Base64 & JWT Decoder
Encode or decode Base64 strings, or inspect any JWT token — all in your browser, nothing sent to any server.
What is Base64 encoding?
Base64 is a binary-to-text encoding scheme that represents binary data using a set of 64 printable ASCII characters (A–Z, a–z, 0–9, +, /). It was designed to safely transmit binary data through systems that only handle text — email protocols (MIME), HTTP headers, data URLs, and API responses.
Base64 is an encoding, not encryption. It adds no security — anyone can decode a Base64 string instantly. It is purely a format transformation. A common beginner mistake is treating Base64-encoded data as "protected" when it is trivially reversible.
How Base64 encoding works
Base64 converts every 3 bytes of binary data into 4 ASCII characters. The process:
- Take 3 bytes (24 bits) of input data
- Split into four 6-bit groups
- Map each 6-bit value (0–63) to a character from the Base64 alphabet
- If the input length is not divisible by 3, pad the output with "=" characters so its length is a multiple of 4
The result is always approximately 33% larger than the original input. A 3MB image encoded in Base64 becomes roughly 4MB as a string.
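The following is an added example, not the tool's own code: a from-scratch Base64 codec in JavaScript that follows the four steps above (3 bytes in, four 6-bit groups, alphabet lookup, "=" padding) and also produces the Base64URL variant that JWTs use. The sample inputs are constructed; the alphabet and padding rules are the standard ones from RFC 4648.

```javascript
// Added example (not the page's tool code): Base64 encode/decode by hand,
// showing the 3-byte -> 4-character mapping, "=" padding and Base64URL.
const ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';

// Encode a Uint8Array (or a string, UTF-8 encoded first) to Base64.
// Pass { url: true } for the URL-safe alphabet without padding (used by JWTs).
function base64Encode(input, { url = false } = {}) {
  const bytes = typeof input === 'string' ? new TextEncoder().encode(input) : input;
  let out = '';
  for (let i = 0; i < bytes.length; i += 3) {
    // Pack up to 3 bytes (24 bits) into one integer; missing bytes read as 0.
    const b0 = bytes[i];
    const b1 = i + 1 < bytes.length ? bytes[i + 1] : 0;
    const b2 = i + 2 < bytes.length ? bytes[i + 2] : 0;
    const triple = (b0 << 16) | (b1 << 8) | b2;
    // Split into four 6-bit groups and map each through the alphabet.
    out += ALPHABET[(triple >> 18) & 63];
    out += ALPHABET[(triple >> 12) & 63];
    // Groups that cover only zero-fill bytes become "=" padding.
    out += i + 1 < bytes.length ? ALPHABET[(triple >> 6) & 63] : '=';
    out += i + 2 < bytes.length ? ALPHABET[triple & 63] : '=';
  }
  if (url) {
    // Base64URL (RFC 4648 section 5): swap "+" and "/" for "-" and "_", drop padding.
    out = out.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  }
  return out;
}

// Map one alphabet character back to its 6-bit value ("=" contributes zero bits).
function sextet(ch) {
  return ch === '=' ? 0 : ALPHABET.indexOf(ch);
}

// Decode standard or URL-safe Base64 to bytes; throws on characters outside the alphabet.
function base64Decode(text) {
  // Normalise the URL-safe alphabet and restore padding so one path handles both forms.
  let s = text.replace(/-/g, '+').replace(/_/g, '/').replace(/\s+/g, '');
  while (s.length % 4 !== 0) s += '=';
  const pad = (s.match(/=+$/) || [''])[0].length;
  if (pad > 2 || !/^[A-Za-z0-9+/]*={0,2}$/.test(s)) {
    throw new Error('invalid Base64 input');
  }
  // Every 4 characters carry 3 bytes, minus one byte per "=" at the end.
  const bytes = new Uint8Array((s.length / 4) * 3 - pad);
  let j = 0;
  for (let i = 0; i < s.length; i += 4) {
    const v = (sextet(s[i]) << 18) | (sextet(s[i + 1]) << 12) |
              (sextet(s[i + 2]) << 6) | sextet(s[i + 3]);
    if (j < bytes.length) bytes[j++] = (v >> 16) & 255;
    if (j < bytes.length) bytes[j++] = (v >> 8) & 255;
    if (j < bytes.length) bytes[j++] = v & 255;
  }
  return bytes;
}

// Convenience wrapper for text payloads such as JWT headers.
function base64DecodeToString(text) {
  return new TextDecoder().decode(base64Decode(text));
}
```

The decoder accepts both alphabets and missing padding on purpose: JWT segments arrive without "=" and with the URL-safe characters, while MIME and Basic-auth values use the standard form. Anything outside the alphabet is rejected rather than silently skipped, which is the behaviour you want in a tool that parses untrusted input.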
Common uses of Base64
- Embedding images directly in HTML/CSS as data:image/png;base64,... URLs
- Encoding binary attachments in emails (MIME encoding)
- Transmitting binary data in JSON APIs that only support text
- HTTP Basic Authentication: Authorization: Basic base64(user:password)
- The header and payload of JWT tokens (both are Base64URL-encoded)
What is a JWT (JSON Web Token)?
A JSON Web Token is a compact, self-contained way to represent claims between two parties. It is widely used for authentication and authorization in web APIs — instead of storing session state on the server, the server issues a signed JWT that the client stores and sends with each request.
A JWT is made of three dot-separated parts:
- Header: specifies the token type (JWT) and the signing algorithm (HS256, RS256, etc.). Base64URL encoded.
- Payload: contains the claims — user ID, roles, expiry time, and any custom data. Base64URL encoded. Readable by anyone who holds the token — never put secrets here.
- Signature: HMAC or RSA signature over header + payload. Verifies the token hasn't been tampered with. Only parties with the secret/private key can create valid signatures.
A JWT looks like: eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiYWxpY2UifQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
JWT security vulnerabilities to know
- Algorithm confusion (alg:none) — early JWT libraries accepted tokens with "alg":"none", meaning no signature required. Always verify the algorithm header matches what your server expects.
- RS256 → HS256 confusion — if a server uses RS256 (asymmetric), an attacker can forge tokens by switching the algorithm to HS256 and signing with the public key (which is, by definition, public); a library that takes the algorithm from the token will then treat that public key as the HMAC secret. Pin the accepted algorithm server-side instead of reading it from the token.
- Weak secrets — HS256 tokens signed with a short or guessable secret can be brute-forced. Use secrets of at least 256 bits.
- Missing expiry validation — always check the exp claim server-side. A token that never expires is a permanent credential if leaked.
- Sensitive data in payload — the payload is Base64-encoded, not encrypted. Never store passwords, PII, or secrets in JWT claims unless using JWE (JSON Web Encryption).