Base64 is an encoding scheme that converts binary data into a string of printable ASCII characters. You may have encountered it as a long string of letters, numbers, and symbols in an email attachment, an HTML image embed, or an API authentication header. Understanding what Base64 does — and critically, what it does not do — helps you use it correctly and avoid confusing it with encryption.
What Base64 Encoding Does
Binary data (images, files, binary file contents) consists of bytes with values from 0 to 255. Many text-based systems — email protocols, JSON fields, HTML attributes, HTTP headers — were designed to handle only printable ASCII characters (values 32–126). Binary data passed through these systems gets corrupted because non-printable byte values are either dropped or misinterpreted.
Base64 solves this by converting every 3 bytes of binary data into 4 characters drawn from a safe 64-character alphabet (A–Z, a–z, 0–9, +, /). The resulting string is about 33% larger than the original data but is safe to transmit through any text-based system. The receiver decodes it back to the original binary data.
Base64 is Not Encryption
This is the most important thing to understand about Base64. It is an encoding scheme, not a security measure. Anyone who receives Base64-encoded data can decode it instantly — the encoding provides no secrecy, no authentication, and no protection. A Base64-encoded password is just as readable as a plaintext password to anyone who knows it is Base64 (the distinctive padding characters == at the end are a giveaway). Do not use Base64 to "hide" sensitive data.
Where Base64 Is Used
- Email attachments: The MIME standard uses Base64 to encode file attachments so they can be transmitted over email protocols that only handle text.
- Data URIs in HTML/CSS: Images and fonts can be embedded directly in HTML or CSS as Base64 strings, eliminating the need for separate HTTP requests. Common for small icons or inline SVGs.
- API authentication: HTTP Basic Authentication encodes credentials as
Base64(username:password)in the Authorization header. This is purely for transport format compatibility — the credentials are not protected by the encoding. - JSON data fields: Binary data (images, PDFs, cryptographic signatures) embedded in JSON payloads must be Base64-encoded because JSON is a text format.
- JWT tokens: JSON Web Tokens use Base64url (a variant that replaces + with - and / with _ for URL safety) to encode their header and payload sections.
How to Encode and Decode Base64
Use the Base64 Encoder/Decoder to encode text or binary content to Base64 or decode a Base64 string back to its original content. The tool runs entirely in your browser — your data is never sent to a server. This matters when the content you are encoding is sensitive, such as API keys or credentials you need to inspect.
Base64 vs. URL Encoding
Base64 and URL encoding solve different problems. URL encoding (also called percent-encoding) converts special characters in URLs into a safe format for web use — for example, spaces become %20. Base64 converts binary data into ASCII for text-system compatibility. They are sometimes used together: the Base64url variant of Base64 is URL-safe (using - and _ instead of + and /), allowing Base64-encoded data to appear directly in URLs without further escaping. Use the URL Encoder for URL encoding tasks.