a second-stage script or a command-and-control address that becomes obvious the moment you decode it. Encoding text back into Base64 is just as useful when you are crafting input to test how an application handles it.
A quick example
The text hacker encodes to aGFja2Vy. Decode SGFja2VyRE5B and you
get HackerDNA. Notice how a short, innocent-looking string can hide a readable message -
that is the whole point, and the reason decoding is a reflex skill for anyone doing security work. Once
you are comfortable spotting and reversing Base64, the next step is to use it against a real target in a
controlled lab, where recognising an encoded token is often the first move in a full attack chain.
Questions fréquentes
What is Base64?
Is Base64 secure or encrypted?
Does my data get uploaded?
How do I recognise Base64?
What is URL-safe Base64?
Passez à la pratique
Entraînez-vous sur de vraies cibles
Transformez ces outils en compétences avec des labs pratiques et des cours guidés sur HackerDNA.
Créer un compte gratuit