Validation

Base64 Validator.

Paste a string and instantly see whether it parses as valid Base64. Choose permissive mode (handles whitespace, URL-safe variants, missing padding) or strict RFC-4648 §4 compliance.

Base64 Validator
?
Waiting for input
Paste a Base64 string above
What we check

In permissive (default) mode, we accept whitespace, URL-safe variants (-, _), and tolerate missing padding. In strict mode, the input must be exactly [A-Za-z0-9+/] followed by 0–2 = padding characters, with length divisible by 4.

Frequently asked

About this tool.

In strict RFC 4648 §4 form, a valid Base64 string contains only A–Z, a–z, 0–9, +, and /, optionally followed by 1 or 2 = padding characters. Its total length must be divisible by 4. In permissive mode, the validator also accepts whitespace, URL-safe variants (- and _), and missing padding.

Common causes: it contains characters outside the alphabet (often a stray space, plus sign, or quote from copy-paste), its length is not a multiple of 4, padding is in the wrong place, or it is actually a different encoding (like hex or URL-encoded text). The validator shows a specific reason for each failure.

It estimates the size of the original data. Base64 expands data by about 33% — every 4 Base64 characters represent 3 bytes. A 100-character Base64 string decodes to about 75 bytes. The exact count helps verify you have the complete encoded data, not a truncated copy.

When you need to verify that a string conforms to RFC 4648 §4 exactly — useful for API request validation, format compliance checks, or debugging interoperability issues between systems that disagree about whether to accept URL-safe variants or missing padding.

Standard Base64 uses + and / for index values 62 and 63. Both are reserved in URLs — + can read as a space and / separates path segments. URL-safe Base64 (RFC 4648 §5) swaps + for - and / for _ so the string travels safely in query strings and filenames without extra percent-encoding. This validator accepts both variants.
Browsers quietly skip spaces, tabs and newlines while decoding, but strict server-side decoders do not. PHP's base64_decode($data, true), for example, returns false the moment it hits a character outside the Base64 alphabet. If a string picked up line breaks in transit — common with PEM blocks or email — strip whitespace with a regex before decoding, or choose non-strict mode deliberately.
Padding, not data. Base64 works on 24-bit blocks that become four characters, so output length must be a multiple of 4. If the final block holds only one byte (8 bits) the encoder appends ==; if it holds two bytes (16 bits) it appends a single =. The padding tells a decoder exactly how many bytes the last block really contained.
Padding depends on the input length modulo 3, which can only be 0, 1 or 2. Remainder 0 needs no padding. Remainder 1 (one leftover byte, 8 bits) encodes to two characters plus ==. Remainder 2 (two leftover bytes, 16 bits) encodes to three characters plus a single =. Since the maximum padding is two characters, === can never appear in a valid string.
The decoder hit a character outside the alphabet A–Z a–z 0–9 + / =. Common causes are stray whitespace or newlines from copy-paste, percent-encoded sequences such as %2B instead of +, or feeding a URL-safe string (containing - or _) to a standard decoder. Strip whitespace and confirm the variant before decoding.
Remove every character that is not part of the Base64 alphabet — whitespace, carriage returns, newlines, tabs — with a regular expression first:
const clean = raw.replace(/[^A-Za-z0-9+/=]/g, '');
const decoded = atob(clean);
This stops strict decoders from throwing on characters that slipped in during transport or copy-paste.
Partly. Base64 encodes data in independent four-character (24-bit) blocks, so damage to one block does not corrupt the others. If a string was cut off, pad the remaining valid characters up to a multiple of four and you can recover the leading blocks — but any bytes past the truncation point are lost.
Related tools

More from the toolkit.