devtools

Base32 Encode / Decode

Encode and decode RFC 4648 Base32 in your browser with full UTF-8 support. Case-insensitive decoding that ignores whitespace, ideal for TOTP and 2FA secrets.

Runs entirely in your browser — your data never leaves your device.

How to use Base32 Encode / Decode

What it does & when you need it

Base32 encodes arbitrary bytes using only the uppercase letters AZ and the digits 27 — an alphabet with no lowercase, no punctuation, and no easily confused characters. That makes it the format of choice for things humans type or read aloud: TOTP two-factor secrets in authenticator apps, onion service addresses, DNS-safe identifiers, and case-insensitive file names. This tool encodes text to Base32 and decodes it back, with full UTF-8 support, entirely in your browser so a 2FA seed or private token never touches a server.

How to use

  1. Choose Encode or Decode at the top.
  2. Type or paste into the left buffer, or press Sample to load an example. In Encode mode you can also Upload a text file.
  3. The result appears on the right. Press Copy result or Ctrl/Cmd + Enter to copy it.

Things worth knowing

Base32 is encoding, not encryption. The mapping is public and fully reversible, so it hides nothing. Its job is to let binary or non-ASCII data survive a text-only, case-insensitive channel — not to protect a secret. Anyone can decode it in one step.

Why the = padding appears. Base32 packs five bytes (40 bits) into eight characters. When your input is not a multiple of five bytes, the final group is padded with = so the length stays a multiple of eight. One leftover byte ends in six =, four leftover bytes in a single =.

Decoding is forgiving. Input is uppercased before decoding, so lowercase works too, and any spaces, tabs, or newlines are ignored — handy when a secret is printed in groups of four. Characters outside the AZ 27 alphabet, including the digits 0, 1, 8, and 9, are rejected with an error rather than decoded to garbage.

Base32 is bulkier than Base64. It produces eight characters per five bytes — about 60% overhead versus Base64's 33% — the price it pays for a safer, smaller alphabet. If size matters more than legibility, the Base64 tool is the better fit; to hash rather than transport bytes, see the hash generator.

Examples

Encode UTF-8 text

Hello, 世界! 😀

Multi-byte characters are UTF-8 encoded before Base32, so emoji and CJK round-trip correctly.

Decode a Base32 string

MZXW6YTBOI======

Switch to Decode mode to read this back as the classic test value "foobar".

Whitespace and lowercase are tolerated

mzxw
6ytb oi======

Decoding uppercases the input and strips the newline and space, still yielding "foobar".

Frequently asked questions

How is Base32 different from Base64?

Both turn bytes into printable text, but Base32 uses a smaller 32-character alphabet — A–Z and 2–7 — with no lowercase or punctuation. That makes it case-insensitive and safe to read aloud or type, at the cost of size: it produces about 60% overhead versus Base64’s 33%.

Is Base32 encryption?

No. It is a reversible encoding with a public alphabet, so it hides nothing. Its purpose is to move binary or non-ASCII data through a case-insensitive, text-only channel — never to protect a secret. Anyone can decode it instantly.

Why does the output end in "=" characters?

Base32 packs five bytes into eight characters. When the input length is not a multiple of five, the last group is padded with "=" so the total length stays a multiple of eight. One leftover byte ends in six "=", four leftover bytes in a single "=".

Which alphabet does this use, and is decoding case-sensitive?

It uses the standard RFC 4648 alphabet (A–Z then 2–7), not the base32hex or Crockford variants. Decoding uppercases the input first, so lowercase works, and it ignores spaces, tabs, and newlines — handy when a secret is printed in groups of four.

Why is a 2FA secret shown in Base32?

TOTP authenticator apps store the shared secret as Base32 precisely because the alphabet has no ambiguous characters and survives being typed by hand or read from a screen. Decode one here to see the raw bytes behind the setup key.

Is my input uploaded anywhere?

No. Encoding and decoding run entirely in your browser, so a 2FA seed, token, or any private value never leaves your machine, and the tool keeps working offline once loaded.