Base64 is a way of converting binary data , like the bytes of an image, a file, or any raw binary string , into a string of printable text characters. It uses 64 characters (A–Z, a–z, 0–9, +, /) to represent any binary content.

The problem it solves: many transmission systems , HTTP headers, email (MIME), JSON payloads , are designed for text and don't handle raw binary reliably. Base64 lets you take any binary content and represent it as a plain text string that travels safely through any text-based system without getting garbled.

More places than most developers realize:

• Data URIs , embedding images directly in HTML or CSS (src="data:image/png;base64,iVBOR...") to eliminate extra HTTP requests
• HTTP Basic Auth , credentials are sent as Base64 in the Authorization: Basic header (encoding only, no security)
• JWT tokens , JSON Web Tokens are three Base64-encoded sections separated by dots
• Email attachments , the MIME standard encodes file attachments as Base64 for email transmission
• REST API payloads , sending file content through JSON APIs that only accept string values
• SSL certificates and SSH keys , PEM-format certificates are Base64-encoded

Standard Base64 uses + and / , both of which have special meanings in URLs. The + is treated as a space in query strings, and / is a path separator. This causes problems when Base64 strings appear in URLs.

URL-safe Base64 fixes this by replacing + with - and / with _, creating a string safe for URLs without any percent-encoding. JWT tokens use URL-safe Base64, which is why you see hyphens and underscores in the encoded sections.

A JWT consists of three Base64URL-encoded parts separated by dots:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

• Part 1 (header) , decodes to a JSON object with the algorithm: {"alg": "HS256", "typ": "JWT"}
• Part 2 (payload) , decodes to the claims: user ID, roles, expiration time, etc.
• Part 3 (signature) , a cryptographic hash that verifies the token hasn't been tampered with (you need the secret key to verify this part)

A Base64 tool with JWT mode decodes the first two parts into readable JSON instantly , great for debugging auth issues without firing up a REPL.

Beyond text, Base64 is often used to encode entire files , most commonly images for embedding in HTML/CSS:

1. Upload the file to the encoder
2. Select the output format , standard or URL-safe Base64
3. Copy the result , for an image, it looks like data:image/png;base64,iVBOR...
4. Use it in HTML/CSS as a src attribute or background-image: url(...) value

This is useful for small icons or images you want bundled directly with the page, avoiding an extra network request. For larger images, regular file hosting is more practical.

This is a critical point. Base64 is encoding, not encryption. The encoding alphabet is public. Anyone who receives a Base64 string can decode it immediately , no key, no password needed. It provides zero confidentiality.

Never use Base64 to protect sensitive data like passwords, API keys, or personal information. For actual security, use proper encryption: AES-256 for symmetric, RSA for asymmetric, TLS for data in transit. Base64's only job is making binary data safe for text-based transport.