What kinds of payloads can this scan?

Any text-based payload: JSON API responses, HTML source, XML documents, JavaScript files, CSV exports, or plain text. The tool finds all data:*;base64,... patterns in the text.

What does "detect standalone Base64" do?

This option also looks for long strings of base64 characters that are not wrapped in a data URI. Useful for API tokens, certificates, or embedded binaries — though it may produce false positives on random-looking strings.

Can I download individual artifacts?

Yes. Each detected artifact shows its MIME type and estimated file size, and has a Download button to save it to your device.

Yes. Scanning and extraction both run entirely in your browser. Your payload is never sent to any server.

Can this extract base64 strings that are split across multiple JSON fields?

Yes, as long as each individual field value is a complete, unbroken base64 or data URI string. The extractor scans for complete patterns and cannot reassemble a base64 payload that has been split and stored in separate fields.

What is the input size limit?

The free tier accepts payloads up to 2 MB of text, which covers typical API response bodies. For larger payloads such as database exports, upgrade to Pro.

How many artifacts can be extracted?

The free tier shows up to 50 artifacts per scan to keep the UI performant. If your payload contains more, the first 50 are displayed. Pro removes this limit.

Base64 Payload Extractor

Scan any payload for hidden base64 or data URI artifacts, view their MIME type and size, and download each one with a single click.

Updated June 2026

Files never leave your browser

JSON or text payload

Also detect standalone Base64 strings (may produce false positives)

All scanning and extraction runs in your browser. Nothing is uploaded to any server.

How to use Base64 Payload Extractor

The Base64 Payload Extractor scans any JSON body, HTML source, XML document, or plain text for embedded base64 data URIs and surfaces each one as a named, downloadable artifact. Engineers use it to debug API responses that embed images or files as base64 strings, to audit HTML for inlined resources that should be served from a CDN instead, and to recover assets from exported JSON or database dumps. All scanning is done locally in your browser — large payloads never leave your device.

Paste your JSON payload, HTML source, or any text into the input field.
Optionally enable "Also detect standalone Base64 strings" to catch raw base64 values not wrapped in a data URI.
Click "Scan Payload" to identify all embedded base64 artifacts.
Review each artifact card: it shows the detected MIME type, estimated decoded file size, and a preview for images and text types.
Click the Download button on any artifact card to save the decoded file to your device.

Your data never leaves your device — 100% private processing.

Finding embedded data URIs in JSON and API responses

Modern REST and GraphQL APIs sometimes transmit files as base64-encoded strings inside JSON fields instead of returning a URL. Common patterns include {"avatar":"data:image/png;base64,...","certificate":"data:application/x-pem-file;base64,..."}. Finding and extracting these values manually requires string searching, parsing the MIME type, stripping the prefix, and running atob() — all tedious steps. This extractor automates the whole pipeline: it runs a single regular expression over the text, groups matches by MIME type, builds a Blob for each decoded payload, and presents them all in a list ready for download. It handles arbitrarily deep nesting in JSON, multiple occurrences of the same MIME type, and data URIs spread across minified or pretty-printed text alike.

Typical base64 data URI locations in JSON payloads
Context	Field pattern	Typical MIME type
Profile API	"avatar": "data:image/png;base64,..."	image/png or image/jpeg
Document API	"preview": "data:application/pdf;base64,..."	application/pdf
Email API	"attachment": "data:application/zip;base64,..."	application/zip
Font embedding	"font": "data:font/woff2;base64,..."	font/woff2
Config export	"logo": "data:image/svg+xml;base64,..."	image/svg+xml

Standalone Base64 detection and avoiding false positives

With the "detect standalone Base64" option enabled, the extractor also searches for long strings that match the base64 alphabet but are not wrapped in a data URI prefix. This covers raw base64 values in JSON fields like "thumbnail":"iVBORw0KGgo..." and PEM-formatted certificates whose header lines are absent. Because any sufficiently long alphanumeric string could look like base64, this mode can produce false positives — for example, UUIDs, API tokens, or SHA-256 hashes. The extractor mitigates this by requiring a minimum length of 64 characters, which significantly reduces noise without missing real payloads. Enable this option when you know the payload contains raw base64 fields and disable it to keep the results clean when scanning HTML or XML that contains many short alphanumeric strings.

Worked examples

Extract from a profile API response

Inputs: {"avatar":"data:image/png;base64,iVBOR...","bg":"data:image/webp;base64,UklG..."}

Result: 2 artifacts found — image/png (4.2 KB) · image/webp (2.1 KB)

Extract from an HTML email

Inputs: <img src="data:image/gif;base64,R0lGOD..." alt="logo">

Result: 1 artifact — image/gif (1.8 KB), inline preview shown

Glossary

Data URI: An RFC 2397 scheme that embeds file content as data:<mime>;base64,<payload> inside a string.
Artifact: In this tool, a single extracted file decoded from a data URI or standalone base64 string found in the payload.
False positive: A string detected as base64 that is actually a different kind of opaque token — UUID, hash, or API key — not a file payload.
MIME type: A content-type label (e.g. image/png, application/pdf) that identifies how the decoded bytes should be interpreted.
Blob URL: A temporary browser-local URL (blob:...) created from decoded bytes that the browser can use to offer a file download.

Frequently Asked Questions

Free · No spam

Get weekly tool tips & updates

New tools, power-user tips, and productivity hacks — delivered free every Friday.

No spam, ever. Unsubscribe with one click.

Why use Base64 Payload Extractor?

Instantly locate all data:*;base64,... embedded artifacts in any JSON or text payload
Preview images and text artifacts inline without saving them first
One-click download of each decoded artifact with the correct file extension
Optional standalone base64 detection for raw field values not wrapped in a data URI

Common use cases

Extract all images from a REST API response that encodes thumbnails as base64 data URIs
Audit an HTML email template to find and externalize inlined assets that increase size
Recover a PDF or ZIP attachment from a webhook payload stored as a base64 JSON field
Debug an API integration by inspecting every embedded file payload in a GraphQL response

Related Developer Tools

Data URI to File

Paste any data URI and instantly decode it to a downloadable file. Supports all MIME types — images, PDFs, audio, JSON, and more. Runs entirely in your browser.

Base64 Encoder & Decoder

Encode text or files to Base64, or decode Base64 strings back to text. Fast, free, and runs entirely in your browser.

JSON Formatter & Validator

Format, validate, and minify JSON instantly. Includes syntax highlighting, error detection, and a collapsible tree view — free, private, in-browser.

Regex Tester

Test and debug regular expressions online. See live matches, capture groups, and replace output. Free, private, instant.

URL Encoder / Decoder

Encode and decode URLs and URL components online. Convert special characters to percent-encoding and back instantly — free, private, and fast.

HTML Encoder / Decoder

Encode and decode HTML entities online. Escape <, >, &, and quote characters for safe HTML display. Free, instant, and private — runs in your browser.

Explore all Developer Tools.