Base64 Isn't Encryption — Here's What It Actually Does
Sooner or later every developer runs into a wall of text that looks like gibberish — something like SGVsbG8gd29ybGQ= — and learns the word "Base64." It's one of those building blocks that's everywhere and rarely explained properly. So let's fix that.
The problem it solves
Some systems were built to handle plain text and nothing else — older email protocols are the classic example. Hand them raw binary data, like an image or a file, and things break. Base64 is a translation layer: it takes any data and re-expresses it using only a safe set of 64 characters (A–Z, a–z, 0–9, plus two extras). The result is text that can travel through text-only channels untouched.
What it is not
This is the part people get wrong, so it's worth being blunt: Base64 is not encryption. It scrambles nothing and hides nothing. Anyone can decode it back to the original in one step, with no key and no effort. If you ever see a password or secret "protected" by Base64, treat that as a security bug, not a safeguard. It's an encoding, like writing the same message in a different alphabet.
Where you'll actually meet it
- Data URIs — small images embedded straight into CSS or HTML as
data:image/png;base64,..., saving a network request. - Email attachments — the original reason it exists.
- JSON Web Tokens — the segments of a JWT are Base64-encoded (which is exactly why you should never put secrets in them unencrypted).
- Basic auth headers — credentials encoded for transport, protected by HTTPS rather than by the encoding itself.
One small cost
Base64 makes data roughly a third larger, because it's spending extra characters to stay text-safe. That's a fine trade for a tiny icon in your CSS; it's a poor one for a large file you could just upload normally. Reach for it when you need text-safe transport, not as a default.
Need to encode or decode something right now? Our Base64 Encoder & Decoder does both instantly, in your browser.
Found this useful? Browse all our free online tools or read more on the blog.