Introduction
When you inspect a JWT, a TLS certificate fingerprint, or a cryptographic hash, you will encounter the same binary data expressed in two completely different notations: Base64 and hexadecimal. A SHA-256 hash is 32 bytes. In hex that is 64 characters. In Base64 it is 43 characters plus a padding "=". They represent identical bytes — just formatted differently. Converting between them manually is error-prone and tedious. Paste either form below for an instant, bidirectional conversion in the browser.
What this tool does
- Converts Base64-encoded strings to their hexadecimal representation, byte-for-byte.
- Converts hexadecimal strings to Base64, correctly handling odd-length hex input by left-padding.
- Validates Base64 input and rejects strings containing characters outside the Base64 alphabet.
- Validates hex input and rejects strings containing non-hexadecimal characters.
- Runs entirely in the browser — no data is sent to any server.
How this tool works
Base64 to hex: the tool Base64-decodes the input string using the browser's native `atob()` function, which produces a byte string. It then iterates over each byte, formats its value as a two-character lowercase hex string (padding with a leading zero for values below 0x10), and concatenates the results.
Hex to Base64: the tool removes whitespace and validates that all characters are in `[0-9a-fA-F]`. If the hex string has an odd length, it left-pads with a zero to ensure even-length byte pairs. It then parses each two-character pair as a byte value, assembles a byte string, and passes it to `btoa()` to get the Base64 result.
Both directions are reversible and lossless — no information is added or removed, only the surface representation changes. The output fields update as you type, so you can watch the conversion happen character by character.
How the encoding works
Base64 is defined in RFC 4648 §4. It encodes every 3 bytes (24 bits) of input as 4 printable ASCII characters drawn from a 64-character alphabet (A–Z, a–z, 0–9, +, /). When the input length is not a multiple of 3, one or two padding `=` characters are appended. Base64 encoding is approximately 33% larger than the raw binary: 3 bytes in → 4 bytes out (ratio 4/3 ≈ 1.333).
Hexadecimal notation represents each byte as exactly two characters drawn from `[0-9a-f]`. The encoding ratio is exactly 2:1 — 1 byte → 2 hex chars. Hex is the native output format of every standard cryptographic hash function and is what tools like `openssl dgst`, `sha256sum`, and database `HEX()` functions produce.
The conversion between them is a change of base, not a cryptographic operation. Both formats encode the same sequence of bytes: `SGVsbG8=` in Base64 and `48656c6c6f` in hex both represent the ASCII string "Hello" (bytes 0x48, 0x65, 0x6c, 0x6c, 0x6f).
This conversion comes up constantly in applied cryptography. JWT tokens use Base64url (RFC 4648 §5, which replaces + with - and / with _ and omits padding) for the header and payload, but their cryptographic signatures are often compared against hex fingerprints in certificate stores. HMAC values computed with database functions (MySQL `SHA2()`) come back as hex; JWT libraries expect Base64url. Mistakes made while bridging those two representations are a common source of authentication bugs.
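The two conversions described under "How this tool works", written out as an added example (not the tool's own source). It goes beyond the tool by also accepting Base64url and colon-delimited hex, and by comparing two digests as bytes rather than as strings; the function names `normalizeB64`, `b64ToHex`, `hexToB64` and `sameDigest` are hypothetical.

```javascript
// Added example; all function names are illustrative, not the tool's API.

// Accept standard or URL-safe Base64 (RFC 4648 §4 / §5), padded or unpadded.
function normalizeB64(input) {
  const s = input.replace(/\s+/g, "").replace(/-/g, "+").replace(/_/g, "/")
                 .replace(/=+$/, "");
  if (!/^[A-Za-z0-9+/]*$/.test(s) || s.length % 4 === 1) {
    throw new Error("invalid Base64 input");
  }
  return s + "=".repeat((4 - (s.length % 4)) % 4); // restore padding for atob()
}

function b64ToHex(input) {
  const binary = atob(normalizeB64(input)); // one character per byte (0..255)
  let hex = "";
  for (let i = 0; i < binary.length; i++) {
    hex += binary.charCodeAt(i).toString(16).padStart(2, "0");
  }
  return hex;
}

function hexToB64(input, { urlSafe = false } = {}) {
  let hex = input.replace(/[\s:]/g, ""); // also drop fingerprint-style colons
  if (!/^[0-9a-fA-F]*$/.test(hex)) throw new Error("invalid hex input");
  if (hex.length % 2 === 1) hex = "0" + hex; // left-pad odd-length input
  let binary = "";
  for (let i = 0; i < hex.length; i += 2) {
    binary += String.fromCharCode(parseInt(hex.slice(i, i + 2), 16));
  }
  const b64 = btoa(binary);
  return urlSafe
    ? b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "")
    : b64;
}

// Compare a hex digest with a Base64/Base64url digest byte for byte.
// Both sides are reduced to canonical lowercase hex first, so case, colons,
// alphabet variant and padding cannot cause a false mismatch.
function sameDigest(hexDigest, b64Digest) {
  const a = b64ToHex(hexToB64(hexDigest));
  const b = b64ToHex(b64Digest);
  if (a.length !== b.length) return false;
  let diff = 0; // accumulate differences instead of returning at the first one
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}
```

Comparing the encoded strings directly would report a mismatch for `48:65:6C:6C:6F` versus `SGVsbG8`, although both encode the bytes of "Hello".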
How to use this tool
- Paste your Base64 string into the 'Base64 Input' field. The hex equivalent appears immediately in the output.
- To go the other direction, paste a hex string into the 'Hex Input' field. The Base64 result appears below.
- If you see an error, check for non-Base64 characters (spaces or line breaks are stripped automatically) or invalid hex characters.
- Copy the converted value using the copy button next to each output field.
- For Base64url input (JWT tokens), manually replace '-' with '+' and '_' with '/' before pasting, and add trailing '=' padding if needed.
Real-world examples
Comparing a JWT signature to a hex fingerprint
A developer verifies that a JWT's RS256 signature matches a known hex fingerprint stored in their database. The JWT signature is Base64url-encoded. They convert it here to hex: input `SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c` (after replacing `-` with `+`, `_` with `/`, and adding `=` padding) yields the 32-byte SHA-256 hex string they can compare directly against their database record.
Decoding a TLS certificate fingerprint
A network engineer checks a TLS certificate in a browser's certificate viewer, which shows the SHA-256 fingerprint as colon-delimited hex bytes: `4a:3b:...`. They need to compare it to the fingerprint stored in a secrets manager as a Base64 string. They strip the colons to get a raw hex string, paste it into the hex field, and get the Base64 equivalent in one step — no Python one-liner required.
Debugging a database HMAC comparison
A backend developer computes HMAC-SHA256 in MySQL using `SHA2(CONCAT(secret, message), 256)`, which returns a 64-character lowercase hex string. Their Node.js client computes the HMAC using `crypto.createHmac('sha256', secret).update(message).digest('base64')`, returning a Base64 string. To verify the values match, they paste the MySQL hex output into this tool and confirm it converts to the same Base64 string their Node.js client produces. Note that `SHA2(CONCAT(secret, message), 256)` is a plain SHA-256 over the concatenation, not the RFC 2104 HMAC construction, so the encoding conversion can only confirm a match when both sides compute the same construction.
Comparison with similar methods
| Method | Size overhead | Typical use |
|---|---|---|
| Hexadecimal | 2 chars per byte (100% overhead) | Hash output (sha256sum), byte inspection, colour codes |
| Base64 | ~1.33 chars per byte (33% overhead) | JWT, email attachments, binary data in JSON/XML |
| Base64url (RFC 4648 §5) | ~1.33 chars per byte, URL-safe alphabet | JWT tokens, URL parameters, cookie values |
| Raw binary | 1 byte per byte (0% overhead) | File storage, socket transmission, cryptographic operations |
Limitations or considerations
This tool handles standard Base64 (RFC 4648 §4) only. Base64url (used in JWTs and URL parameters) replaces `+` with `-` and `/` with `_` and omits padding `=` characters — manually substitute those before pasting. Very large inputs (multi-megabyte Base64 strings) may be slow due to the character-by-character JavaScript loop; for large data, use a native command-line tool (`xxd`, `openssl enc`, or `base64`). This is an encoding conversion, not decryption — if your Base64 or hex data is encrypted, decoding to the other format will not reveal plaintext.
Conclusion
Base64 and hexadecimal are two views of the same bytes. Needing to convert between them is a daily occurrence in cryptography, API debugging, and certificate inspection. This tool handles both directions instantly in the browser. For a full Base64 encoder and decoder that handles arbitrary text input, see the Base64 Encoder/Decoder tool.