What this does
- Base64 — turns binary or text into ASCII for safe transport (RFC 4648).
- Base64 URL — Base64 with
+/swapped for-_and padding stripped, safe to put in URLs and JWTs. - URL — percent-encodes characters that aren't safe in URL components (
encodeURIComponent). - HTML — escapes
& < > " 'so user input can't inject markup. - Hex — encodes each byte as two hex digits.
Guides
- Decode a JWT in your browser — paste a token, see header and payload instantly. Manual decode walkthrough, claims reference, and the security note every JWT guide has to repeat.
- Base64 vs Base64 URL: when to use which — the two-character alphabet difference, why JWTs and OAuth use the URL-safe variant, and how to convert between them.
- encodeURI vs encodeURIComponent — the bug-for-bug difference between JavaScript's URL encoders, when each is correct, and the classic + / space gotcha.
FAQ
Is my data sent to a server?
No. All encoding and decoding happens in your browser.
Does this support Unicode / emoji?
Yes. Text is converted to UTF-8 bytes before encoding, so any Unicode character (including emoji) round-trips correctly.
What's the difference between encodeURI and encodeURIComponent?
We use encodeURIComponent, which escapes characters like /, ?, #, and & — the right choice when the value is going inside a query parameter or path segment. encodeURI leaves those alone, which is only useful for encoding a whole URL.
Why does my Base64 string fail to decode?
Common causes: it's actually Base64 URL (try that tab), the input has been HTML-escaped (e.g. + turned into a space), or padding (=) is missing.