Base64 Encoding: When to Use It (and When You Absolutely Should Not)
Base64 appears in JWT tokens, email attachments, data: URLs, API responses, and configuration files. It is so common that many developers treat it as a security feature — which it absolutely is not.
Base64 is an encoding scheme, not encryption. It transforms binary data into printable ASCII text. Anyone can decode it in one line of code. Understanding when Base64 helps — and when it creates a false sense of security — is essential for building secure applications.
This guide covers the practical use cases, the mistakes to avoid, and how to work with Base64 safely in your projects.
What Base64 actually does
Computers store data as bytes. Many transport formats — JSON, XML, email, URLs — work best with text. Base64 solves a simple problem: how do you represent arbitrary binary data using only safe printable characters?
It takes every 3 bytes of input and represents them as 4 ASCII characters from a 64-character alphabet (A–Z, a–z, 0–9, +, /). The output is roughly 33% larger than the original data.
Hello → SGVsbG8=
That = at the end is padding. Decoding SGVsbG8= always gives you back Hello. The transformation is fully reversible and requires no key.
This is fundamentally different from AES encryption, which requires a secret key and produces output that cannot be reversed without it.
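To make the 3-bytes-to-4-characters mapping, the padding rule and the Base64url alphabet concrete, here is a from-scratch encoder and decoder in JavaScript. It is an added example, not code from the article or from Cipherly, and it assumes the TextEncoder/TextDecoder globals available in browsers and Node.js; the decoder deliberately accepts both alphabets with or without padding but rejects any other character instead of skipping it.

```javascript
// Added example (not from the original article): a from-scratch Base64
// encoder/decoder that makes the 3-bytes-to-4-characters mapping, the
// padding rule and the Base64url alphabet explicit.
const STD_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
const URL_ALPHABET = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// Encode a Uint8Array. Every 3 input bytes (24 bits) become 4 characters of
// 6 bits each; a final group of 1 or 2 bytes is padded with '=' so the
// output length stays a multiple of 4 (Base64url commonly omits the padding).
function base64Encode(bytes, { url = false } = {}) {
  const alphabet = url ? URL_ALPHABET : STD_ALPHABET;
  let out = '';
  for (let i = 0; i < bytes.length; i += 3) {
    const b0 = bytes[i];
    const b1 = i + 1 < bytes.length ? bytes[i + 1] : 0;
    const b2 = i + 2 < bytes.length ? bytes[i + 2] : 0;
    const triple = (b0 << 16) | (b1 << 8) | b2;
    out += alphabet[(triple >> 18) & 63];
    out += alphabet[(triple >> 12) & 63];
    out += i + 1 < bytes.length ? alphabet[(triple >> 6) & 63] : '=';
    out += i + 2 < bytes.length ? alphabet[triple & 63] : '=';
  }
  if (url) out = out.replace(/=+$/, '');
  return out;
}

// Decode either alphabet, with or without trailing padding. Any character
// outside the alphabets (or '=' anywhere but the end) is rejected rather
// than silently skipped, which is what you want for untrusted input.
function base64Decode(text) {
  const body = text.replace(/=+$/, '');
  if (/[^A-Za-z0-9+\/\-_]/.test(body)) throw new Error('invalid Base64 character');
  if (body.length % 4 === 1) throw new Error('invalid Base64 length');
  const bytes = [];
  let buffer = 0;
  let bits = 0;
  for (const ch of body) {
    let v = STD_ALPHABET.indexOf(ch);
    if (v === -1) v = URL_ALPHABET.indexOf(ch); // '-' and '_' from Base64url
    buffer = ((buffer << 6) | v) & 0xffff; // keep only the bits not yet emitted
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      bytes.push((buffer >> bits) & 0xff);
    }
  }
  return Uint8Array.from(bytes);
}

// String wrappers: text is always converted to UTF-8 bytes first, so
// non-ASCII input round-trips correctly.
const encodeText = (s, opts) => base64Encode(new TextEncoder().encode(s), opts);
const decodeText = (b64) => new TextDecoder().decode(base64Decode(b64));
```

Run `encodeText('Hello')` to reproduce the `SGVsbG8=` from the text, and `decodeText('SGVsbG8')` to see that the padding is redundant for decoding: the output length already tells the decoder how many bits to discard.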
When you SHOULD use Base64
1. Embedding binary data in JSON or XML
JSON cannot natively represent raw bytes. APIs often return images, PDFs, or certificates as Base64 strings:
{
  "filename": "report.pdf",
  "content": "JVBERi0xLjQKJcfsj6IKNSAwIG9iago8PC9MZW5ndGggNiAwIFI..."
}
The receiver decodes the string back to bytes and saves or processes the file.
2. Data URLs in HTML and CSS
Inline images use Base64 to avoid a separate HTTP request:
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAAB..." />
This is a convenience optimization, not a security measure.
3. Email attachments (MIME)
Email systems were designed for 7-bit ASCII text. MIME encodes binary attachments as Base64 so they survive transit through legacy mail servers.
4. Storing small binary blobs in text-only systems
Sometimes you need to put a certificate, icon, or encryption IV into an environment variable, .env file, or database text column. Base64 makes that possible:
ENCRYPTION_IV=dGhpcyBpcyBhbiBJViAxMg==
5. JWT structure (as part of the format)
A JWT has three Base64url-encoded segments separated by dots: header.payload.signature. The encoding makes the token URL-safe. The security comes from the cryptographic signature in the third segment, not from the encoding of the first two. Use our JWT debugger to inspect tokens — you will see the payload is readable by anyone.
6. Transmitting data before encryption
A valid pattern: encode binary → encrypt the result. Base64 prepares data for text-based encryption tools. Cipherly's workflow lets you encode to Base64 and then encrypt with AES entirely in your browser.
When you should NOT use Base64
❌ "Hiding" passwords or API keys
// This is NOT security
const apiKey = Buffer.from('sk-live-secret-key-123').toString('base64');
Anyone who sees c2stbGl2ZS1zZWNyZXQta2V5LTEyMw== can decode it instantly. If you need to protect secrets at rest, use proper encryption or a secrets manager (AWS Secrets Manager, HashiCorp Vault, etc.).
❌ Obfuscating license keys or serial numbers
Base64 obfuscation is security through obscurity. Determined users decode it in seconds. Use cryptographic signing or online license validation instead.
❌ Replacing hashing for passwords
Base64 encodes. It does not slow down attackers. Passwords need Bcrypt or Argon2 — one-way functions designed to be computationally expensive.
❌ Compressing data
Base64 increases size by ~33%. For compression, use gzip, Brotli, or zstd. Never Base64-encode data hoping to make it smaller.
❌ URL parameters without Base64url
Standard Base64 uses + and /, which break in URLs. If you need URL-safe encoding, use Base64url (replaces + with - and / with _, often drops padding). JWTs use this variant.
Base64 vs Base64url vs Hex
| Format | Characters | URL-safe | Size overhead |
|---|---|---|---|
| Base64 | A-Za-z0-9+/= | No | ~33% |
| Base64url | A-Za-z0-9-_ | Yes | ~33% |
| Hex | 0-9a-f | Yes | 100% (doubles size) |
Hex encoding is simpler but twice as large. Use hex for short values like key fingerprints; use Base64 for larger binary blobs.
How to encode and decode in Node.js
// Standard Base64
const encoded = Buffer.from('Hello, Cipherly!').toString('base64');
const decoded = Buffer.from(encoded, 'base64').toString('utf8');
// Base64url (URL-safe)
const urlEncoded = Buffer.from('Hello, Cipherly!')
.toString('base64url');
console.log(encoded); // SGVsbG8sIENpcGhlcmx5IQ==
console.log(urlEncoded); // SGVsbG8sIENpcGhlcmx5IQ
In the browser, the Web API provides btoa() and atob() for strings, but they struggle with Unicode. For production code handling arbitrary bytes, use TextEncoder/TextDecoder with Uint8Array, or a well-tested library.
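The Unicode problem with btoa()/atob() and the TextEncoder fix look like this in practice. This is an added example, not code from the article; it assumes the browser globals btoa, atob, TextEncoder and TextDecoder, and the two fallbacks at the top exist only so the sample also runs under older Node.js versions (they mimic btoa's refusal of code points above 255).

```javascript
// Added example (not from the original article): Unicode-safe Base64 for
// browser code. btoa()/atob() only handle "binary strings" (one character per
// byte, code points 0-255), so text is first turned into UTF-8 bytes.
const toB64 = typeof btoa === 'function' ? btoa : (s) => {
  // Node fallback mimicking btoa: reject anything that is not a single byte.
  if (/[^\u0000-\u00ff]/.test(s)) throw new Error('InvalidCharacterError');
  return Buffer.from(s, 'latin1').toString('base64');
};
const fromB64 = typeof atob === 'function' ? atob
  : (s) => Buffer.from(s, 'base64').toString('latin1');

// Bytes -> Base64: build the binary string one character per byte, then btoa.
function bytesToBase64(bytes) {
  let binary = '';
  for (const b of bytes) binary += String.fromCharCode(b);
  return toB64(binary);
}

// Base64 -> bytes: atob gives the binary string back; map each char to a byte.
function base64ToBytes(b64) {
  const binary = fromB64(b64);
  return Uint8Array.from(binary, (ch) => ch.charCodeAt(0));
}

// Text wrappers: UTF-8 in, UTF-8 out, so multi-byte characters survive.
const utf8ToBase64 = (text) => bytesToBase64(new TextEncoder().encode(text));
const base64ToUtf8 = (b64) => new TextDecoder().decode(base64ToBytes(b64));

// What goes wrong without the byte step: btoa throws on any character whose
// code point exceeds 255, which is every CJK character, emoji, and so on.
function naiveBtoaFails(text) {
  try { toB64(text); return false; } catch { return true; }
}
```

The same `bytesToBase64`/`base64ToBytes` pair also covers arbitrary binary data (a file read as an ArrayBuffer, a key, an IV) since it never assumes the bytes are text.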
A safe workflow for sensitive data
If you need to move sensitive binary data through a text-based system:
- Encrypt first with AES-256-GCM using a strong key.
- Then Base64-encode the ciphertext for storage or transport.
- To reverse: Base64-decode → decrypt with the key.
The Base64 step is just formatting. The AES step provides the actual protection.
Never reverse this order. Base64-encoding plaintext and then encrypting the Base64 string works but is non-standard and can introduce unnecessary length expansion before encryption.
Testing and debugging Base64
During development you will constantly decode API responses, inspect JWT payloads, or convert test fixtures. Cipherly's Base64 tool handles text and file encoding entirely in your browser — useful when you are working with sample certificates or API keys you do not want to send to a random online converter.
For hashing file integrity (not encoding), use a hash generator instead. Base64 answers "how do I represent bytes as text?" Hashing answers "has this data changed?"
Common mistakes developers make
- Calling Base64 "encryption" in documentation or UI — it confuses your team and your users.
- Double-encoding — encoding already-encoded data because of a pipeline bug.
- Wrong charset assumptions — atob on UTF-8 strings with multi-byte characters produces garbled output.
- Ignoring padding — some decoders require = padding; Base64url often omits it.
- Storing large files as Base64 in databases — a 10 MB file becomes ~13 MB of text. Store binary in blob columns or object storage instead.
The bottom line
Base64 is a transport and representation format — nothing more. Use it when you need to move binary data through text-only channels. Never use it when you need confidentiality, integrity, or authentication.
For confidentiality, use AES. For integrity, use HMAC. For passwords, use Bcrypt. Base64 is the envelope, not the lock.
Cipherly Security Team
The Cipherly Security Team consists of passionate web developers and cryptography enthusiasts dedicated to making privacy and security accessible to everyone. We believe in open standards, zero-knowledge architecture, and education.