You have seen Base64 strings before: that long block of letters and numbers that looks like gibberish. They appear in JWT tokens, CSS background images, email attachments, and API responses. Here is exactly what Base64 is, why it was invented, and when you should actually use it.
What Base64 Is
Base64 is an encoding scheme that converts binary data (bytes) into a string drawn from an alphabet of 64 printable ASCII characters. Those characters are A to Z, a to z, 0 to 9, plus (+), and forward slash (/), with equals (=) used for padding at the end.
Given any binary data (an image, a file, or a sequence of bytes), Base64 produces a text string that looks like this:
SGVsbG8sIFdvcmxkIQ==
That decodes to "Hello, World!", the plain text bytes represented as a Base64 string. The two equals signs at the end are padding to make the string length a multiple of four.
Why Base64 Exists
The internet was built on protocols designed for plain text. Email (SMTP), HTTP headers, and early web standards could only reliably transmit text characters. Binary data, like an image or an executable file, contains byte values that get mangled in transmission, misinterpreted as control characters, or stripped entirely by mail servers and proxies.
Base64 solves this by converting binary data into a safe text representation that travels through text-only channels without corruption. It is essentially a compatibility layer between binary data and text-based systems. The format was standardised in the early 1990s as part of the MIME email specification and has been in continuous use ever since.
Where You Will See Base64
Email attachments
When you attach a file to an email, MIME (the email format standard) encodes it as Base64 before transmitting it through email servers. The recipient's email client decodes it back to the original file automatically. You never see the Base64 string, but it is there in the raw email source.
Data URIs in HTML and CSS
You can embed small images directly in HTML or CSS without a separate file request:
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUg..." />
This is useful for tiny icons or critical above-the-fold images where eliminating an HTTP request matters for performance. It is also useful in emails, where external image links are often blocked by email clients and embedding the image directly guarantees it displays.
JWT tokens
JSON Web Tokens use Base64URL (a variant of Base64 that replaces + with - and / with _ to make the string safe for URLs) to encode their header and payload. When you decode the middle section of a JWT, you get a JSON object containing the user's claims, permissions, and token expiry time.
API payloads
When sending binary data such as an image or a document via a JSON API, Base64 encoding allows you to include it in a JSON string field rather than sending a separate multipart request. Many document processing APIs, OCR services, and messaging platforms accept images this way.
CSS backgrounds
Small background images or gradients are sometimes embedded directly in CSS files as Base64 data URIs to reduce the number of network requests a page makes on first load.
The Downside: Size Overhead
Base64 encoding is not free. Every 3 bytes of binary data becomes 4 characters of Base64, a roughly 33 percent size increase. A 100KB image becomes a 133KB Base64 string. Transmitted over a network, it also needs to be decoded by the receiving system, adding a small processing cost.
This is why you should not Base64-encode large files. It wastes bandwidth and memory. The sweet spot is small files under around 10KB, where the overhead is negligible and the convenience of inline embedding outweighs the cost. For anything larger, use a direct file reference or a proper file upload mechanism.
Base64 Is Encoding, Not Encryption
This is the most important thing to understand: Base64 is not security. It is trivially reversible. Anyone can decode a Base64 string in seconds using any programming language, an online tool, or even a command line. Putting a password or secret in Base64 provides absolutely no protection.
This mistake comes up regularly in security audits. A developer sees a Base64 string in a config file or an API response and assumes the data is obscured. It is not. Treat Base64 strings exactly like plain text from a security perspective.
If you need to protect data, use actual encryption (AES, RSA) or one-way hashing (bcrypt or Argon2 for passwords, SHA-256 for data integrity). Base64 is purely for format compatibility, not confidentiality.
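An audit check for the mistake described above, as an added Python example that is not part of the original article: it scans config-style text for values that are only Base64-wrapped printable text and reports what they decode to. The function name, key names and sample values are constructed for illustration.

```python
import base64
import binascii
import re

B64_SHAPE = re.compile(r"[A-Za-z0-9+/]+={0,2}")

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample: key names and secrets are invented for this example.
SAMPLE_CONFIG = "\n".join([
    "db_host = db.internal.example",
    "db_password = " + _b64("constructed-password-1"),
    "api_key = " + _b64("constructed-api-key-0001"),
    "log_level = info",
])

def find_encoded_values(config_text, min_len=16):
    """Return (line_number, key, decoded_text) for values that are just Base64 text."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        key, sep, value = line.partition("=")  # splits at the first '=', padding stays in value
        value = value.strip()
        if not sep or len(value) < min_len or len(value) % 4:
            continue
        if not B64_SHAPE.fullmatch(value):
            continue
        try:
            raw = base64.b64decode(value, validate=True)
        except binascii.Error:
            continue
        # Printable ASCII after decoding means the "obscured" value was readable all along.
        if raw and all(32 <= b < 127 for b in raw):
            findings.append((lineno, key.strip(), raw.decode("ascii")))
    return findings

if __name__ == "__main__":
    for lineno, key, decoded in find_encoded_values(SAMPLE_CONFIG):
        print(f"line {lineno}: {key} decodes to {decoded!r}")
```

Every finding is a value that should be handled as a plaintext secret: moved to a secrets store or encrypted, and rotated if the file was ever shared.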
How to Decode a Base64 String
Decoding Base64 is a common task when debugging APIs, inspecting JWT tokens, or checking what an email attachment contains. You can do it in any programming language with one function call, or use an online tool if you just need a quick result.
A few things to check when decoding fails:
- Missing padding: some systems omit the trailing = characters. If decoding fails, try adding one or two = signs to the end.
- URL-safe variant: if the string contains - or _ instead of + and /, it is Base64URL. Most decoders handle both, but not all.
- Whitespace: some Base64 strings include line breaks every 76 characters (the MIME standard). Strip whitespace before decoding if you get an error.
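The three checks above combined into one tolerant decoder, then applied to the header and payload of a JWT (the Base64URL case described under "JWT tokens"). This is an added Python example, not code from the original article; the function names and the sample token are constructed for illustration.

```python
import base64
import binascii
import json

def decode_lenient(text):
    """Decode standard or URL-safe Base64, tolerating whitespace and missing padding."""
    compact = "".join(text.split())                        # MIME line breaks, stray spaces
    compact = compact.replace("-", "+").replace("_", "/")  # Base64URL -> standard alphabet
    compact = compact.rstrip("=")
    if len(compact) % 4 == 1:
        raise ValueError("not Base64: no amount of padding makes this length valid")
    compact += "=" * (-len(compact) % 4)                   # restore omitted padding
    try:
        return base64.b64decode(compact, validate=True)
    except binascii.Error as exc:
        raise ValueError(f"not Base64: {exc}") from exc

def jwt_claims(token):
    """Return (header, payload) of a JWT as dicts. The signature is NOT verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header, payload = (json.loads(decode_lenient(p)) for p in parts[:2])
    return header, payload

def _b64url(obj):
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

# Constructed token: made-up claims and a placeholder in the signature position.
SAMPLE_JWT = ".".join([
    _b64url({"alg": "HS256", "typ": "JWT"}),
    _b64url({"sub": "user-1001", "role": "admin", "exp": 1767225600}),
    "placeholder_signature",
])

if __name__ == "__main__":
    print(decode_lenient("SGVsbG8sIFdvcmxkIQ"))   # padding omitted
    print(jwt_claims(SAMPLE_JWT))
```

Reading the claims requires no key; only a signature check, which this sketch does not perform, says whether they can be trusted.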