Want to learn more?
Learn the technical details of Base64 encoding, how it converts binary data to ASCII text, and why it's fundamental to modern web applications.
Read the guideBase64 encoder and decoder
Encode text to Base64 and decode Base64 back to text, instantly and in your browser. Nothing is uploaded — the conversion happens locally — so you can safely work with tokens, keys, or any sensitive string.
What Base64 is for
Base64 represents binary data using only 64 plain ASCII characters, so it can travel safely through systems built for text: email attachments, JSON and XML payloads, data URLs in CSS or HTML, JWT tokens, and HTTP headers. It is an encoding, not encryption — anyone can decode it — so it protects data integrity in transit, not secrecy. Never use Base64 to hide passwords or secrets.
Encoding inflates size
Base64 turns every 3 bytes into 4 characters, so the encoded result is about 33 percent larger than the original. That is the cost of making binary data safe for text-only channels. It is also why large images embedded as Base64 data URLs bloat a page and should be used sparingly.
Common uses
Embed a small icon directly in CSS as a data URL, decode the payload of a JWT to inspect its claims, or encode credentials for a Basic Auth header. To inspect a decoded JWT payload, pair this with the JSON formatter; for URL-safe text, see the URL encoder.
Building Secure Data Handling?
Our development team implements secure encoding, encryption, and data transformation patterns.
What Is Base64 Encoding
Base64 encoding converts binary data into a text-safe ASCII string format using a 64-character alphabet (A-Z, a-z, 0-9, +, /). This encoding allows binary content—images, files, cryptographic keys, and arbitrary byte sequences—to be transmitted through text-based systems like email (MIME), JSON APIs, HTML data URIs, and HTTP headers that cannot handle raw binary data.
Base64 is not encryption. It provides no security whatsoever—any Base64 string can be decoded instantly by anyone. Its purpose is purely representational: converting binary to text and back without data loss. The encoding increases data size by approximately 33% (every 3 bytes of input become 4 bytes of output), which is the trade-off for universal text compatibility.
How Base64 Encoding Works
Base64 converts data in 3-byte (24-bit) groups:
- Take 3 bytes of input (24 bits total)
- Split into 4 groups of 6 bits each
- Map each 6-bit value to the Base64 alphabet (A=0, B=1, ..., Z=25, a=26, ..., z=51, 0=52, ..., 9=61, +=62, /=63)
- Pad with = if the input isn't a multiple of 3 bytes
| Input Bytes | Output Chars | Padding |
|---|---|---|
| 3 | 4 | None |
| 2 | 3 + = | One = |
| 1 | 2 + == | Two == |
Example: "Hi" (2 bytes: 0x48 0x69)
- Binary: 01001000 01101001
- Split into 6-bit groups: 010010 000110 1001(00)
- Base64 values: 18, 6, 36 → S, G, k
- With padding: SGk=
Variants:
- Standard Base64: Uses + and / (RFC 4648)
- URL-safe Base64: Uses - and _ instead (safe in URLs without percent-encoding)
- Base64 without padding: Omits trailing = characters (used in JWTs)
Common Use Cases
- Data URIs: Embed images directly in HTML/CSS as
data:image/png;base64,... - Email attachments: MIME encoding converts binary attachments to Base64 for email transport
- API payloads: Transmit binary data (files, images) within JSON request/response bodies
- Authentication headers: HTTP Basic Auth encodes
username:passwordin Base64 - Cryptographic values: Encode keys, certificates, and hashes in text-safe format for configuration files
Best Practices
- Never use Base64 as a security measure — It is trivially reversible; it provides encoding, not encryption
- Use URL-safe Base64 for URLs and filenames — The standard + and / characters cause issues in URLs and file systems
- Consider the 33% size overhead — Base64 increases data size by one-third; for large files, consider binary transfer instead
- Strip padding when optional — JWT tokens and some APIs use unpadded Base64; know your consumer's requirements
- Validate before decoding — Check for valid Base64 characters and correct padding to avoid decoding errors
References & Citations
- Internet Engineering Task Force (IETF). (2006). The Base16, Base32, and Base64 Data Encodings (RFC 4648). Retrieved from https://datatracker.ietf.org/doc/html/rfc4648 (accessed January 2025)
- IETF. (1996). Multipurpose Internet Mail Extensions (MIME) Part One. Retrieved from https://datatracker.ietf.org/doc/html/rfc2045 (accessed January 2025)
- Mozilla Developer Network. (2024). Data URLs - HTTP | MDN. Retrieved from https://developer.mozilla.org/en-US/docs/Web/HTTP/Basics_of_HTTP/Data_URLs (accessed January 2025)
Note: These citations are provided for informational and educational purposes. Always verify information with the original sources and consult with qualified professionals for specific advice related to your situation.
Key Security Terms
Understand the essential concepts behind this tool
Frequently Asked Questions
Common questions about the Base64 Encoder/Decoder
What is Base64 encoding?
Base64 encoding converts binary data to ASCII text using 64 printable characters (A-Z, a-z, 0-9, +, /).
Used for embedding images in HTML/CSS, email attachments (MIME), encoding credentials in HTTP headers, and storing binary data in JSON/XML.
Increases size by ~33%.
Not encryption - easily reversible.
Common in APIs, web development, and data serialization.
Use Base64 when transmitting binary data over text-only channels:
email attachments (MIME),
data URIs in HTML/CSS,
JSON/XML APIs requiring binary data,
HTTP Basic Authentication headers,
encoding certificates and keys,
storing binary in databases without BLOB support.
Avoid for large files (use multipart/form-data) or when encryption is needed (use proper cryptography).
No. Base64 is encoding, not encryption.
Anyone can decode it instantly.
Never use Base64 alone for sensitive data.
It provides no confidentiality, integrity, or authentication.
Use encryption (AES, RSA) for security, hashing (SHA-256) for integrity, or HMAC for authentication.
Base64 is only for data transport compatibility, not security.
What is the padding in Base64?
Base64 padding uses "=" characters to ensure output length is a multiple of 4.
Needed because Base64 encodes 3 bytes into 4 characters.
If input has 1-2 remaining bytes, padding fills the gap:
1 byte remaining = "==" padding,
2 bytes = "=" padding.
URL-safe variants often omit padding.
Required by RFC 4648 standard implementations.
What is URL-safe Base64?
URL-safe Base64 (RFC 4648) replaces characters that have special meaning in URLs:
"+" becomes "-",
"/" becomes "_",
and padding "=" is often omitted.
Used in JWT tokens, URL parameters, and filenames.
Standard Base64 breaks URLs because "+/" are reserved.
Both variants encode/decode identically except character substitution.
Also called base64url.
Why does Base64 increase file size?
Base64 increases size by approximately 33% because it encodes 3 bytes (24 bits) into 4 characters (32 bits).
Converts 8-bit bytes to 6-bit chunks (64 possible values).
Math:
3 bytes = 24 bits / 6 bits per character = 4 characters.
Plus padding.
Trade-off for text compatibility.
Avoid for large files unless necessary.
Yes.
Common for small images (<10KB) in CSS/HTML as data URIs:
data:image/png;base64,iVBORw0KG...
Reduces HTTP requests but increases page size 33% and prevents caching.
Good for icons, small logos, embedded SVG.
Bad for photos or large images.
Modern browsers support all formats.
Use image compression first.
Common errors:
Invalid character (not in A-Z, a-z, 0-9, +, /, =),
incorrect padding (wrong number of "="),
truncated input,
wrong variant (standard vs URL-safe),
encoding issues (UTF-8 vs ASCII).
Tools auto-detect and fix most errors.
Check for whitespace, newlines in encoded strings.
Always validate decoded output format.