CodeToolProCodeToolPro
GitHub
Encoders / Decoders·9 min read

Base64 Guide: Encoding, Decoding & Common Pitfalls

CodeToolPro Team··Updated July 12, 2026

Base64 Guide: Encoding, Decoding & Common Pitfalls

Base64 is everywhere — email attachments, PDFs in APIs, token signatures, image data: URIs, and basic auth headers all rely on it. Yet it is one of the most misunderstood encodings: developers constantly assume it is encryption, or that it makes data smaller. This guide clears that up.

Use our Base64 encoder/decoder to try every example below — it runs entirely in your browser.

What Base64 Actually Does

Base64 is a binary-to-text encoding. It takes arbitrary bytes (which may include unprintable characters) and represents them using only 64 safe ASCII characters:

A-Z a-z 0-9 + /

plus = for padding. It does not compress, and it does not encrypt.

The trick: 3 input bytes = 24 bits = four 6-bit groups, and each 6-bit group maps to one of the 64 characters. That is why Base64 output is always ~33% larger than the input:

3 bytes  →  4 Base64 characters

Why Base64 Exists

Many transports were designed for text, not binary:

  • Early email (SMTP) was 7-bit ASCII only.
  • URLs and headers cannot contain arbitrary bytes.
  • Some databases or config formats choke on NUL bytes or control characters.

Base64 lets you carry binary data safely through those text-only channels. It is a transport encoding, not a security control.

Base64 Is Not Encryption

This is the #1 confusion. Base64 is fully reversible with no key. Anyone who has the string can decode it instantly.

encoded: SGVsbG8=   →   decoded: Hello

If you need confidentiality, use AES, not Base64. Base64 often wraps encrypted bytes so they can travel as text, but the encoding itself protects nothing.

URL-Safe Base64

The standard alphabet uses + and /, which are problematic in URLs (+ means space, / is a path separator). URL-safe Base64 swaps them:

StandardURL-safe
+-
/_

Padding = is usually dropped in URL-safe variants because = is also special in query strings. Our tool has a URL-safe mode so you can paste tokens like JWT payloads directly.

Base64 vs Base58 / Base62

  • Base62 uses 0-9A-Za-z (no +, /, =) — compact and URL-friendly.
  • Base58 (used by Bitcoin) drops easily-confused chars: 0/O, I/l, and does not pad. Great for human-typed keys.

Base64 is older and more universal; Base58/Base62 optimize for copy-paste safety and shorter strings in specific ecosystems.

Common Pitfalls

  • "It will shrink my file." No — it grows by ~33%.
  • "It hides my password." No — it is encoding, not encryption.
  • Newline padding errors. Encoders that insert \n every 76 chars (MIME/PEM) break strict decoders; strip whitespace first.
  • Wrong alphabet. Decoding URL-safe text with the standard alphabet fails on - and _.
  • Character encoding mismatch. Base64 encodes bytes. Encoding the string café as UTF-8 vs Latin-1 produces different Base64. Always know your source encoding.

Code Examples

JavaScript (Browser / Node)

// Encode text
btoa("Hello");                 // "SGVsbG8="
// Decode text
atob("SGVsbG8=");              // "Hello"

// Encode UTF-8 safely (handles é, 中文, emojis)
btoa(unescape(encodeURIComponent("café")));

Python

import base64

# Encode bytes
base64.b64encode(b"Hello")            # b'SGVsbG8='
# Decode bytes
base64.b64decode(b"SGVsbG8=")          # b'Hello'

# URL-safe variant
base64.urlsafe_b64encode(b"Hello")     # b'SGVsbG8='

Note: btoa/atob work on Latin-1 bytes only. For Unicode text, encode to UTF-8 first (see the encodeURIComponent trick above).

Related Tools

When to Reach for Base64

Use it when a transport, store, or protocol expects text but you have bytes: embedding a small image in CSS, attaching a file to a JSON API, or signing a token. Do not use it to protect data, and do not use it to save space.