You've seen it before — a long string of letters, numbers, and the occasional +, /, and = sign. It looks encrypted. It's not. It's Base64, and understanding what it actually does will save you from a lot of confusion (and occasional security mistakes).
What Is Base64?
Base64 is a way to represent binary data using only printable ASCII characters. It takes any data — a file, an image, a string — and converts it into a string made up of just 64 characters: A–Z, a–z, 0–9, +, and /, with = used for padding.
Why 64? Because 64 is a power of 2 (2⁶), so each Base64 character carries exactly 6 bits. Every 3 bytes of input (24 bits) becomes 4 Base64 characters. That means Base64-encoded data is always about 33% larger than the original.
A Quick Example
The string Hello in Base64:
Hello → SGVsbG8=
And decoded back:
SGVsbG8= → Hello
You can verify this yourself using the Base64 Encoder/Decoder — paste either side and convert instantly.
Why Does Base64 Exist?
Many systems were designed to handle text — not arbitrary binary data. Email protocols, HTTP headers, JSON, XML — they all have characters that carry special meaning or that can't reliably transport raw binary bytes.
Base64 solves this by converting binary into a safe, universally printable text format that can pass through any text-based system without corruption.
When to Use Base64
| Use Case | Example |
|---|---|
| Embedding images in HTML/CSS | src="data:image/png;base64,..." |
| Sending binary data in JSON | File upload payloads in REST APIs |
| HTTP Basic Authentication | Authorization: Basic dXNlcjpwYXNz |
| Email attachments (MIME) | How your email client sends files |
| Storing binary data in databases | Images, certificates, keys as text fields |
| JWT tokens | The header and payload sections are Base64url encoded |
When NOT to Use Base64
- To hide passwords or secrets — it's trivially reversible. Use proper hashing (bcrypt, Argon2) for passwords, and encryption (AES) for secrets that need to be recovered.
- To compress data — Base64 makes data larger, not smaller.
- For large files in web requests — embedding large images as Base64 data URIs bloats your HTML and can't be cached separately by the browser. Use regular image URLs instead.
Base64 vs URL-Safe Base64
Standard Base64 uses + and /, which have special meanings in URLs. URL-safe Base64 (also called Base64url) replaces them with - and _, making the output safe to use in URLs and filenames without encoding.
You'll see Base64url specifically in JWT tokens and OAuth flows. DevToolShack has both — the standard Base64 Encoder/Decoder and a dedicated URL-Safe Base64 tool.
How to Use Base64 in Code
In JavaScript (browser):
```javascript
// Encode (btoa accepts only Latin-1 characters and throws on anything outside that range)
const encoded = btoa("Hello, World!");
// "SGVsbG8sIFdvcmxkIQ=="

// Decode
const decoded = atob("SGVsbG8sIFdvcmxkIQ==");
// "Hello, World!"
```
In Node.js:
```javascript
// Encode
const encoded = Buffer.from("Hello, World!").toString("base64");

// Decode
const decoded = Buffer.from("SGVsbG8sIFdvcmxkIQ==", "base64").toString("utf8");
```
In Python:
```python
import base64

# Encode
encoded = base64.b64encode(b"Hello, World!").decode("utf-8")
# 'SGVsbG8sIFdvcmxkIQ=='

# Decode
decoded = base64.b64decode("SGVsbG8sIFdvcmxkIQ==").decode("utf-8")
# 'Hello, World!'
```
Reading Base64 in HTTP Headers
HTTP Basic Auth sends credentials as username:password encoded in Base64:
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
Decoding dXNlcm5hbWU6cGFzc3dvcmQ= gives you username:password — in plain text. This is why Basic Auth must always be used over HTTPS. The Base64 encoding does absolutely nothing to protect the credentials from someone who can intercept the request.
The Padding Characters (=)
Base64 works in groups of 3 input bytes → 4 output characters. If your input isn't a multiple of 3 bytes, the output is padded with = signs to make the length a multiple of 4. You'll see one or two = signs at the end of a Base64 string — never more than two.
Some implementations omit the padding (especially URL-safe Base64). Both are valid; most decoders handle both variants automatically.
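The Basic Auth and padding sections above can be combined into one tolerant decoder. This is an added example, not code from the original article: the function names and the sample JWT are constructed for illustration. Python's `b64decode` is one decoder that rejects unpadded input, so the helper restores padding itself before decoding.

```python
import base64
import binascii
import json

# Constructed sample token (signature part is a placeholder, never checked).
DEMO_JWT = "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSIsImFkbWluIjpmYWxzZX0.c2ln"


def b64_decode_any(text: str) -> bytes:
    """Decode standard or URL-safe Base64, with or without '=' padding."""
    # Map the URL-safe alphabet (- and _) back to the standard one (+ and /).
    normalized = text.strip().replace("-", "+").replace("_", "/")
    # Restore padding to a multiple of 4; b64decode rejects unpadded input.
    normalized += "=" * (-len(normalized) % 4)
    # validate=True raises on characters outside the alphabet instead of skipping them.
    return base64.b64decode(normalized, validate=True)


def parse_basic_auth(header_value: str) -> tuple:
    """Return (username, password) from an Authorization header value."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise ValueError("not a Basic credential")
    try:
        decoded = b64_decode_any(token).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic credential") from exc
    # Split on the first colon only: the password may itself contain ':'.
    username, sep, password = decoded.partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return username, password


def jwt_claims(token: str) -> dict:
    """Read a JWT payload WITHOUT verifying the signature (inspection only)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64_decode_any(parts[1]))


if __name__ == "__main__":
    # Header value from the article: no key or secret is needed to read it.
    print(parse_basic_auth("Basic dXNlcm5hbWU6cGFzc3dvcmQ="))
    print(jwt_claims(DEMO_JWT))
```

Neither function uses a key: anything placed in a Basic credential or a JWT payload is readable by whoever holds the string, so confidentiality has to come from TLS and integrity from verifying the JWT signature.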