Skip to content
Spellkit

Base64 Isn't Encryption: What It's Actually For

Base64 turns binary data into text-safe characters so it survives systems built for text — it hides nothing and adds no security.

Base64 output looks like a secret — a dense block of jumbled letters and numbers. It's not encrypted, hashed, or compressed. It's a one-to-one, fully reversible encoding, and anyone can decode it instantly with no key. Its actual job is much more mundane: making binary data safe to carry through systems that were only ever designed for text.

The problem it actually solves

Email, JSON, URLs, and plenty of older text-based protocols were built to carry a limited set of printable characters. Raw binary data — an image file, an encryption key, a compiled font — contains arbitrary byte values, many of which those systems will corrupt, misinterpret as control characters, or reject outright. Base64 re-encodes any binary data into a string built from just 64 characters (A–Z, a–z, 0–9, +, /), which every one of those text-only systems can pass through safely.

How the encoding actually works

Base64 takes input 3 bytes (24 bits) at a time and re-slices those 24 bits into four 6-bit chunks. Each 6-bit chunk (a value 0–63) maps to one of the 64 allowed characters. That's also why the output is consistently about 33% larger than the input: 3 bytes in becomes 4 characters out, a 4:3 expansion ratio, every time — a real cost you're trading for text-safety, not a bug.

The trailing = padding exists to signal that the input length wasn't a clean multiple of 3 bytes, so the decoder knows the last group is partial rather than assuming a full 6-bit chunk.

Why it's not security

Because the alphabet is fixed and public, and there's no key involved anywhere in the process, decoding is symmetric with encoding — the exact same operation in reverse, computable by anyone, instantly, with no secret required. Storing a password as cGFzc3dvcmQ= instead of password provides zero additional protection; it just makes the value slightly harder to read at a glance, which is a UX property, not a security one.

Where it actually gets used

  • Data URIs — embedding a small image directly inside HTML/CSS (data:image/png;base64,...) instead of a separate file request.
  • Email attachments — MIME-encoded attachments have used Base64 since the 90s, because SMTP was designed for 7-bit text.
  • JWTs — the header and payload of a JSON Web Token are Base64-encoded JSON (specifically Base64URL, a URL-safe variant), which is exactly why anyone can decode and read a JWT's contents — the signature is what makes it tamper-evident, not the encoding.
  • API payloads — sending binary data (a file, an image) inside a JSON body, which can only contain text.

The variant that trips people up

Standard Base64 uses + and /, both of which are meaningful characters in a URL. Base64URL swaps those for - and _ specifically so the output can go directly into a URL or filename without needing further escaping. Decoding a Base64URL string with a standard Base64 decoder (or vice versa) fails or produces garbage — a common source of "valid-looking Base64 that won't decode" bugs.

Spellkit's Base64 tool encodes and decodes both text and files directly in your browser, so nothing you paste in is sent anywhere to be processed.