Common Base64 Uses
- Data URIs for embedding images in HTML/CSS
- JWT (JSON Web Token) authentication
- Email MIME attachments
- API Basic Authentication headers
- Embedding binary data in JSON
Base64 Character Set
A–Z (26 characters)
a–z (26 characters)
0–9 (10 characters)
+ and / (2 characters)
= padding (1 or 2 at end)
URL-safe: replaces + → - and / → _
How to Use This Base64 Encoder and Decoder
Select the mode you need using the Encode or Decode tab at the top of the tool. In Encode mode, type or paste any plain text into the input area and the Base64 output appears instantly as you type. In Decode mode, paste a Base64 string and the decoded plain text appears in the output area immediately. Two options let you customize the output: enable URL-safe Base64 to replace + with - and / with _, which is required for JWTs and URL query parameters; enable Single line output to remove the MIME-standard line breaks inserted every 76 characters. Once you have your result, click Copy Output to send it to your clipboard. Clear All resets both the input and output areas so you can start fresh.
What Is Base64 Encoding and Why Was It Created?
Base64 encoding was invented to solve a specific problem: transmitting binary data through systems designed only for 7-bit ASCII text. In the early days of email, the SMTP protocol could only handle printable ASCII characters. Sending a binary file — an image, an archive, an executable — meant the file would arrive corrupted because systems would strip or alter bytes outside the safe range. Base64 was formalized in the MIME specification (RFC 989, published in 1987) as a reliable way to represent any binary data using only 64 characters drawn from the printable ASCII range. The name comes directly from this character count: 64 distinct characters that every ASCII-compatible system handles identically. Today, Base64 is used far beyond email — anywhere binary data must travel through a text-only channel.
How Base64 Works — The Encoding Process Explained
Base64 encoding works by grouping input bytes into sets of three (24 bits total) and then splitting each group into four 6-bit values. Each 6-bit value maps to one of 64 characters: uppercase A through Z map to values 0–25, lowercase a through z map to 26–51, digits 0–9 map to 52–61, + maps to 62, and / maps to 63. If the input is not a multiple of 3 bytes, padding characters (=) are appended to bring the output to a multiple of 4 characters. This is why every Base64 string has a length that is a multiple of 4. A 3-byte input always produces exactly 4 output characters, so a 100-byte input produces approximately 136 Base64 characters — a roughly 33% size increase, which is the inherent overhead of the encoding.
Common Uses for Base64 in Web Development
Web developers encounter Base64 in several practical contexts every day. Data URIs embed images directly into HTML or CSS without a separate file request: data:image/png;base64,iVBORw0KGgo... is a Base64-encoded PNG inline in a stylesheet. JWT tokens use URL-safe Base64 to encode their header and payload sections — the three dot-separated sections of a JWT are each Base64url-encoded JSON objects. HTTP Basic Authentication encodes credentials as Authorization: Basic dXNlcjpwYXNz, where the value is the Base64 encoding of username:password. Web fonts are sometimes embedded in CSS files as Base64 to eliminate a network request. Binary payloads in JSON APIs — such as file uploads or cryptographic signatures — are routinely Base64-encoded since JSON natively only supports text strings.
URL-Safe Base64 vs Standard Base64
Standard Base64 uses two characters that cause problems in URLs: + (which means "space" in URL-encoded form) and / (which means "path separator"). If a Base64 string containing these characters appears in a URL query parameter, HTTP clients and servers may misinterpret or truncate it. URL-safe Base64 — defined in RFC 4648, Section 5 — fixes this by substituting - (hyphen) for + and _ (underscore) for /. These replacement characters have no special meaning in URLs and require no percent-encoding. Both variants produce the same decoded output; the only difference is the two substituted characters. When working with JWTs, OAuth access tokens, or any Base64 data that will appear in a URL path or query string, always use URL-safe Base64. This tool's URL-safe option handles the substitution automatically in both encode and decode directions.
Base64 in JWTs and API Authentication
JSON Web Tokens rely on Base64url encoding throughout their structure. A JWT consists of three dot-separated sections: header.payload.signature. Both the header and payload are Base64url-encoded JSON objects, making them readable by anyone who decodes them — which is an important security consideration. The signature section is a cryptographic hash of the header and payload, Base64url-encoded. Because the header and payload are only encoded, not encrypted, JWTs should never contain sensitive secrets like passwords; they should be treated as signed but public claims. For HTTP Basic Authentication, credentials are encoded with standard (not URL-safe) Base64: the string username:password is encoded and placed in the Authorization header as Basic [encoded-value]. Remember: Base64 is encoding, not encryption. It provides no security on its own and is trivially reversible by anyone who can read it.
When Not to Use Base64 Encoding
Base64 is the right tool only when you need to represent binary data as safe ASCII text. There are several scenarios where it is the wrong choice. Never use Base64 as a security measure for passwords, API keys, or sensitive data — it is completely reversible and offers no protection whatsoever. If someone intercepts or reads Base64-encoded credentials, they can decode them in seconds. For large file transfers, Base64's 33% size overhead becomes significant: a 10 MB file becomes approximately 13.5 MB when Base64-encoded, adding latency and bandwidth cost. Use proper binary file upload APIs (multipart/form-data) instead of encoding files to Base64 in JSON requests. For storing passwords, use a proper one-way hashing algorithm like bcrypt, Argon2, or scrypt — never Base64. In short, use Base64 when a text-only channel requires it, and choose the right tool for security and large binary transfers.
Related Articles
Expert guides and educational resources to help you master the math.
Base64 Encoding Explained: What It Is, How It Works, and When to Use It
Base64 shows up in JWTs, data URIs, API headers, and email attachments — but what actually is it? Here's a clear explanation of how Base64 encoding works and when you should (and shouldn't) use it.