How to Use an XOR Cipher to Encode and Decode Text

To use an XOR cipher, enter a key, type your text, and the tool combines every byte of your text with the repeating key to produce an encoded hex or Base64 string; feeding that string and the same key back in decodes it to the original. Because XOR is its own inverse, one key both scrambles and restores your message, and it all runs locally in your browser.

This guide covers exactly how to encode, how to decode, and why the output looks the way it does — useful whether you are learning bitwise ciphers or hiding a flag in a CTF challenge.

What an XOR cipher actually does

XOR (exclusive-or) compares two bits and returns 1 only when they differ. The cipher applies this bit by bit between your text's bytes and the bytes of a key that repeats across the whole message. Apply the key once and the text scrambles; apply the same key to the scrambled result and you get the original back. That symmetry is the whole trick — encoding and decoding are the same operation with the same key.

Step-by-step: encoding text

  1. Choose Encode to go from text to an encoded string.
  2. Enter your key. This is the secret that scrambles the data; you will need the exact same key to decode.
  3. Type or paste your text into the input.
  4. Pick an output format — hexadecimal or Base64 — for the encoded result.
  5. Read and copy the result shown below.

Step-by-step: decoding a string

  1. Switch to Decode.
  2. Enter the exact same key used during encoding — a wrong key yields unreadable output.
  3. Paste the hex or Base64 string.
  4. Read the recovered text. The tool converts the string back to bytes, XORs with your key, and shows the UTF-8 result.

Why the output is hex or Base64

XORing text almost always produces bytes that are not printable characters. If shown raw, they would appear as garbage or break when pasted into another app. Encoding the result as hexadecimal or Base64 wraps those raw bytes in safe, copyable characters that survive being emailed, pasted, or stored anywhere. Here is how the two formats compare:

Format       | Character set        | Best for
Hexadecimal  | 0-9, a-f             | Debugging, seeing byte values clearly
Base64       | A-Z, a-z, 0-9, +, /  | Compact strings, embedding in text
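
The encode and decode steps above, with the hex or Base64 output choice, written out as an added JavaScript example. It is not the tool's own source, and names such as xorEncode and xorDecode are assumptions. It also shows that a wrong key raises no error: the mismatch is only detectable when the result happens not to be valid UTF-8.

```javascript
// Added example, not the tool's source; function names are illustrative.
const utf8 = new TextEncoder();

// XOR each data byte with the key byte at the same offset, repeating the key.
function xorBytes(data, key) {
  if (key.length === 0) throw new Error("key must not be empty");
  return data.map((b, i) => b ^ key[i % key.length]);
}

const toHex = (bytes) =>
  Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
function fromHex(hex) {
  if (!/^([0-9a-fA-F]{2})*$/.test(hex)) throw new Error("invalid hex string");
  return Uint8Array.from(hex.match(/../g) ?? [], (h) => parseInt(h, 16));
}
// Fine for short messages; very long inputs would need chunking here.
const toBase64 = (bytes) => btoa(String.fromCharCode(...bytes));
const fromBase64 = (b64) => Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));

// Text -> UTF-8 bytes -> XOR with repeating key -> hex or Base64 string.
function xorEncode(text, key, format = "hex") {
  const out = xorBytes(utf8.encode(text), utf8.encode(key));
  return format === "base64" ? toBase64(out) : toHex(out);
}

// Hex or Base64 string -> bytes -> XOR with key -> UTF-8 text.
// ok is false when the recovered bytes are not valid UTF-8, which can only
// happen with a wrong key or a damaged string. ok being true does not prove
// the key was right: a wrong key can still yield printable text.
function xorDecode(encoded, key, format = "hex") {
  const raw = format === "base64" ? fromBase64(encoded) : fromHex(encoded);
  const bytes = xorBytes(raw, utf8.encode(key));
  try {
    const strict = new TextDecoder("utf-8", { fatal: true });
    return { ok: true, text: strict.decode(bytes) };
  } catch {
    return { ok: false, text: new TextDecoder().decode(bytes) };
  }
}

// Constructed sample values.
console.log(xorEncode("Hi", "k"));           // "2302"
console.log(xorEncode("Hi", "k", "base64")); // "IwI="
console.log(xorDecode("2302", "k"));         // right key: "Hi"
console.log(xorDecode("2302", "K"));         // wrong key, no error: "hI"
console.log(xorDecode(xorEncode("é", "k"), " ").ok); // invalid UTF-8: false
```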

An important caveat and the privacy angle

This is obfuscation, not encryption. A repeating-key XOR is easy to break if the key is short or reused, so never trust it with genuinely sensitive data — for that, use a proper AES tool. What it is excellent at is learning, puzzles, and lightweight scrambling. On privacy, all the XOR maths runs on UTF-8 bytes locally in your browser, so nothing you type is uploaded or stored, and the tool works offline once loaded.

Try the XOR Cipher Encoder & Decoder — free and 100% in your browser.

FAQ

Do I use the same key to encode and decode?

Yes. XOR is symmetric, so the identical key both scrambles and restores the message. Keep the key safe and share it separately from the encoded string; without the key, nobody can decode the message.

Should I choose hex or Base64 when encoding?

Pick hex when you want to inspect the raw byte values or paste into something that expects hex; pick Base64 when you want a shorter, denser string to embed in text. Both decode back to the same original with the right key.

What happens if I enter the wrong key when decoding?

You get unreadable output. XOR does not error on a wrong key — it simply produces different bytes — so garbled text is the signal that the key does not match.

Can I XOR non-English text and emoji?

Yes. The tool works on full UTF-8 byte sequences, so accented characters, non-Latin scripts and emoji all encode and decode correctly as long as the key matches.

Built by ByteVancer

ByteTools is a free product of ByteVancer, a software and web development studio building web apps, SaaS and custom software. If you need real security engineering or custom developer tooling, explore what ByteVancer can build for you.