What Base64 encoding is
Base64 is an encoding scheme that converts binary data into a string of ASCII characters. It takes any input — bytes, images, files, raw text — and produces an output that contains only letters (A-Z, a-z), digits (0-9), plus (+), slash (/), and equals (=) for padding.
The “64” in Base64 refers to the 64 characters used in the encoding. Every 3 bytes of input become 4 Base64 characters, so the output is approximately 33% larger than the input.
Encode and decode Base64 instantly with Base64 Encode / Decode.
Why Base64 exists: the transmission problem
Many systems were designed to handle text, not arbitrary binary data. Email protocols, XML documents, HTML attributes, JSON values, and URL parameters all have restrictions on which bytes they can safely carry. Binary data contains bytes that have special meaning in these contexts — null bytes, line breaks, control characters — which can corrupt or truncate the data during transmission.
Base64 solves this by converting binary to a predictable, safe set of printable characters that any text-based system can handle without modification.
Common uses of Base64 encoding
Embedding images in HTML and CSS — instead of linking to an external image file, you can embed the image data directly: <img src="data:image/png;base64,iVBOR...">. Useful for small icons in environments where external requests are restricted, or for single-file HTML documents.
Email attachments — the MIME standard uses Base64 to encode file attachments for transmission over email protocols that only handle 7-bit ASCII.
JSON Web Tokens (JWTs) — the header and payload sections of a JWT are Base64url-encoded (a URL-safe variant that uses - and _ instead of + and /). This allows the token to be safely transmitted in URLs and HTTP headers.
API authentication — HTTP Basic Authentication encodes the username:password string as Base64 and sends it in the Authorization header. Note that Base64 is not encryption — the credentials can be decoded by anyone who intercepts the header.
Storing binary data in text formats — embedding public keys, certificates, and cryptographic signatures in configuration files and JSON responses uses Base64 to keep the data in a text-safe format.
Base64 is not encryption
This is the most important thing to understand about Base64: encoding is not encryption. A Base64-encoded string can be decoded by anyone instantly with no key or password. It provides no confidentiality.
Base64 is a reversible transformation for format compatibility, not a security measure. The following strings are equally exposed:
password123cGFzc3dvcmQxMjM=(the same string, Base64-encoded)
Anyone who sees the second string can decode it immediately. If you need to protect data, use actual encryption (AES, RSA) rather than Base64.
HTTP Basic Authentication (mentioned above) relies on HTTPS to provide security — the Base64 encoding is only there for format compatibility, not protection.
Base64 vs. URL encoding
Both Base64 and URL encoding convert data into a safe format for specific contexts, but they’re designed for different problems.
Use Base64 when encoding binary data (files, images, byte arrays) or when you need to embed arbitrary data in a text format like JSON or XML.
Use URL encoding when encoding a string value to be placed in a URL query parameter or path segment. URL encoding preserves readability — hello world becomes hello%20world — while Base64 produces an unreadable string.
Use URL Encode / Decode for URL contexts and Base64 for binary-to-text conversions.
Decoding JWTs with Base64
JWT tokens are structured as three Base64url-encoded segments separated by dots: header.payload.signature. Decoding the middle segment (the payload) reveals the claims object — user ID, expiration time, roles, and any custom fields.
This is useful for debugging authentication issues: if a request is being rejected, decoding the JWT payload shows whether the token has expired, whether the user has the required role, and whether the issuer claim matches what the server expects.
Use JWT Decoder for a structured view of JWT contents, or Base64 Encode / Decode to manually decode any Base64-encoded segment.
Recognizing Base64 in the wild
Base64-encoded strings have a recognizable appearance: they consist only of alphanumeric characters plus +, /, and trailing = padding, and their length is always a multiple of 4. A string that ends in == has had two bytes of padding added, meaning the original data’s byte count wasn’t a multiple of 3.
If you encounter an unfamiliar string in an API response, log file, or configuration value that looks like dXNlVG9vbA==, it’s almost certainly Base64-encoded. Decoding it often reveals a human-readable value or structured data that makes the system’s behavior immediately clearer.