Magic Decoder

Encoding is not encryption

Base64, hex, URL percent-encoding, ROT13, and the rest are reversible transforms that anyone can undo without a key. They exist to move binary or awkward characters safely through text channels, not to keep a secret. Seeing Base64 in a sample tells you the author wanted to hide intent from a casual reader, not that the data is protected. Treat a successful decode as "made readable," never as "decrypted."

Why attackers stack layers

Malware and phishing kits often wrap a payload several times: Base64 around a gzip blob around more Base64, for example. Each layer defeats simple string searches and signature rules. Peeling them one at a time is the everyday first step of triage. When a result here still looks like Base64 or hex, that is the hint to decode it again, which the per-result button does for you.

Reading the standards

Base64, Base64URL, Base32, and hex are all defined in RFC 4648. URL percent-encoding is RFC 3986. ROT13 and ROT47 are simple Caesar-style letter rotations with no formal RFC. HTML character references are part of the HTML specification. gzip is RFC 1952 and raw DEFLATE is RFC 1951, both decoded here through the browser's native DecompressionStream where it is available.

False positives are normal

Many inputs will "decode" under several codecs because the math succeeds even when the result is meaningless. A random hex string is also a valid Base64 string, and Base64 of binary data often produces unreadable bytes. That is why each result carries a readability score and why the best-guess pick favors output that is mostly printable text. A high score is a strong signal, not a proof; always sanity-check the decoded value against the context it came from.

Safety

Decoded values are shown as plain text only and are never executed, rendered as HTML, or sent anywhere. A decoded string can still contain a malicious URL or command, so copy it into a safe, isolated environment before doing anything with it.