Base64 Encoding Explained: What It Is and When to Use It
Base64 encoding shows up everywhere in software development: embedded images in CSS, JSON Web Tokens, HTTP Basic authentication headers, email attachments, and binary data in JSON APIs. Yet many developers use it without fully understanding what it does — and, crucially, what it doesn't do. This guide explains Base64 from first principles.
What is Encoding?
Encoding is the process of converting data from one format to another for compatibility or transport purposes. It is always reversible — the original data can be recovered by anyone who knows the encoding scheme. Encoding is not a security mechanism; it provides no confidentiality whatsoever.
This is distinct from encryption (which requires a key to reverse) and hashing (which is a one-way transformation). Confusing encoding with encryption is one of the most dangerous mistakes a developer can make.
How Base64 Works
Binary data is a stream of bytes — values from 0 to 255. Some bytes are not safely transmissible over text-based systems (email protocols, HTTP headers, JSON strings) because they have special meaning or are invisible control characters. Base64 solves this by representing arbitrary binary data using only 64 printable ASCII characters.
The algorithm works in three-byte chunks:
- Take 3 bytes (24 bits) of input data.
- Split into four 6-bit groups.
- Map each 6-bit value (0–63) to a character in the Base64 alphabet.
Because 3 bytes become 4 characters, Base64 encoding increases data size by approximately 33%. If the input length is not a multiple of 3, padding characters (=) are appended to make the output length a multiple of 4.
Input bytes: 77 97 110
Binary: 01001101 01100001 01101110
Groups: 010011 | 010110 | 000101 | 101110
Indices: 19 22 5 46
Base64: T W F u → "TWFu"
The Base64 Alphabet
The standard Base64 alphabet consists of 64 characters:
- Uppercase letters A–Z (indices 0–25)
- Lowercase letters a–z (indices 26–51)
- Digits 0–9 (indices 52–61)
- + (index 62) and / (index 63)
- = as a padding character
The + and / characters in standard Base64 are problematic in URLs because they have special meaning in query strings. Always use Base64url encoding (which substitutes - and _) when embedding encoded data in URLs or filenames.
Common Uses of Base64
Data URIs — embed small images, fonts, or SVG directly in HTML or CSS without a separate HTTP request: src="data:image/png;base64,iVBORw0K..."
JSON Web Tokens (JWTs) — a JWT consists of three Base64url-encoded parts (header, payload, signature) separated by dots. The header and payload are readable by anyone; only the signature provides integrity.
HTTP Basic Authentication — credentials are sent as Authorization: Basic <base64(username:password)>. This is only safe over HTTPS — the encoding provides no protection over plain HTTP.
MIME email attachments — email protocols are text-based, so binary attachments (images, PDFs) are Base64-encoded before embedding in the email body.
Binary data in JSON/XML APIs — when an API needs to return binary content (a PDF, an image, a cryptographic key) inside a JSON response, Base64 encoding allows it to be represented as a string.
Base64 vs Base64url
Base64url is a variant defined in RFC 4648 that replaces + with - and / with _, and omits the = padding. This makes the output safe for use in URLs and filenames without percent-encoding. JWTs use Base64url. When in doubt about which variant to use, check whether the encoded string will appear in a URL.
Standard Base64: "SGVsbG8+V29ybGQ="
Base64url: "SGVsbG8-V29ybGQ"
Base64 is Not Encryption
This bears repeating: Base64 is not encryption, not obfuscation, and not a security measure. Decoding a Base64 string requires no key and no special knowledge — it's a standard algorithm built into every programming language. Storing passwords as Base64 is just as dangerous as storing them as plaintext. Sending sensitive data over HTTP as Base64 is just as insecure as sending it unencoded.
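To make the point concrete, the following added example (not part of the original article) recovers the credentials from an HTTP Basic header and the claims from a JWT using nothing but the standard decoder, including the padding that Base64url strips. The function names and the sample header and token are constructed for illustration.

```python
import base64
import json

def b64url_decode(segment):
    """Decode Base64url text whose '=' padding may have been stripped."""
    padded = segment + "=" * (-len(segment) % 4)  # restore length to a multiple of 4
    return base64.urlsafe_b64decode(padded)

def b64url_encode(raw):
    """Encode bytes as unpadded Base64url (used only to build the sample)."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def read_basic_auth(header_value):
    """Recover (username, password) from an 'Authorization: Basic' value."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic authorization value")
    decoded = base64.b64decode(encoded, validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")  # split at the first colon
    if not sep:
        raise ValueError("missing ':' between username and password")
    return user, password

def read_jwt_unverified(token):
    """Return (header, payload) of a JWT. No key is used, nothing is verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))

# Constructed sample values (not real credentials or tokens).
SAMPLE_BASIC = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")
SAMPLE_JWT = ".".join([
    b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
    b64url_encode(json.dumps({"sub": "alice", "role": "admin"}).encode()),
    b64url_encode(b"constructed-signature-bytes"),
])

if __name__ == "__main__":
    print(read_basic_auth(SAMPLE_BASIC))
    print(read_jwt_unverified(SAMPLE_JWT))
```

Anything placed in a JWT payload or a Basic header should therefore be treated as readable by whoever sees the request, and a JWT payload should only be trusted after its signature has been verified.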
Decode Base64 Online
The Base64 Encoder / Decoder at Tools.Fun handles both standard Base64 and Base64url. Paste encoded text to decode it instantly, or encode any string or file for use in your application. It runs entirely in your browser — no data is ever sent to a server.