Paste a string and instantly see whether it parses as valid Base64. Choose permissive mode (handles whitespace, URL-safe variants, missing padding) or strict RFC-4648 §4 compliance.
In permissive (default) mode, we accept whitespace, URL-safe variants (-, _), and tolerate missing padding. In strict mode, the input must be exactly [A-Za-z0-9+/] followed by 0–2 = padding characters, with length divisible by 4.
In strict RFC 4648 §4 form, a valid Base64 string contains only A–Z, a–z, 0–9, +, and /, optionally followed by 1 or 2 = padding characters. Its total length must be divisible by 4. In permissive mode, the validator also accepts whitespace, URL-safe variants (- and _), and missing padding.
Common causes: it contains characters outside the alphabet (often a stray space, plus sign, or quote from copy-paste), its length is not a multiple of 4, padding is in the wrong place, or it is actually a different encoding (like hex or URL-encoded text). The validator shows a specific reason for each failure.
It estimates the size of the original data. Base64 expands data by about 33% — every 4 Base64 characters represent 3 bytes. A 100-character Base64 string decodes to about 75 bytes. The exact count helps verify you have the complete encoded data, not a truncated copy.
When you need to verify that a string conforms to RFC 4648 §4 exactly — useful for API request validation, format compliance checks, or debugging interoperability issues between systems that disagree about whether to accept URL-safe variants or missing padding.
+ and / for index values 62 and 63. Both are reserved in URLs — + can read as a space and / separates path segments. URL-safe Base64 (RFC 4648 §5) swaps + for - and / for _ so the string travels safely in query strings and filenames without extra percent-encoding. This validator accepts both variants.base64_decode($data, true), for example, returns false the moment it hits a character outside the Base64 alphabet. If a string picked up line breaks in transit — common with PEM blocks or email — strip whitespace with a regex before decoding, or choose non-strict mode deliberately.==; if it holds two bytes (16 bits) it appends a single =. The padding tells a decoder exactly how many bytes the last block really contained.==. Remainder 2 (two leftover bytes, 16 bits) encodes to three characters plus a single =. Since the maximum padding is two characters, === can never appear in a valid string.A–Z a–z 0–9 + / =. Common causes are stray whitespace or newlines from copy-paste, percent-encoded sequences such as %2B instead of +, or feeding a URL-safe string (containing - or _) to a standard decoder. Strip whitespace and confirm the variant before decoding.const clean = raw.replace(/[^A-Za-z0-9+/=]/g, '');
const decoded = atob(clean);This stops strict decoders from throwing on characters that slipped in during transport or copy-paste.