Base64 explained: what it is, what it isn't, and when to use it

# What it is

Base64 is an encoding that turns arbitrary bytes into 64 printable ASCII characters: A–Z, a–z, 0–9, plus + and / (with = for padding).

It exists because a lot of older protocols — email (SMTP), URLs, JSON — assume text, not raw bytes. Base64 is the universal "make my bytes safe to put in a string" tool.

# What it isn't

<div class="callout callout-warning" role="note"><div class="callout-title">Warning</div><div class="callout-body"><p><strong>Base64 is not encryption.</strong> Anyone can decode it back to the original bytes in a fraction of a second. If you see Base64 in a config file, treat its contents as plaintext.</p></div></div>

SGVsbG8gV29ybGQ=  →  Hello World

That's it. No password. No magic. Just an alphabet swap.

# Where you'll see it

• Data URLs: data:image/png;base64,iVBORw0KG… embeds a tiny image right in your HTML or CSS.
• JWTs: each of the three parts is a Base64URL-encoded JSON object. See our JWT guide.
• Email attachments: SMTP can only handle 7-bit ASCII; binary attachments are Base64-encoded.
• TLS certificates: PEM files are Base64 wrapped between -----BEGIN…----- markers.
• OAuth client secrets in headers: Authorization: Basic followed by Base64.

# Base64 vs Base64URL

Standard Base64 uses + and / — but those have meaning in URLs. Base64URL swaps them for - and _ and drops the trailing = padding. JWTs use Base64URL.

# When to reach for it

• Embedding small binary blobs in text-based formats.
• Transmitting bytes over a text-only channel.
• Encoding a hash digest for display.

# When not to

• Storing user data — adds 33% size overhead and zero security.
• "Hiding" passwords or API keys — it hides nothing.
• General compression — it's the opposite of compression.

# Try it

Encode and decode anything in your browser with our Base64 tool, or peek inside a JWT with the JWT Decoder.

# Related tools

• Base64 Encode / Decode
• URL Encode / Decode
• JWT Decoder