Base64 is not encryption: what it is and when to use it
Every few months a security incident traces back to the same misunderstanding: someone "protected" data by Base64 encoding it. Base64 is not protection. Anyone can decode it instantly, with no key, no password, and no effort.
What Base64 actually does
Base64 represents binary data using 64 printable characters: letters, digits, + and /. That is the whole job. It exists because many systems, including email, JSON, and HTTP headers, can only carry text safely. Base64 lets arbitrary bytes travel through them without corruption.
Encoding makes data compatible, not secret. The transformation is public, standardized, and reversible by design. Decoding requires no key, just running the algorithm backwards.
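To make the "no key, just run the algorithm backwards" point concrete, here is a hand-rolled Base64 encoder and decoder written for this article (added example, not code from the original page). It follows the RFC 4648 alphabet and padding rules, cross-checks itself against Python's base64 module, and uses a constructed input of the word "password" to show that the decoder needs nothing but the ciphertext-looking string itself.

```python
import base64

# RFC 4648 section 4 alphabet: 26 upper, 26 lower, 10 digits, '+' and '/'.
ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
DECODE_MAP = {ch: i for i, ch in enumerate(ALPHABET)}


def b64encode_manual(data: bytes) -> str:
    """Encode bytes by hand: every 3 input bytes become 4 alphabet characters."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        # Pack up to 3 bytes into a 24-bit integer; a short tail is zero-padded.
        n = int.from_bytes(chunk.ljust(3, b"\x00"), "big")
        # Slice the 24 bits into four 6-bit indexes into the alphabet.
        chars = [ALPHABET[(n >> shift) & 0x3F] for shift in (18, 12, 6, 0)]
        # 1 tail byte keeps 2 chars and adds "==", 2 tail bytes keep 3 and add "=".
        keep = len(chunk) + 1
        out.append("".join(chars[:keep]) + "=" * (4 - keep))
    return "".join(out)


def b64decode_manual(text: str) -> bytes:
    """Reverse the transformation. Note that no key appears anywhere here."""
    if len(text) % 4 != 0:
        raise ValueError("Base64 input length must be a multiple of 4")
    out = bytearray()
    for i in range(0, len(text), 4):
        quad = text[i:i + 4]
        pad = quad.count("=")
        # Padding is only valid as the last one or two characters of the input.
        if pad > 2 or (pad and (not quad.endswith("=" * pad) or i + 4 != len(text))):
            raise ValueError("invalid padding in Base64 input")
        n = 0
        for ch in quad[:4 - pad]:
            if ch not in DECODE_MAP:
                raise ValueError(f"character {ch!r} is not in the Base64 alphabet")
            n = (n << 6) | DECODE_MAP[ch]
        n <<= 6 * pad                      # restore the 24-bit width
        # 24 bits give 3 bytes; drop one byte per padding character.
        out += n.to_bytes(3, "big")[:3 - pad]
    return bytes(out)


def matches_stdlib(data: bytes) -> bool:
    """Sanity check the hand-rolled codec against Python's base64 module."""
    encoded = b64encode_manual(data)
    return (encoded == base64.b64encode(data).decode("ascii")
            and b64decode_manual(encoded) == data)


if __name__ == "__main__":
    # Constructed sample: "protected" data that anyone can read back without a key.
    encoded = b64encode_manual(b"password")
    print(encoded)                                   # cGFzc3dvcmQ=
    print(b64decode_manual(encoded))                 # b'password'
    print(matches_stdlib(bytes(range(256))))         # True
```

The decoder rejects malformed padding and characters outside the alphabet, which is the only "security" a Base64 decoder can offer: it protects the caller from garbage input, never the data from a reader.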
Where you meet it
- HTTP Basic auth: the `Authorization: Basic ...` header carries `username:password` in Base64. This is why Basic auth without HTTPS is equivalent to sending passwords in plain text.
- JWTs: each of the three segments is base64url encoded (the header and payload are JSON; the signature is raw bytes). Anyone holding a token can read its claims.
- Data URIs: small images embedded directly in CSS or HTML as `data:image/png;base64,...`.
- Email attachments: every attachment you have ever sent traveled as Base64 text.
- API payloads: binary data (images, files, certificates) inside JSON has to be Base64, since JSON cannot carry raw bytes.
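The Basic auth and JWT cases above are worth seeing side by side, because the JWT one is where the confusion bites hardest: the claims are readable by anyone, and only the signature check (which needs the key) tells you whether they are genuine. The following is an added example written for this article, not code from the original page. The `Authorization` header value, the claims, and the HMAC key `demo-key` are all constructed here; the token is built locally with the standard library so the example runs offline.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple


def decode_basic_auth(header_value: str) -> Tuple[str, str]:
    """Recover username and password from an 'Authorization: Basic ...' value.

    RFC 7617 defines the credential as "user:pass" in standard Base64, so this
    is the whole "attack" against Basic auth over plain HTTP: one decode call.
    """
    scheme, _, encoded = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic auth header")
    creds = base64.b64decode(encoded).decode("utf-8")
    user, _, password = creds.partition(":")   # the password may itself contain ':'
    return user, password


def _b64url_encode(raw: bytes) -> str:
    # JWT uses the URL-safe alphabet ('-' and '_') and strips the '=' padding.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Restore the padding the JWT spec removed before handing it to the decoder.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Build an HS256 JWT. Only here so the example is self-contained."""
    header = {"alg": "HS256", "typ": "JWT"}
    segments = [
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()),
    ]
    signing_input = ".".join(segments).encode("ascii")
    sig = hmac.new(key, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [_b64url_encode(sig)])


def read_claims_without_key(token: str) -> dict:
    """Anyone holding the token can do this: the payload is Base64url, not encrypted."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def verify_hs256(token: str, key: bytes) -> Optional[dict]:
    """Return the claims only if the signature checks out under this key."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        return None
    return json.loads(_b64url_decode(payload_b64))


if __name__ == "__main__":
    # Constructed header: Base64 of "alice:s3cr3t".
    print(decode_basic_auth("Basic YWxpY2U6czNjcjN0"))

    key = b"demo-key"                                      # constructed demo key
    token = make_hs256_token({"sub": "alice", "admin": False}, key)
    print(read_claims_without_key(token))                  # readable with no key
    print(verify_hs256(token, key))                        # genuine: claims returned
    forged = make_hs256_token({"sub": "alice", "admin": True}, b"wrong-key")
    print(read_claims_without_key(forged))                 # still readable...
    print(verify_hs256(forged, key))                       # ...but None: rejected
```

The practical lesson for a server is in the last two lines: never act on `read_claims_without_key`-style parsing alone. Decode for debugging, but authorize only on what `verify_hs256` returns.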
The mistakes to avoid
Storing passwords as Base64. This is storing them in plain text with one extra step. Passwords need a real password hash: bcrypt, scrypt, or argon2.
"Obfuscating" API keys in client code. Decoding takes one line. If a secret ships to the browser or a mobile app, it is public, encoded or not.
Confusing it with hashing. Hashes (SHA-256 and friends) are one-way: you cannot get the input back. Base64 is two-way by definition. They solve different problems and are not interchangeable.
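The password and hashing mistakes are easiest to see by putting the wrong approach next to a correct one. This added example (written for this article, not taken from the page) stores a constructed password `hunter2` two ways: as Base64, which a one-liner reverses, and as a salted scrypt hash using Python's standard library, which can only be verified, never reversed. It also shows Base64 used for its legitimate purpose inside the hash record: turning the random salt and digest bytes into storable text. The work factors and the `scrypt$salt$digest` record layout are choices made for this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# --- The mistake: "storing" a password as Base64 ---------------------------

def store_as_base64(password: str) -> str:
    """Plain text with one extra step. Kept only to demonstrate the problem."""
    return base64.b64encode(password.encode("utf-8")).decode("ascii")


def recover_from_base64(stored: str) -> str:
    """No key needed: the stored value is the password, just re-spelled."""
    return base64.b64decode(stored).decode("utf-8")


# --- The fix: a salted, memory-hard password hash (scrypt, in hashlib) -----

# Work factors chosen for this example; raise SCRYPT_N as hardware improves.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DIGEST_LEN = 2 ** 14, 8, 1, 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$<base64 salt>$<base64 digest>."""
    salt = salt if salt is not None else os.urandom(16)   # fresh random salt per user
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DIGEST_LEN)
    # Base64 doing its real job here: bytes -> text so the record fits in a DB column.
    return "scrypt${}${}".format(base64.b64encode(salt).decode("ascii"),
                                 base64.b64encode(digest).decode("ascii"))


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        scheme, salt_b64, digest_b64 = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    pw = "hunter2"                                   # constructed sample password
    encoded = store_as_base64(pw)
    print(encoded, "->", recover_from_base64(encoded))   # reversible: aHVudGVyMg== -> hunter2

    record = hash_password(pw)
    print(record)                                    # scrypt$...$... (differs every run)
    print(verify_password(pw, record))               # True
    print(verify_password("hunter3", record))        # False
```

Two details matter beyond "use scrypt": the salt is random per record, so two users with the same password get different hashes, and the comparison uses `hmac.compare_digest` rather than `==` so verification time does not leak how many bytes matched.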
The rule is simple: use Base64 when a system needs text instead of bytes. Use encryption when something must stay secret. Try both directions of the conversion with the Base64 Encode / Decode tool, which handles UTF-8 and the URL-safe variant used in JWTs.