Network Tools Updated 2026-05-25

Base64 Encoder / Decoder — when a value has to survive transport

A walkthrough of PortJar's Base64 Encoder / Decoder — when base64 is the right wrapper, when it is a security mistake, and how to read what came back out.

Half the time someone asks “what is this string?”, the answer is base64 — a TLS private key pasted into a chat that the chat client mangled into a single line, a Docker registry auth blob from ~/.docker/config.json, a JWT segment, a BasicAuth header pulled out of a curl command. None of these are encrypted, but they all need to survive transport through systems that would otherwise eat newlines, quote characters, or non-ASCII bytes. PortJar’s Base64 Encoder / Decoder is for the moment you need to look at one of those strings and confirm what is actually inside.

What the tool does

Base64 Encoder / Decoder converts UTF-8 text to and from base64. In encode mode, you paste plain text and get the canonical base64 representation, padded with = if needed. In decode mode, you paste a base64 string and get the original bytes back, decoded as UTF-8. It runs entirely client-side — the text never leaves your browser tab, which matters when the value you are decoding is a credential, a token, or any other secret.

What it does not do is encrypt anything. Base64 is reversible by anyone in less than a second. Treat a base64-encoded value as exactly as sensitive as the plaintext underneath, because it is. A Docker auths entry that looks like opaque junk is your registry username and password in clear, separated by a colon. A BasicAuth header is the same.

How to use it

Open portjar.com/tools/base64, pick Encode or Decode in the Mode dropdown, paste the text, and hit Run. The two example chips — encode / hello world and decode / aGVsbG8gd29ybGQ= — load a canonical round-trip you can sanity-check against in two clicks. Output appears below the form. Because the page is client-side, you can run it offline once it is loaded; that is useful when you are decoding something you would rather not have logged anywhere.

When you’d reach for it

  • Decoding a Docker registry credential pulled from ~/.docker/config.json or a Kubernetes kubernetes.io/dockerconfigjson secret, to confirm which username and password are actually being sent before you go chasing a 401 Unauthorized.
  • Reading the payload of a JWT by base64-decoding the middle segment (between the two dots). The signature segment is not decodable as text, but the header and payload are JSON and tell you exactly which claims are being sent.
  • Verifying a Basic HTTP auth header captured from a curl trace or a load-balancer log. Decoding the part after Basic gives you user:password in clear and confirms the right credential is on the wire.
  • Round-tripping a config value with newlines or quotes — a PEM-encoded TLS key, a multi-line YAML blob — through a system that only accepts a single ASCII line, like a CI secret store or a --build-arg. Encode, paste, decode at the other end.
  • Decoding the data: portion of a small inline image or PDF lifted out of a generated HTML email, to confirm the asset is what the sender thinks it is rather than a placeholder or a broken template.

What to make of the output

If decoded output is recognizable text — JSON, a credential pair, a PEM block, an XML fragment — you decoded the right thing and you now know what was inside. Read it, redact it, and move on.

If decoded output is binary or shows replacement characters (), the input was either not text in the first place (an image, a TLS handshake fragment, a binary protocol buffer) or it was base64 of something that does not decode cleanly as UTF-8. Both are valid bytes, but the textbox is the wrong place to look at them — pipe the same value through base64 -d | file - on a shell to identify what you actually have.

If decoding fails with a length or padding error, the string was truncated, copied incorrectly, or had quoting added by a shell or chat client. Common causes: a stripped trailing =, a single quote that became a smart quote, or whitespace that crept in. Strip whitespace, re-add = until length is a multiple of four, and try again.

A round-trip test is the cheapest sanity check. Encode hello world, copy the result, paste it back, decode — you should get hello world exactly. If you do not, the problem is in the copy path (the terminal, the chat client, the ticket system), not in the value.

Stack Harbor uses encode / decode probes routinely during credential rotations and registry cutovers we run as part of deployment management.

Book consult