What Is Base64 and When Should You Use It

Base64 shows up in data URIs, JWTs, email attachments, and API payloads. It is widely used and just as widely misunderstood. Here is what it actually is and when reaching for it makes sense.

What Base64 is (and is not)

Base64 is an encoding, not encryption. It turns binary data into a string using 64 safe characters (A to Z, a to z, 0 to 9, plus + and /). The goal is to move binary safely through systems that expect text, such as JSON fields, URLs, or email headers.

Because it is reversible by anyone, Base64 provides no security. If you can read the string, you can decode it. Never treat Base64 as a way to hide secrets.

When to use it

  • Embedding small assets. A tiny icon or font can be inlined as a data: URI to save an HTTP request.
  • Carrying binary in text formats. Putting an image or file inside JSON or XML.
  • Tokens and headers. JWTs and Basic Auth headers are Base64-encoded so they survive transport.

When to avoid it

Base64 makes data about 33% larger. That trade-off is fine for tiny payloads but works against you at scale:

  • Do not inline large images as Base64. The page weight balloons and the asset cannot be cached separately. Serve the file normally instead.
  • Do not use it to “compress” anything. It does the opposite.

Encode or decode in two steps

  1. Open Base64 Encode / Decode.
  2. Paste your text, choose encode or decode, and copy the result.

It runs in your browser, so even sensitive payloads stay on your device.

A note on URL-safe Base64

Standard Base64 uses + and /, which have special meaning in URLs. URL-safe Base64 swaps them for - and _. If a token fails to decode, check whether it is the URL-safe variant.
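The check described above, together with the earlier point that anyone who can read a Base64 string can decode it, as an added example (Node.js, not code from the original post). The helper names, the sample token and the sample credentials are all constructed for illustration.

```javascript
// Added example: helper names and sample values are constructed for illustration.
const STANDARD = /^[A-Za-z0-9+\/]*={0,2}$/;
const URL_SAFE = /^[A-Za-z0-9_-]*={0,2}$/;

// Report which Base64 alphabet a string uses.
function detectVariant(s) {
  const std = STANDARD.test(s), url = URL_SAFE.test(s);
  if (std && url) return "either"; // contains none of + / - _
  if (std) return "standard";
  if (url) return "url-safe";
  return "invalid"; // mixed alphabets or foreign characters
}

// Decode either variant to bytes, restoring the padding that tokens often omit.
function decodeBase64(s) {
  if (detectVariant(s) === "invalid") throw new Error("not Base64 in either alphabet");
  let std = s.replace(/-/g, "+").replace(/_/g, "/").replace(/=+$/, "");
  if (std.length % 4 === 1) throw new Error("impossible Base64 length");
  std += "=".repeat((4 - (std.length % 4)) % 4);
  return Buffer.from(std, "base64");
}

// Read a JWT's header and payload. No key is involved: the segments are only encoded.
function readJwt(token) {
  const [header, payload] = token.split(".");
  const parse = (seg) => JSON.parse(decodeBase64(seg).toString("utf8"));
  return { header: parse(header), payload: parse(payload) };
}

// Recover the credentials carried in a Basic Auth header value.
function readBasicAuth(value) {
  const text = decodeBase64(value.replace(/^Basic\s+/i, "")).toString("utf8");
  const i = text.indexOf(":");
  return { user: text.slice(0, i), password: text.slice(i + 1) };
}

// Constructed sample inputs (not real tokens or credentials).
const toUrlSafe = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleJwt = [toUrlSafe({ alg: "HS256", typ: "JWT" }),
  toUrlSafe({ sub: "alice", admin: false }), "signature-placeholder"].join(".");
const sampleBasic = "Basic " + Buffer.from("alice:s3cret").toString("base64");

console.log(detectVariant("-_8"), decodeBase64("-_8").toString("hex")); // bytes 0xfb 0xff
console.log(readJwt(sampleJwt).payload);
console.log(readBasicAuth(sampleBasic));
```

The signature segment is never touched here: reading a token's contents and verifying that it is authentic are separate steps, and only the second one needs a key.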

Base64 is a transport format, not a security tool. Use it for small binary-in-text needs, skip it for large assets, and decode anything suspicious to see what is really inside.
