Skip to content
ZeroServer.tools
All guides

Base64 Encoding and Decoding, Explained

June 1, 2026 · 3 min read

Base64 is one of those things every developer encounters — in data URIs, JWTs, email attachments, API payloads — but few stop to understand. This guide explains what Base64 actually is, when to use it, a common misconception that causes real security bugs, and how to encode or decode it without sending your data to a server.

What is Base64?

Base64 is a way to represent binary data using only 64 "safe" text characters (A–Z, a–z, 0–9, +, and /). It takes raw bytes and re-encodes them into a string that survives systems which only expect text.

For example, the text Hello becomes:

SGVsbG8=

That trailing = is padding — Base64 works in groups of 3 bytes, and padding fills out the last incomplete group.

When you'll actually use it

Base64 shows up whenever binary data needs to travel through a text-only channel:

  • Data URIs — embedding a small image or font directly in HTML/CSS (data:image/png;base64,...) to save a request.
  • JWTs — the header and payload are Base64URL-encoded (see our JWT guide).
  • HTTP Basic Auth — credentials are Base64-encoded in the Authorization header.
  • Email attachments — MIME uses Base64 to send files over a text protocol.
  • APIs — sending small binary blobs inside a JSON field.

Base64 is not encryption (this matters)

This is the single most important thing to understand: Base64 is encoding, not encryption. It provides zero security. Anyone can decode a Base64 string instantly — there's no key and no secret.

Treating Base64 as if it hides something is a genuine source of security bugs. If you've Base64-encoded a password, an API key, or a token and assumed it's "obscured," it isn't — it's trivially readable. Base64 is for transport, never for protection. If you need to actually protect data, you want encryption, not encoding.

How to encode and decode in your browser

  1. Open the Base64 Encoder / Decoder.
  2. Paste your text or Base64 string.
  3. Encode or decode instantly, and copy the result.

Because Base64 is often used with sensitive values (auth headers, tokens, internal config), it's worth doing the conversion locally. The Base64 tool runs entirely in your browser — your input is encoded and decoded by JavaScript on your own machine, with nothing sent to a server. For a tool that frequently touches credentials, that's the right default.

The 33% size overhead

Base64 isn't free: it represents 3 bytes of input as 4 characters of output, so the encoded version is roughly 33% larger than the original. That's why you should only inline small assets as Base64 data URIs — Base64-encoding a large image into your CSS can bloat the file and hurt performance instead of helping it.

Base64 vs. Base64URL

Standard Base64 uses + and /, which have special meaning in URLs and filenames. Base64URL is a variant that swaps them for - and _ (and usually drops the = padding) so the result is safe to drop into a URL or a JWT. If you're working with tokens or query parameters, you want the Base64URL Encoder rather than plain Base64.

Try it

Encode or decode with the free Base64 Encoder / Decoder — no signup, and nothing leaves your browser. Working with URLs or tokens? Use the Base64URL Encoder instead.