
Base64 Decoding: Reading JWTs, API Responses, and Encoded Data

Base64 decoding is something every developer encounters regularly — inspecting a JWT token, reading an API response that contains encoded data, debugging an OAuth flow, or examining a SAML assertion. The encoded strings look like noise until you decode them. This guide covers the practical scenarios where you'll need Base64 decoding and how to handle the quirks that trip people up.

Decoding JWT Tokens

A JSON Web Token has the format header.payload.signature. All three parts are Base64url-encoded. The header and payload are JSON objects; the signature is the raw cryptographic signature bytes.

To read a JWT's contents, decode the second part (payload). Paste the full JWT into this decoder and click "Decode JWT payload" — the tool will split on the dots, extract the payload, Base64url-decode it, and pretty-print the JSON.

Common JWT payload claims you'll find:

  • sub — Subject (usually the user ID)
  • iat — Issued At (Unix timestamp)
  • exp — Expiration (Unix timestamp — convert to a date to check if expired)
  • iss — Issuer (your auth server URL or name)
  • aud — Audience (which service the token is for)
  • Custom claims — roles, permissions, tenant IDs, whatever your auth system adds

Important reminder: decoding the payload does not verify the signature. You're reading the claims the token asserts, but you cannot confirm those claims are authentic without verifying the HMAC-SHA256 or RSA signature against the issuer's key. Use your backend library for signature verification.
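The decode-only inspection described above, written out as an added example (it is not this tool's source code). The function names, the claim values and the sample token are constructed for illustration, and the signature part is filler rather than a real signature.

```javascript
// Added example: read a JWT's header and payload WITHOUT verifying it.
function b64urlToBytes(part) {
  const std = part.replace(/-/g, '+').replace(/_/g, '/');
  const bin = atob(std + '='.repeat((4 - (std.length % 4)) % 4));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

function decodeJsonPart(part) {
  // fatal: true rejects bytes that are not valid UTF-8 instead of guessing.
  const text = new TextDecoder('utf-8', { fatal: true }).decode(b64urlToBytes(part));
  return JSON.parse(text);
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error('expected header.payload.signature');
  }
  const header = decodeJsonPart(parts[0]);
  const payload = decodeJsonPart(parts[1]);
  const hasExp = typeof payload.exp === 'number';
  return {
    header,
    payload,
    expiresAt: hasExp ? new Date(payload.exp * 1000).toISOString() : null,
    expired: hasExp ? payload.exp <= nowSeconds : null,
    signatureBytes: b64urlToBytes(parts[2]).length, // raw bytes, not JSON
    verified: false, // decoding never proves the claims are authentic
  };
}

// Constructed sample token (hypothetical issuer and audience).
const toB64url = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const sampleJwt = [
  toB64url({ alg: 'HS256', typ: 'JWT' }),
  toB64url({ sub: 'user-42', iss: 'https://auth.example', aud: 'billing-api',
             iat: 1700000000, exp: 1700003600 }),
  'c2lnbmF0dXJl', // filler bytes standing in for the signature
].join('.');

console.log(inspectJwt(sampleJwt, 1700000100));
```

The `verified: false` field is fixed on purpose: anything an application acts on still has to pass signature verification against the issuer's key in a backend library.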

Decoding API Tokens and Credentials

Many API tokens and secrets are Base64-encoded so they can be carried safely in text formats; the encoding is not encryption and hides nothing. AWS access keys embedded in config files, database connection strings, and service account JSON files from Google Cloud all contain Base64-encoded values in various fields.

A common debugging scenario: you receive an Authorization: Basic ... header and want to see the credentials inside. Strip "Basic " from the front, paste the remainder here, and you'll see username:password. This is why Basic Auth over HTTP is insecure — anyone who intercepts the header can decode it in seconds.

Reading SAML Assertions

SAML (Security Assertion Markup Language), used in enterprise SSO, sends authentication assertions as compressed, Base64-encoded XML. The SAMLResponse parameter in SSO redirects is Base64-encoded (and often zlib-compressed). Decoding gives you the XML assertion containing user attributes, session data, and signature information.

When debugging SAML integrations — verifying attributes, checking NameID format, inspecting audience restrictions — you'll spend a lot of time decoding these assertions. This tool handles the Base64 step; for SAML-specific parsing with deflate decompression, use a dedicated SAML debugger.

Debugging Encoded Query Parameters

Some web applications encode entire JSON objects as Base64 in query parameters. For example: ?state=eyJ1c2VyIjoiYWxpY2UifQ==. This is common in OAuth flows (the state parameter) and redirect parameters. Decode the value to see what's inside — often it's a JSON object with a return URL, CSRF token, or session identifier.

Note: query parameter Base64 values are often Base64url-encoded (no + or /) and may have padding stripped. This tool handles all variants automatically — just paste and decode.

Certificate and Key Inspection

PEM files (TLS certificates, RSA keys, SSH keys) are Base64-encoded DER data wrapped in header/footer lines like -----BEGIN CERTIFICATE-----. To inspect the raw bytes, strip the header/footer lines and decode the Base64 block. The result is DER-formatted binary — you'd need an ASN.1 parser to make sense of it, but the decode step is pure Base64.


Frequently Asked Questions

How do I decode a JWT token?

Paste the full JWT (the three dot-separated parts) into the decoder and click 'Decode JWT payload'. The tool will extract the middle part (the payload), apply Base64url decoding, and display the JSON. You'll see standard JWT claims: sub (subject/user ID), iat (issued at, Unix timestamp), exp (expiration, Unix timestamp), iss (issuer), and any custom claims added by your application. Remember: the payload is not encrypted — anyone with the token can read it. The signature only proves authenticity.

Why does Base64 decoding fail on my input?

Common reasons: (1) The input is Base64url (uses - and _ instead of + and /) — this tool normalises both, so try pasting the raw token. (2) The padding is missing — Base64 requires the string length to be a multiple of 4, padded with =. Some implementations strip padding. This tool automatically adds padding. (3) The string contains whitespace or line breaks — this tool strips them. (4) The input isn't actually Base64 — it might be hex, percent-encoded, or another encoding entirely.

What is the difference between Base64url and standard Base64?

Standard Base64 (RFC 4648 §4) uses characters A-Z, a-z, 0-9, +, and /. Base64url (RFC 4648 §5) replaces + with - and / with _ to make the encoding safe in URL paths and query strings without percent-encoding. JWTs, OAuth tokens, and many modern APIs use Base64url. When decoding, you must normalise the characters before calling atob() or your library's Base64 decoder, since most standard implementations expect the + and / variants.

How do I decode a data URI?

A data URI looks like: data:image/png;base64,iVBORw0KGgo... Strip everything up to and including the comma (data:image/png;base64,), then paste only the Base64 portion into the decoder. The decoded output will be the raw binary of the image — it may display as garbled text since it's binary data, not text. To actually use the decoded image, you'd save it as a PNG. This tool is optimized for text-based Base64 (JSON, JWT, credentials). For binary data URIs, use a dedicated image tool.

Is decoded Base64 always readable text?

No. Base64 can encode any binary data — images, PDFs, compiled executables, encrypted blobs. When you decode such data, you'll get raw bytes that look like garbled characters. This tool attempts UTF-8 decoding first (which works for JSON, JWT payloads, text credentials), then falls back to Latin-1 for binary data. If the decoded output looks garbled, the original data was binary, not text. The tool will display a note when this happens.
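The handling described in the answers on decoding failures, Base64url and non-text output, combined into one decoder. This is an added example, not this tool's source; `decodeBase64Any`, the reason strings and the sample inputs are constructed for illustration.

```javascript
// Added example: tolerant Base64 / Base64url decoding with text-vs-binary detection.
function decodeBase64Any(input) {
  // Whitespace and line breaks are not part of the data.
  let s = input.replace(/\s+/g, '');
  // Map the Base64url alphabet onto the standard one and drop any padding.
  s = s.replace(/-/g, '+').replace(/_/g, '/').replace(/=+$/, '');
  // Anything outside the alphabet means the input is some other encoding.
  if (s === '' || !/^[A-Za-z0-9+/]+$/.test(s)) {
    return { ok: false, reason: 'not-base64' };
  }
  // No encoder emits a length with remainder 1: the input is truncated.
  if (s.length % 4 === 1) {
    return { ok: false, reason: 'bad-length' };
  }
  // Restore the padding that many implementations strip.
  s += '='.repeat((4 - (s.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(s), (c) => c.charCodeAt(0));
  try {
    const text = new TextDecoder('utf-8', { fatal: true }).decode(bytes);
    return { ok: true, kind: 'utf-8', text, bytes };
  } catch {
    // Latin-1 maps each byte to one character, so the bytes stay displayable.
    const text = Array.from(bytes, (b) => String.fromCharCode(b)).join('');
    return { ok: true, kind: 'binary', text, bytes };
  }
}

// Constructed sample inputs covering each case.
const samples = {
  unpaddedState: 'eyJ1c2VyIjoiYWxpY2UifQ', // the state value above, padding stripped
  wrappedBasic: 'dXNlcjpz\nZWNyZXQ=',      // "user:secret" split by a line break
  urlAlphabet: 'fn5-Pz8_',                 // uses - and _ in place of + and /
  pngSignature: 'iVBORw0KGgo=',            // first 8 bytes of a PNG file
  percentEncoded: '%7B%22a%22%7D',         // not Base64 at all
  truncated: 'abcde',                      // impossible length
};

for (const [name, value] of Object.entries(samples)) {
  const r = decodeBase64Any(value);
  console.log(name, r.ok ? `${r.kind}: ${JSON.stringify(r.text)}` : `failed: ${r.reason}`);
}
```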

The DevTools Team
Infinfy Engineering
We build free developer utilities that we actually use ourselves. No accounts, no tracking, no backend — just fast, accurate, in-browser tools. Part of Infinfy Solutions.