Loading
Encode and decode Base64, URL, Hex, HTML entities, and Unicode escape sequences. Free, client-side, no data sent to any server.
Base64 encodes binary data into ASCII text using a 64-character alphabet (A–Z, a–z, 0–9, +, /). It’s used in HTTP Authorization headers, email attachments (MIME), JSON Web Tokens, data URIs, and anywhere binary data needs to pass through text-only channels. The encoding increases size by roughly 33% — every 3 input bytes become 4 output characters.
Base64 is an encoding, not encryption — it provides no security. It’s commonly seen in attack payloads where shell scripts are encoded to avoid special character issues in shell commands. Security teams analyzing captured attack sessions frequently need to decode Base64 blobs to understand what an attacker attempted to execute.
URL encoding (RFC 3986) replaces unsafe characters with %XX hex pairs. Spaces become %20, angle brackets become %3C and %3E, ampersands become %26. This is essential for query strings, form submissions, and any data passed through URLs.
When reviewing web server logs or firewall rules, URL-encoded strings are everywhere. Double-encoding (%2520 for a space) is a common technique to bypass input filters and web application firewalls. If you’re running Nginx, you can integrate our blacklist directly to block known malicious sources before they reach your application layer.
Hex encoding represents each byte as two hexadecimal characters. 48656c6c6f decodes to Hello. Common in protocol analysis, packet captures, and binary data inspection.
HTML entities encode special characters for safe display in HTML. Named entities like < and numeric entities like < both represent <. Decoding these is essential when analyzing phishing emails or cross-site scripting payloads embedded in HTML source.
Unicode escapes use the \uXXXX format common in JavaScript and JSON. Obfuscated scripts sometimes encode entire payloads as Unicode escape sequences to evade signature-based detection. Our detection catalog documents many patterns that use this technique.
This tool runs entirely in your browser using built-in JavaScript APIs. No data is transmitted to any server. Your input never leaves your machine — feel free to paste API keys, tokens, or sensitive payloads without concern.
For programmatic encoding and decoding, most languages provide built-in functions: atob() / btoa() in JavaScript, base64 module in Python, Base64.decode64() in Ruby, and base64 -d on the command line.
Need to analyze suspicious IPs alongside encoded payloads? Use our IP threat lookup to check any address against our global honeypot network, or explore top attacking IPs for a broader view of the threat landscape. Protect your infrastructure with SikkerGuard or set up range alerts for your networks.