Base64 Encoder / Decoder

Understanding Base64 Encoding

Base64 is a binary-to-text encoding scheme that represents binary data using 64 ASCII characters (A-Z, a-z, 0-9, +, /). It was originally designed for email attachments (MIME standard) but is now fundamental to web development. Base64 output is always approximately 33% larger than the original input because every 3 bytes of binary data become 4 characters of Base64 text.

Common Use Cases for Developers

• Data URIs — Embed small images, fonts, or SVGs directly in HTML/CSS with data:image/png;base64,... to reduce HTTP requests.
• HTTP Basic Auth — The Authorization: Basic header encodes username:password as Base64.
• JWT tokens — JWT header and payload sections are Base64url-encoded JSON objects.
• Binary in JSON — Since JSON cannot carry raw binary data, files and buffers are Base64-encoded for API transport.
• Email attachments — SMTP only supports 7-bit ASCII, so all attachments use Base64 (MIME).

Base64 vs Other Encoding Methods

Base64 vs Hex: Hex encoding is simpler (each byte = 2 hex chars) but 100% larger, while Base64 is only 33% larger. Base64 vs Base64url: Standard Base64 uses + and /, which conflict with URL syntax. Base64url replaces them with - and _, commonly used in JWTs and URL parameters. Base64 vs ASCII85: ASCII85 (used in PDF) produces smaller output (~25% overhead) but is less widely supported.

Frequently Asked Questions

Is Base64 encryption? No. Base64 is encoding, not encryption. It provides zero security — anyone can decode a Base64 string instantly. Never use it to hide sensitive data like passwords or API keys.

Why is my Base64 output larger? By design, 3 input bytes become 4 output characters. A 1 MB file becomes ~1.33 MB in Base64. For large files, consider compression (gzip) before encoding.

Base64 in Different Languages

JavaScript (Browser): btoa() encodes to Base64 and atob() decodes, but they only handle Latin-1 characters. For Unicode support (like this tool provides), use TextEncoder/TextDecoder with Uint8Array conversion. Node.js: Buffer.from(str).toString('base64') for encoding, Buffer.from(b64, 'base64').toString() for decoding. Python: base64.b64encode() and base64.b64decode() from the standard library. Java: Base64.getEncoder().encodeToString() (Java 8+). Command line: echo -n "text" | base64 on macOS/Linux, or openssl base64.

Unicode and Base64: A Common Gotcha

The most frequent Base64 bug in JavaScript is trying to encode Unicode text with btoa(). Since btoa() only accepts Latin-1 characters, calling btoa('Hello 안녕') throws a DOMException. The solution is to first encode the string to UTF-8 bytes, then Base64-encode those bytes. This tool handles Unicode correctly using the TextEncoder API, which converts any JavaScript string to UTF-8 bytes before Base64 encoding. When decoding, the reverse process applies: Base64-decode to bytes, then TextDecoder converts UTF-8 bytes back to a string. This ensures round-trip correctness for any language including emoji, CJK characters, and RTL scripts.

Base64 in Different Languages

Base64 encoding functions exist in every language but use different APIs. JavaScript (browser): btoa() encodes ASCII strings; for Unicode, use btoa(unescape(encodeURIComponent(str))) or the TextEncoder API. Node.js: Buffer.from(str).toString('base64'). Python: base64.b64encode(bytes) and base64.b64decode(). Go: encoding/base64 package with StdEncoding and URLEncoding variants. Java: java.util.Base64.getEncoder().encodeToString(bytes). This tool uses the browser’s native btoa()/atob() with a UTF-8 encoding wrapper to correctly handle all Unicode characters including emojis and non-Latin scripts.

Base64 and Content Security

Base64-encoded data URIs interact with Content Security Policy (CSP) in important ways. By default, data: URIs are blocked by CSP unless explicitly allowed with img-src data: or font-src data: directives. This is a security measure because data: URIs can be used for XSS attacks via script-src data:. When using Base64 for inline images or fonts in production, add the specific CSP directive for the resource type while keeping script-src restrictive. For API payloads, always validate and sanitize Base64-decoded content before processing — never assume Base64 data is safe simply because it was encoded.