Base64 is a binary-to-text encoding that represents binary data using 64 ASCII characters (A–Z, a–z, 0–9, +, /). It lets binary data — images, files, credentials — travel safely through text-only channels like JSON, HTML, and HTTP headers. It is encoding, not encryption, and provides no security.
Quick answer
Base64 encoding converts binary data into 64 safe ASCII characters so it can travel through text-only channels like JSON, HTML, and HTTP headers. It is encoding, not encryption — it provides no security. JSON Dev Tools encodes and decodes Base64 entirely in your browser, so your data is never uploaded to a server.
Key takeaways
- Base64 is reversible and offers no confidentiality — never use it to "hide" secrets.
- It adds ~33% size — 3 bytes become 4 characters.
- Use URL-safe Base64 (
-and_) when embedding in URLs. - 100% private — encoding/decoding runs client-side; nothing you paste is uploaded.
How does Base64 encoding work?
Base64 takes binary data 3 bytes (24 bits) at a time and splits those 24 bits into four 6-bit groups. Each 6-bit group (a value from 0–63) maps to one character in the Base64 alphabet. Because 3 input bytes always become 4 output characters, the result is text that any system can store or transmit without corrupting the original bytes.
Why does Base64 use = padding?
When the input isn't an exact multiple of 3 bytes, Base64 pads the output so its length stays a multiple of 4 characters — this tells the decoder where the data ends. One = is added when 2 bytes remain, and two == when 1 byte remains. Input that's already a multiple of 3 bytes has no padding.
Does Base64 increase data size?
Yes. Every 3 bytes of input become 4 characters of output, so Base64 is about 33% larger than the original data (before padding). That overhead is the price of making binary data safe to send as text — which is why you minify or compress payloads where size matters.
When should you use Base64?
| Use case | Why Base64 |
|---|---|
| Data URIs (inline images in HTML/CSS) | Embeds image bytes directly in text markup |
| HTTP Basic Auth headers | Encodes user:password into an ASCII header value |
| JWT tokens | Header and payload are Base64URL-encoded JSON |
| Email attachments (MIME) | Sends binary files over text-only SMTP |
| Binary blobs inside JSON/XML | Stores bytes in formats that only allow text |
Base64 vs encryption
Base64 is not a security measure. Anyone can decode a Base64 string back to the original in one step, with no key — this very page does it. Never use Base64 to "hide" passwords, API keys, or personal data. When you need confidentiality, use real encryption such as AES; Base64 only makes already-encrypted bytes safe to transmit as text.
Standard vs URL-safe Base64
Standard Base64 (RFC 4648) uses + and /, which are reserved characters in URLs. RFC 4648 §5 defines a URL-safe alphabet that swaps +→- and /→_ (and often drops padding), so the result can sit in a URL or filename without escaping. To percent-encode general text for a URL instead, use the URL Encoder.
Example
Encoding the text Man (3 bytes) produces TWFu — exactly 4 characters, no padding. Encoding Ma (2 bytes) produces TWE= — one padding character because the input wasn't a multiple of 3.
Need the reverse for URLs? Use the URL Encoder & Decoder. Decoding a JWT? Try the JWT Decoder, which Base64URL-decodes each part for you.
Frequently Asked Questions
What is Base64 encoding used for?
Base64 encodes binary data into ASCII text so it can travel safely through systems built for text — email (MIME), JSON and XML payloads, HTTP Basic Auth headers, data URIs for inline images, and JWT tokens. It is used whenever binary bytes need to survive a text-only channel intact.
Does Base64 encoding encrypt my data?
No. Base64 is encoding, not encryption — it provides zero security. Anyone can decode a Base64 string back to the original in one step, with no key. Never use Base64 to hide passwords, tokens, or sensitive data; use real encryption (such as AES) for that.
Why does Base64 use "=" padding?
Padding makes the encoded output a multiple of 4 characters, which tells the decoder where the input ends. It is added only when the input length is not a multiple of 3 bytes: one = when 2 bytes remain, and two == when 1 byte remains. If the input is already a multiple of 3 bytes, there is no padding.
Does Base64 increase data size?
Yes. Base64 represents every 3 bytes of input as 4 ASCII characters, so the encoded output is about 33% larger than the original data, before any padding. This is the trade-off for making binary data safe to transmit as text.
Is Base64 safe to use in URLs?
Not standard Base64 — its +, /, and = characters are reserved or unsafe in URLs and query strings. RFC 4648 section 5 defines a URL-safe alphabet that replaces + with - and / with _ (and often omits padding). For encoding general text into a URL, use percent-encoding via a URL encoder instead.
What characters does Base64 use?
Standard Base64 (RFC 4648) uses 64 characters: the uppercase letters A–Z, the lowercase letters a–z, the digits 0–9, plus + and /. The = character is used only for padding and is not part of the 64-character data alphabet.
Is my data sent to a server?
No. Encoding and decoding happen entirely in your browser with JavaScript. Your data is never uploaded or transmitted, which makes this safe for encoding tokens, credentials, and other sensitive values.
Last updated: May 2026