Base64 String Decoder
Decode Base64 strings to inspect encoded content, debug API responses, and extract original data. Fast string-focused decoding for developers analyzing tokens, payloads, and encoded parameters.
Why Use Base64 String Decoder
APIs and authentication systems encode data as Base64 strings—seeing actual content requires decoding. OAuth tokens, API response fields, URL parameters, and cookie values often contain Base64-encoded data that needs inspection during development or debugging. This string-focused decoder handles the most common developer use case: quickly decode a Base64 string from logs, API responses, or browser dev tools to see what it contains. Essential for debugging authentication flows (inspecting token claims), analyzing API responses (decoding embedded data fields), or troubleshooting encoded query parameters.
- String-optimized: Fast decoding for text-based Base64 data
- Multiple outputs: View as text, JSON, or hex
- Format detection: Auto-identifies JSON, XML, plain text
- Syntax validation: Checks Base64 validity before decoding
- Copy and share: One-click copy of decoded output
Step-by-Step Tutorial
- Copy Base64 string from API response, token, or parameter
- Example:
eyJuYW1lIjoiQWxpY2UiLCJyb2xlIjoiYWRtaW4ifQ== - Paste into decoder
- Click "Decode String"
- Output (auto-detected as JSON):
{"name":"Alice","role":"admin"} - Copy decoded content for analysis or code integration
Real-World Use Case
A backend developer debugs SSO integration where users intermittently fail to authenticate. SAML responses arrive Base64-encoded in POST parameters—production logs show raw Base64 strings with no decoded content. When auth fails, they need to see actual SAML assertion XML to identify malformed attributes. They capture a failed Base64 parameter, paste into string decoder, get decoded XML showing
Best Practices
- For OAuth/JWT tokens, decode payload section (middle part between dots)
- Check format auto-detection—may identify JSON, XML, or plain text
- Use hex view for debugging binary string corruption issues
- Validate Base64 syntax first to avoid decode errors from corruption
- For URL parameters, check if URL-safe Base64 (- and _ vs + and /)
Performance & Limits
- String length: Decodes strings up to 10 MB
- Processing speed: 1 MB string decoded in ~80ms
- Format detection: Auto-identifies JSON, XML, HTML, plain text
- Output modes: Formatted text, raw bytes, hex dump
- Error handling: Clear messages for invalid Base64 syntax
Common Mistakes to Avoid
- Forgetting to strip prefixes: Remove "Basic " or "Bearer " before decoding
- Wrong variant handling: JWT uses URL-safe Base64—may need conversion
- Decoding signature portions: JWT signature is binary—only decode header/payload
- Not checking padding: URL-safe Base64 often strips padding (==)
Privacy and Data Handling
Base64 string decoding happens entirely in your browser using JavaScript—data never leaves your device. For decoding production tokens or customer data, use private browsing mode. The decoder operates completely offline after page load.
Frequently Asked Questions
What types of Base64 strings can this decoder handle?
Decoder handles all Base64 variants: standard (+ and /), URL-safe (- and _), with or without padding (=). Common formats decoded: JWT tokens (header.payload.signature), Basic Auth credentials (username:password), SAML assertions (XML), API response fields (JSON/text), OAuth tokens, cookie values, URL query parameters. Auto-detects output format: JSON is syntax-highlighted and formatted, XML is indented, plain text displayed as-is. For binary data (images/files), use file-focused decoder instead—string decoder optimized for text content. Handles strings encoding to 10 MB text, larger than typical API payloads and tokens.
How do I decode strings from HTTP Authorization headers?
Authorization headers format: Basic base64-string or Bearer jwt-token. To decode: (1) Remove scheme prefix ("Basic " or "Bearer "), (2) Decode remaining string. For Basic Auth: decoded format is username:password. For Bearer JWT: split by dots, decode header and payload separately (signature is binary). Example: Authorization: Basic QWxpY2U6c2VjcmV0 → remove "Basic " → decode QWxpY2U6c2VjcmV0 → get Alice:secret. Many decoders have "Strip prefix" option handling common schemes automatically. Security note: Basic Auth sends credentials in easily-reversible encoding—always use HTTPS to protect against interception.
Can I decode Base64 strings from URL parameters?
Yes, but URL parameters often use URL-safe Base64 variant (- and _ instead of + and /). Standard Base64 decoders may need conversion: replace - with +, _ with /, add padding (=) if length not multiple of 4. Many modern decoders auto-detect and convert URL-safe variant. For manual extraction from URLs: https://api.com?token=eyJh... → take everything after = → decode. Common in: OAuth state parameters, SAML requests, encrypted URL redirects, tracking parameters. If decode fails on URL parameter, likely URL-safe variant or missing padding—try adding = or == at end.
Why does decoded string output look like JSON but isn't valid?
Possible causes: (1) Partial decode—full data split across multiple parameters/chunks, (2) Double-encoding—data was Base64-encoded twice (decode again), (3) Truncation—string was cut off during copy-paste (missing padding), (4) Mixed encoding—part Base64, part plain text. Solutions: Check for multiple related parameters holding continuation data. Try decoding output again (double-encoding common in nested systems). Verify entire string copied (check original length). Look for delimiters suggesting mixed content. For troubleshooting, compare decoded length to expected—mismatches indicate incomplete decode or wrong approach.