Decode Base64 to JSON or XML

Est. read: 7 min
Encoding & Tokens
Base64 payload decoded into JSON and XML

Summary

Definition: Base64 decoding recovers original bytes, which may represent JSON, XML, or binary data.

Why it matters: Decoding enables inspection of API payloads, tokens, and embedded data.

Pitfall: Decoded output may be malformed, unsafe, or non-text.

This guide explains how to safely decode Base64 to JSON or XML.
Many APIs and tokens embed structured data inside Base64.
Decoding reveals bytes, not trust or validity.

Key terms
Base64
Encoding that maps bytes to ASCII characters.
Base64URL
URL-safe Base64 variant using - and _.
Payload
Data being encoded or decoded.
Validation
Strict syntax checking for a data format.
UTF-8
Standard text encoding required for JSON.

Decode, then identify the format

After decoding, treat the result as raw bytes.
Only treat the result as text if strict UTF-8 decoding succeeds.
Then identify whether the content is JSON, XML, or non-text data.

JSON vs XML
JSON
UTF-8 text with objects and arrays.
XML
Markup text with tags and attributes.
Both
Require strict validation after decoding.

Common mix-up: Base64 provides no secrecy; decoding restores the original bytes.

Disable XML external entities and DTDs before parsing decoded XML.

Decoded Base64 may represent binary, compressed, or encrypted data.

Safe decode workflow

Decode and validate
  1. Decode Base64 or Base64URL to bytes.
  2. Attempt UTF-8 decoding and fail on errors.
  3. Use heuristics to identify JSON or XML.
  4. Validate with a strict parser.
  5. Parse only if required.
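
The five steps above as one Python function. This is an added example, not code from the original guide; the 64 KiB size cap and the names decode_structured, b64_to_bytes, check_xml and RejectedPayload are assumptions made for the illustration, and the DTD refusal is done here with the standard library's expat handlers.

```python
import base64, json
from xml.parsers import expat

MAX_ENCODED_LEN = 64 * 1024  # assumed cap on encoded input; tune per application
class RejectedPayload(ValueError):
    """Raised when any step of the workflow fails."""

def _forbid(*_args):
    raise RejectedPayload("XML DTD/entity declaration or non-standard JSON constant")

def b64_to_bytes(text: str) -> bytes:
    if len(text) > MAX_ENCODED_LEN:
        raise RejectedPayload("encoded input exceeds size cap")
    std = text.strip().replace("-", "+").replace("_", "/")  # Base64URL -> standard
    std += "=" * (-len(std) % 4)                            # restore omitted padding
    try:
        return base64.b64decode(std, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise RejectedPayload(f"invalid Base64: {exc}") from exc

def check_xml(text: str) -> None:
    parser = expat.ParserCreate()
    parser.StartDoctypeDeclHandler = _forbid  # refuse any <!DOCTYPE ...>
    parser.EntityDeclHandler = _forbid        # refuse entity declarations
    try:
        parser.Parse(text, True)
    except expat.ExpatError as exc:
        raise RejectedPayload(f"invalid XML: {exc}") from exc

def decode_structured(text: str):
    """Return ("json", value) or ("xml", text); raise RejectedPayload otherwise."""
    raw = b64_to_bytes(text)                            # step 1
    try:
        decoded = raw.decode("utf-8", errors="strict")  # step 2
    except UnicodeDecodeError as exc:
        raise RejectedPayload("decoded bytes are not UTF-8 text") from exc
    head = decoded.lstrip()[:1]                         # step 3: first-character heuristic
    if head in ("{", "["):
        try:                                            # step 4: strict parse, no NaN/Infinity
            return "json", json.loads(decoded, parse_constant=_forbid)
        except ValueError as exc:
            raise RejectedPayload(f"invalid JSON: {exc}") from exc
    if head == "<":
        check_xml(decoded)
        return "xml", decoded
    raise RejectedPayload("text is neither JSON nor XML")

# Constructed samples: the page's two example payloads as unpadded Base64URL.
SAMPLE_JSON = base64.urlsafe_b64encode(b'{"user":"ada","roles":["admin"]}').decode().rstrip("=")
SAMPLE_XML = base64.urlsafe_b64encode(b'<user role="admin">ada</user>').decode().rstrip("=")
```

XML is returned as validated text rather than a parsed tree, in line with step 5; JSON comes back parsed because the strict parse is the validation.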

Common decode outcomes

  • Invalid Base64 causes decode errors.
  • Valid Base64 may decode to non-UTF-8 bytes.
  • UTF-8 text may still be invalid JSON or XML.
  • Payloads may contain compressed or encrypted data.

Quick examples

Example

Decoded Base64 revealing valid JSON.

JSON payload
{"user":"ada","roles":["admin"]}
Example

Decoded Base64 revealing valid XML.

XML payload
<user role="admin">ada</user>

Tools to use

JWTs commonly use Base64URL without padding.
Always decode and validate before trusting claims.

When not to decode

  • When the data is explicitly encrypted.
  • When payload size is unbounded or untrusted.
  • When decoding could trigger decompression bombs.

Standards and references

  • RFC 4648: Base64 and Base64URL encoding.
  • RFC 8259: The JSON data interchange format.
  • W3C XML 1.0: Extensible Markup Language specification.
  • RFC 3629: UTF-8 text encoding.

Practical check

  • Decode Base64 to bytes.
  • Confirm UTF-8 before parsing.
  • Validate JSON or XML strictly.
  • Re-encode only after safe changes.

FAQ

Is Base64 secure? No. Base64 is fully reversible and provides no confidentiality.

How do I identify JSON or XML? Use heuristics, then confirm by validating with the correct parser.

Does decoded Base64 always contain text? No. It may be binary, compressed, encrypted, or signed data.

Should Base64URL be handled differently? Yes. Base64URL uses different characters and may omit padding.

You can now decode Base64 payloads and safely validate JSON or XML.