
2026-07-02
What Is Base64 Encoding and When Should You Actually Use It?
Base64 turns binary data into safe, plain text — it is not encryption. Learn how it works, why output is 33% bigger, and the 4 real use cases (plus 2 misuses).
Base64 is one of the most-met and most-misunderstood tools in web development. The short version: Base64 converts binary data into plain text using 64 safe characters — and it is absolutely not encryption. Anyone can decode it instantly. Here is how it works, where it belongs, and where it does not.
How Base64 works
Binary data is a stream of bytes, but many systems — JSON, XML, email, URLs — can only carry printable text safely. Base64 solves this by re-expressing every 3 bytes (24 bits) as 4 characters drawn from a 64-symbol alphabet: A-Z, a-z, 0-9, + and /, with = as padding.
Text: Hi!
Bytes: 01001000 01101001 00100001
6-bit: 010010 000110 100100 100001
Base64: SGkh
Because 3 bytes become 4 characters, Base64 output is always ~33% larger than the input. That overhead is the price of text-safety.
The 4 legitimate uses
- Data URIs — embedding small images directly in CSS or HTML (
data:image/png;base64,…) to skip an HTTP request. Convert any image with our Image to Base64 tool. - JSON payloads — JSON cannot hold raw bytes, so file uploads and binary fields in APIs travel as Base64 strings.
- Email attachments — SMTP is a text protocol from 1982; every attachment you have ever sent went as Base64 under the hood (MIME).
- JWT tokens — the header and payload of a JSON Web Token are Base64url-encoded JSON, which is why you can paste any JWT into a decoder and read it.
The 2 common misuses
- "Encrypting" secrets. Base64 provides zero secrecy — decoding takes one function call. A password stored as
cGFzc3dvcmQxMjM=is a password stored in plain text. For real protection you need actual encryption (AES) or hashing (SHA-256). - Encoding large files for storage. The 33% size penalty and loss of separate caching make Base64 a bad fit for anything beyond a few kilobytes.
Base64 vs encryption vs hashing
| Base64 | Encryption | Hashing | |
|---|---|---|---|
| Reversible? | Yes, by anyone | Yes, with the key | No |
| Purpose | Transport safety | Secrecy | Integrity / verification |
| Example | Data URIs, JWT | AES, TLS | SHA-256, password storage |
These three get confused constantly, and the confusion causes real vulnerabilities. If you remember one thing: encoding is a format change, not a lock.
Try it yourself
Paste anything into our Base64 Encoder/Decoder — it encodes and decodes instantly in your browser, with a swap button for chained conversions. Nothing is uploaded.
Frequently asked questions
Is Base64 encryption? No. It is a reversible text encoding with no key and no secrecy. Anyone who sees a Base64 string can decode it in milliseconds.
Why does Base64 end with = signs?
Padding. When the input length is not a multiple of 3 bytes, = characters fill the final 4-character block — one = for 2 leftover bytes, two == for 1.
What is Base64url?
A URL-safe variant that swaps + for - and / for _, so encoded data can live in URLs and filenames without percent-encoding. JWTs use it.
Why does my decoded Base64 look like garbage? The original data was probably binary (an image, a PDF), not text. The decoding worked — the bytes just are not human-readable characters.