Base64 is a way of turning binary data into plain text. The name comes from the fact that it uses exactly 64 different characters: uppercase A through Z (26), lowercase a through z (another 26), digits 0 through 9 (10 more), and the symbols plus and slash (the final 2). That is 64 total, which is not a coincidence. Sixty-four is two to the power of six, which means each Base64 character represents exactly six bits of information.
The conversion process is methodical. Base64 takes your input and processes it three bytes at a time. Three bytes is 24 bits. It splits those 24 bits into four groups of six bits each. Each six-bit group becomes a number between 0 and 63, and that number picks a character from the Base64 alphabet. For example, the word "Man" becomes "TWFu".
If your input is not an exact multiple of three bytes, Base64 adds padding. One leftover byte gets two output characters plus two equals signs. Two leftover bytes get three output characters plus one equals sign. The padding tells the decoder exactly how many bytes the original data contained. This is why every valid Base64 string has a length that is a multiple of four.
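The grouping and padding rules above, written out as an added example (not code from the original page). The function names are chosen here for illustration, and the result is cross-checked against Python's standard `base64` module.

```python
import base64

# Standard Base64 alphabet: index 0-63 maps to one output character.
ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789+/"
)


def sextets(group: bytes) -> list[int]:
    """Split one 3-byte group (24 bits) into four 6-bit values."""
    n = int.from_bytes(group, "big")
    return [(n >> shift) & 0x3F for shift in (18, 12, 6, 0)]


def b64encode_manual(data: bytes) -> str:
    """Encode bytes three at a time, padding the final group with '='."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        # Zero-fill a short final chunk so it still forms 24 bits.
        chars = [ALPHABET[v] for v in sextets(chunk.ljust(3, b"\x00"))]
        # 1 leftover byte keeps 2 characters, 2 bytes keep 3, 3 bytes keep 4.
        keep = len(chunk) + 1
        out.append("".join(chars[:keep]) + "=" * (4 - keep))
    return "".join(out)


if __name__ == "__main__":
    print("Man ->", sextets(b"Man"))
    for sample in (b"Man", b"Ma", b"M"):
        encoded = b64encode_manual(sample)
        # Cross-check against the standard library encoder.
        assert encoded == base64.b64encode(sample).decode("ascii")
        print(sample, "->", encoded)
```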
A data URI embeds a file directly inside a URL: <img src="data:image/png;base64,iVBORw...">. This saves an HTTP request for small assets like icons. The tradeoff is that the encoded data is about 33% larger than the original file, so for anything bigger than a few kilobytes, a separate file with proper caching is more efficient.
Email was designed in the 1980s for plain text. SMTP cannot handle raw binary data. MIME solved this by encoding attachments as Base64. Every PDF, image, or document you email is Base64 encoded in transit. The email header Content-Transfer-Encoding: base64 is how the receiving client knows to decode it.
REST APIs send data as JSON, which is a text format. When an API needs to return a generated PDF, a thumbnail, or a digital signature, it Base64 encodes the binary data and embeds it as a string inside the JSON response. The client decodes it back after receiving. Stripe, AWS, and Google Cloud APIs all use this pattern. If you paste an API response into a JSON formatter, you will often see long Base64 strings.
The Authorization: Basic header carries credentials as Base64(username:password). This is purely a format conversion so the colon and special characters in passwords do not break HTTP header parsing. It provides zero security and must always be paired with HTTPS.
The distinction between encoding and encryption trips up beginners constantly, and it is worth stating clearly. They are completely different operations that serve completely different purposes.
Encoding changes the format of data. It takes something and represents it in a different way, without any secrecy involved. Anyone with a decoder can reverse it in microseconds. Base64, URL encoding, and hex encoding are all encoding. They exist to make data compatible with systems that have text-only constraints. There is no key, no password, no protection.
Encryption scrambles data so that only someone with a secret key can read it. AES-256, ChaCha20, and RSA are encryption. Without the key, the data is mathematically inaccessible. With the key, it is recovered perfectly.
Hashing is a third category that is often confused with both. SHA-256 and bcrypt are hashing algorithms. They take input and produce a fixed-size output that cannot be reversed back to the original. You can verify that a password matches a stored hash, but you cannot decode the hash to recover the password.
Real talk: if you store passwords as Base64, you are storing them in plaintext. If you "protect" an API key by Base64 encoding it, you have not protected anything. If a website tells you your data is "encrypted with Base64," they either do not understand what encryption is or they are misleading you. Base64 is a format conversion. It is not a security measure. Never use it as one.
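The difference between encoding and hashing, as an added example that is not part of the original page: a Basic credential decodes with no key, while a salted password hash can only be checked, not reversed. The credentials are constructed, the function names and iteration count are assumptions, and PBKDF2-HMAC-SHA256 from the standard library stands in for bcrypt, which is not in the standard library.

```python
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune for your hardware


def basic_auth_value(username: str, password: str) -> str:
    """Build the value of an Authorization: Basic header."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_auth(value: str) -> tuple[str, str]:
    """Recover (username, password) from the header value; no key is needed."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(token, validate=True).decode("utf-8")
    # The username cannot contain ':', so split on the first colon only.
    username, _, password = decoded.partition(":")
    return username, password


def hash_password(password: str, salt: bytes = b"") -> tuple[bytes, bytes]:
    """Return (salt, digest); a fresh random salt is drawn when none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Re-derive from the candidate and compare in constant time."""
    return hmac.compare_digest(hash_password(candidate, salt)[1], digest)


if __name__ == "__main__":
    # Constructed credentials, for illustration only.
    header = basic_auth_value("alice", "s3cret:pw")
    print(header, "->", decode_basic_auth(header))
    salt, digest = hash_password("s3cret:pw")
    print("stored:", salt.hex(), digest.hex())
    print(verify_password("s3cret:pw", salt, digest), verify_password("guess", salt, digest))
```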
Base64 always makes data larger. Three input bytes produce four output characters, and each output character is stored as a full 8-bit byte. The math is 4/3, which is approximately 1.33, a 33% increase over the original binary size. A 300 KB image becomes roughly 400 KB when Base64 encoded. A 1 MB file becomes 1.33 MB.
Whether this overhead matters depends on the context. For a 128-byte API key, encoding it to 172 characters is completely harmless. For a 10 MB PDF attachment in an email, an extra 3.3 MB is noticeable but unavoidable under the constraints of the email protocol. For embedding images in HTML via data URIs, the overhead combined with the loss of browser caching usually makes it the wrong choice for anything larger than a 1 KB icon. The general rule is to only use Base64 when you genuinely need text-safe binary representation. When you can transmit or store the raw binary data instead, do that.
The standard Base64 characters plus and slash cause problems in URLs. A plus sign represents a space in URL query strings. A slash collides with the path separator. If you encode a binary token and put it in a URL query parameter, the plus signs will be interpreted as spaces and the token will become corrupted.
The fix is URL-safe Base64, formally defined in RFC 4648. It replaces plus with minus, slash with underscore, and often omits the trailing equals sign padding. This variant is used in JSON Web Tokens (the middle section of a JWT is Base64url-encoded JSON), OAuth 2.0 state parameters, and any scenario where encoded data appears in a URL. If you use our Base64 encoder, it uses the standard alphabet. For URL-safe encoding, simply replace + with - and / with _ in the output, and strip any trailing = characters.
A practical tip: if you are encoding data that will go into a URL, check whether your programming language has a dedicated URL-safe Base64 function. Most do. Python has base64.urlsafe_b64encode(). JavaScript requires a manual replacement. Go has base64.URLEncoding. Using the correct variant from the start saves you from debugging mysterious token corruption later.
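The token corruption described above and the URL-safe fix, as an added example (not from the original page). The token bytes, the `token` parameter name, the JWT-shaped string and the helper names are all constructed for illustration.

```python
import base64
import json
from urllib.parse import parse_qs


def b64url_encode(data: bytes) -> str:
    """RFC 4648 URL-safe alphabet, trailing '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Restore padding to a multiple of four, then decode."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def token_from_query(query: str) -> str:
    """Read the 'token' parameter the way a form/query parser does."""
    return parse_qs(query)["token"][0]


def jwt_payload(token: str) -> dict:
    """Decode the middle JWT segment. This reads claims; it verifies nothing."""
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


# Constructed bytes whose standard encoding contains both '+' and '/'.
RAW_TOKEN = bytes([0xFB, 0xEF, 0xFF, 0xFE])

if __name__ == "__main__":
    standard = base64.b64encode(RAW_TOKEN).decode("ascii")
    urlsafe = b64url_encode(RAW_TOKEN)
    print(standard, "->", repr(token_from_query("token=" + standard)))
    print(urlsafe, "->", repr(token_from_query("token=" + urlsafe)))
    # Constructed JWT-shaped string with a placeholder signature segment.
    claims = {"sub": "alice", "admin": False}
    token = ".".join([
        b64url_encode(b'{"alg":"HS256","typ":"JWT"}'),
        b64url_encode(json.dumps(claims).encode()),
        "placeholder-signature",
    ])
    print(jwt_payload(token))
```

Because the payload segment decodes without any key, claims read this way are untrusted until the token's signature has been verified.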