Base64 Guide: Encoding, Decoding & Common Pitfalls
Base64 Guide: Encoding, Decoding & Common Pitfalls
Base64 is everywhere — email attachments, PDFs in APIs, token signatures, image
data: URIs, and basic auth headers all rely on it. Yet it is one of the most
misunderstood encodings: developers constantly assume it is encryption, or that
it makes data smaller. This guide clears that up.
Use our Base64 encoder/decoder to try every example below — it runs entirely in your browser.
What Base64 Actually Does
Base64 is a binary-to-text encoding. It takes arbitrary bytes (which may include unprintable characters) and represents them using only 64 safe ASCII characters:
A-Z a-z 0-9 + /
plus = for padding. It does not compress, and it does not encrypt.
The trick: 3 input bytes = 24 bits = four 6-bit groups, and each 6-bit group maps to one of the 64 characters. That is why Base64 output is always ~33% larger than the input:
3 bytes → 4 Base64 characters
Why Base64 Exists
Many transports were designed for text, not binary:
- Early email (SMTP) was 7-bit ASCII only.
- URLs and headers cannot contain arbitrary bytes.
- Some databases or config formats choke on NUL bytes or control characters.
Base64 lets you carry binary data safely through those text-only channels. It is a transport encoding, not a security control.
Base64 Is Not Encryption
This is the #1 confusion. Base64 is fully reversible with no key. Anyone who has the string can decode it instantly.
encoded: SGVsbG8= → decoded: Hello
If you need confidentiality, use AES, not Base64. Base64 often wraps encrypted bytes so they can travel as text, but the encoding itself protects nothing.
URL-Safe Base64
The standard alphabet uses + and /, which are problematic in URLs (+ means
space, / is a path separator). URL-safe Base64 swaps them:
| Standard | URL-safe |
|---|---|
+ | - |
/ | _ |
Padding = is usually dropped in URL-safe variants because = is also special in
query strings. Our tool has a URL-safe mode so you can paste tokens like JWT
payloads directly.
Base64 vs Base58 / Base62
- Base62 uses
0-9A-Za-z(no+,/,=) — compact and URL-friendly. - Base58 (used by Bitcoin) drops easily-confused chars:
0/O,I/l, and does not pad. Great for human-typed keys.
Base64 is older and more universal; Base58/Base62 optimize for copy-paste safety and shorter strings in specific ecosystems.
Common Pitfalls
- "It will shrink my file." No — it grows by ~33%.
- "It hides my password." No — it is encoding, not encryption.
- Newline padding errors. Encoders that insert
\nevery 76 chars (MIME/PEM) break strict decoders; strip whitespace first. - Wrong alphabet. Decoding URL-safe text with the standard alphabet fails on
-and_. - Character encoding mismatch. Base64 encodes bytes. Encoding the string
caféas UTF-8 vs Latin-1 produces different Base64. Always know your source encoding.
Code Examples
JavaScript (Browser / Node)
// Encode text
btoa("Hello"); // "SGVsbG8="
// Decode text
atob("SGVsbG8="); // "Hello"
// Encode UTF-8 safely (handles é, 中文, emojis)
btoa(unescape(encodeURIComponent("café")));
Python
import base64
# Encode bytes
base64.b64encode(b"Hello") # b'SGVsbG8='
# Decode bytes
base64.b64decode(b"SGVsbG8=") # b'Hello'
# URL-safe variant
base64.urlsafe_b64encode(b"Hello") # b'SGVsbG8='
Note:
btoa/atobwork on Latin-1 bytes only. For Unicode text, encode to UTF-8 first (see theencodeURIComponenttrick above).
Related Tools
- Encode or decode any blob with the Base64 tool.
- Generate hashes for integrity checks with the Hash Generator.
- Inspect JWT structure with the JWT Parser.
- Test URL encoding behavior with the URL Encoder.
When to Reach for Base64
Use it when a transport, store, or protocol expects text but you have bytes: embedding a small image in CSS, attaching a file to a JSON API, or signing a token. Do not use it to protect data, and do not use it to save space.