Base64 encoding explained — what it is and when to use it
Base64 appears everywhere in web development — API tokens, email attachments, data URIs, JWT tokens — yet many developers use it without understanding what it actually does. This guide explains it clearly.
What is Base64?
Base64 is an encoding scheme that converts binary data into a string drawn from an alphabet of 64 printable ASCII characters (A–Z, a–z, 0–9, +, /). It was designed to safely transmit binary data over text-based systems like email (SMTP) and HTTP headers that were not designed to handle raw bytes.
The name "Base64" comes from the fact that it uses 64 distinct characters to represent data. Each Base64 character encodes 6 bits of data (2⁶ = 64).
How does Base64 encoding work?
- Take the binary input (e.g., the bytes of an image or a string).
- Group the bytes into 3-byte chunks (24 bits).
- Split each 24-bit chunk into four 6-bit groups.
- Map each 6-bit group to one of the 64 Base64 characters.
- Pad with = characters if the input length is not divisible by 3.
Example: the string Hi! encodes to SGkh in Base64. The encoded output is always about 33% larger than the original.
Common use cases
- API authentication — Basic Auth sends credentials as username:password encoded in Base64 in the Authorization header.
- JWT tokens — The header and payload sections of a JSON Web Token are Base64url-encoded (a variant with - and _ instead of + and /).
- Data URIs — Embedding small images directly in HTML or CSS: src="data:image/png;base64,iVBORw..."
- Email attachments — MIME protocol uses Base64 to encode binary attachments so they survive transit through SMTP servers.
- Storing binary in JSON — JSON is text-only, so binary data (files, images, keys) is often Base64-encoded before being stored in JSON fields.
Base64 is NOT encryption
This is the most important thing to understand: Base64 is reversible by anyone, instantly, with no key required. It provides zero security. Never use Base64 to "hide" passwords, API secrets, or sensitive data.
A common mistake is to see a Base64 string and assume it is encrypted. It is not — it is just encoded for safe transport. Anyone can decode it in seconds.
For actual security, use proper encryption (AES-256) or hashing (SHA-256, bcrypt for passwords).
Base64 vs Base64url
Standard Base64 uses + and / which are special characters in URLs. Base64url replaces them with - and _ to make the output safe for use in URLs and HTTP headers without percent-encoding. JWT tokens use Base64url.
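The points made under "Base64 is NOT encryption" and "Base64 vs Base64url", shown on two of the use cases listed earlier: a Basic Auth header and a JWT both decode with no key. This is an added example, not code from the original article; the function names are illustrative, the Basic value is the example from RFC 7617, and the JWT is a constructed sample with a placeholder signature segment.

```javascript
// Added example; sample inputs are illustrative, not real credentials.

// Base64url -> standard Base64: swap "-" and "_" back, restore stripped "=" padding.
function base64urlToBase64(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return b64 + "=".repeat((4 - (b64.length % 4)) % 4);
}

// atob() returns one character per byte; re-read those bytes as strict UTF-8.
function decodeBase64Utf8(b64) {
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Recover the credentials from an "Authorization: Basic ..." header value.
function decodeBasicAuth(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+\/]+={0,2})$/i.exec(headerValue.trim());
  if (!m) throw new Error("not a Basic Authorization value");
  const decoded = decodeBase64Utf8(m[1]);
  const sep = decoded.indexOf(":"); // split on the first ":"; passwords may contain ":"
  if (sep === -1) throw new Error("missing ':' separator");
  return { username: decoded.slice(0, sep), password: decoded.slice(sep + 1) };
}

// Read a JWT's header and payload WITHOUT checking the signature.
// Readable is not the same as trusted: never act on claims read this way.
function readJwtUnverified(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [header, payload] = parts
    .slice(0, 2)
    .map((p) => JSON.parse(decodeBase64Utf8(base64urlToBase64(p))));
  return { header, payload };
}

// Example credentials from RFC 7617.
const SAMPLE_BASIC = "Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==";
// Constructed token: sample claims, placeholder third segment (never verified here).
const SAMPLE_JWT =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ." +
  "sig_not_checked";

console.log(decodeBasicAuth(SAMPLE_BASIC));
console.log(readJwtUnverified(SAMPLE_JWT).payload);
```

Because both values decode this easily, Basic Auth headers belong only on TLS connections and JWT payloads should never carry secrets.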
How to encode and decode in your browser
- Open ToolBite's Base64 encoder & decoder.
- Paste your text or string into the input box.
- Click Encode to get the Base64 output, or paste a Base64 string and click Decode to get the original.
- Copy the result — it never leaves your browser tab.
Quick reference
- Base64 output is ~33% larger than the input.
- All Base64 strings end with 0, 1, or 2 padding = characters.
- Base64 ≠ encryption — never use it to secure sensitive data.
- JWT tokens use Base64url (not standard Base64).
- Decoding in JavaScript: atob(str). Encoding: btoa(str).
