Base64 Encode/Decode

Base64 is a way of representing binary data using only 64 printable ASCII characters (A-Z, a-z, 0-9, plus, and slash). The reason it exists is that a lot of systems, like email protocols, JSON, URLs, and HTTP headers, were designed to handle text but not raw binary. So when you need to stuff an image into a JSON payload, embed a font in a CSS file, or send binary data through an API that only accepts strings, you Base64-encode it first. The encoding works by taking every three bytes of input and converting them into four ASCII characters, which is why Base64 output is always about 33% larger than the original. You will see it everywhere once you start looking: data URIs in HTML, SMTP email attachments, basic auth headers, and cryptographic certificates are all Base64-encoded. It is one of those fundamental building blocks of web development that most people use without thinking about.

Switch the tool to Encode mode and drop your image file directly in (PNG, JPG, SVG, GIF, or WebP). The output will be the raw Base64 string of the image bytes. To use it in HTML, wrap it in a data URI: <img src="data:image/png;base64,iVBORw0KGgo..." />. For CSS, use background-image: url('data:image/png;base64,iVBORw0KGgo...'). The MIME type prefix (image/png, image/jpeg, image/svg+xml) tells the browser how to interpret the bytes. Embedding small images this way avoids an extra HTTP request, which can speed up first paint for tiny icons under 2-3KB. For larger images, the 33% size overhead and loss of caching usually outweigh the request savings — keep external image files for anything bigger.

No, and this is a really common misconception that I see all the time. Base64 is encoding, not encryption. There is no key, no secret, no password involved. Anyone who has access to a Base64 string can decode it instantly and see the original content. It provides zero security. I have seen developers store passwords or API keys as Base64 strings thinking they were protected, and that is a serious mistake. If you look at an HTTP Basic Auth header, it says something like Basic dXNlcjpwYXNz and that looks obscure, but you can paste that string into any Base64 decoder and immediately see it says user:pass. If you need actual security, you want encryption (AES, RSA) or hashing (bcrypt, argon2). Base64 is purely a data formatting tool for making binary data safe to transmit through text-only channels. Think of it like a packaging format, not a lock.

Standard Base64 uses + and / as the last two characters, plus = for padding. Those characters have special meaning in URLs (+ becomes a space, / is a path separator), so they break when used directly in URL parameters or filenames. Base64URL replaces + with -, / with _, and drops the = padding. JWTs use Base64URL for that exact reason — the header, payload, and signature segments need to fit safely inside a URL or HTTP header. This tool handles standard Base64 by default; for JWTs, paste each segment between the dots into the decoder and it will work because most decoders accept both variants.