楊東霖

Posted on Mar 25 • Originally published at devplaybook.cc

Base64 Encode Decode Online: Complete Developer Guide

#webdev #programming #productivity #devtools

Base64 encoding comes up constantly in development—in authentication headers, data URIs, file uploads, email attachments, configuration files, and API responses. Most developers use it regularly but don't always understand what it's doing or why.

This guide covers how Base64 works, when to use it, the variants you'll encounter, and how to encode/decode efficiently in the browser and in code.

For immediate encoding or decoding: use the DevPlaybook Base64 encoder/decoder—browser-based, handles text and files, supports URL-safe mode, nothing sent to a server.

What Base64 Is (and What It Isn't)

Base64 is an encoding scheme, not encryption. This is the most important thing to understand about it.

Base64 converts binary data (or any byte sequence) into a string of 64 printable ASCII characters: A-Z, a-z, 0-9, +, and /. The output is longer than the input (roughly 33% larger), but it can be safely transmitted through systems that only handle text.

Base64 is not:

Encryption (it's trivially reversible)
Compression (it makes data larger)
A security measure (anyone can decode it)

Base64 is:

A way to represent binary data as ASCII text
A way to include data in contexts that require text (JSON, HTML, URLs, email)
A way to safely transmit data through systems that might corrupt binary bytes

Why Base64 Exists

Early internet protocols—SMTP (email), MIME, and many HTTP implementations—were designed for 7-bit ASCII text. Binary data (images, files, arbitrary bytes) contained byte values that these protocols would interpret as control characters or simply couldn't transmit.

Base64 solved this by mapping every 3 bytes of input to 4 printable ASCII characters. Since every character in the Base64 alphabet is a printable ASCII character (value 0-127), the encoded output passes safely through text-only systems.

Today, the original constraint (7-bit ASCII only systems) is largely obsolete. But Base64 persists because:

JSON doesn't support binary: to embed binary data in a JSON field, you Base64-encode it
HTML data URIs: embedding images directly in HTML/CSS
Basic Auth: HTTP Basic Authentication uses Base64-encoded credentials
JWTs: JSON Web Tokens use Base64url-encoded payloads
Public key cryptography: PEM files (SSL certificates, SSH keys) are Base64-encoded

How Base64 Encoding Works

The algorithm is simple:

Take 3 bytes of input (24 bits)
Split into 4 groups of 6 bits
Map each 6-bit group to a Base64 character (0-63 maps to the 64-character alphabet)

Input bytes:    M       a       n
Binary:         01001101 01100001 01101110
                └──────────────────────┘
                    24 bits total

Split to 4×6:   010011  010110  000101  101110
Decimal:        19      22      5       46
Base64:         T       W       F       u

Output:         TWFu

If the input isn't a multiple of 3 bytes, padding characters (=) are added to make the output a multiple of 4 characters:

Input: "Man"    (3 bytes) → "TWFu"     (no padding)
Input: "Ma"     (2 bytes) → "TWE="     (1 padding char)
Input: "M"      (1 byte)  → "TQ=="     (2 padding chars)

Standard Base64 vs URL-Safe Base64

The standard Base64 alphabet uses + and / as the 62nd and 63rd characters. These are special characters in URLs—+ means a space in URL-encoded strings, and / is a path separator.

For contexts where the encoded data appears in a URL (query parameter, path segment), use Base64url (URL-safe Base64):

Character	Standard Base64	Base64url
Index 62	`+`	`-`
Index 63	`/`	`_`
Padding	`=`	Often omitted

When to use Base64url:

JWT tokens (they use Base64url for header and payload)
URL parameters
File names
Any context where the encoded string appears in a URL

When to use standard Base64:

Email MIME encoding
HTTP Basic Auth
PEM certificates/keys
Data URIs in HTML/CSS

The Base64 encoder/decoder supports both modes—switch between them with one click.

Base64 in Authentication

HTTP Basic Authentication

Basic Auth transmits credentials as Base64-encoded username:password. The Authorization header looks like:

Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=

Decode that: dXNlcm5hbWU6cGFzc3dvcmQ= → username:password

Important: This is not secure over HTTP. The credentials are only Base64-encoded, not encrypted. Basic Auth requires HTTPS to be safe.

To decode a Basic Auth header manually:

Take everything after "Basic "
Base64 decode it
Split on the first : — everything before is the username, everything after is the password

The Base64 decoder does this in seconds.

JWT Tokens

A JWT is three Base64url-encoded sections separated by periods:

eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMTIzIn0.signature
    header              payload                   signature

Decode the middle section (payload) to see the claims:

eyJzdWIiOiJ1c2VyMTIzIn0
→ {"sub":"user123"}

The JWT decoder does this automatically and formats the output—but understanding that it's just Base64url under the hood helps when you're debugging.

Base64 in Data URIs

Data URIs embed file content directly in HTML or CSS, eliminating HTTP requests. They're useful for small images, icons, and inline fonts.

<!-- External image (HTTP request required) -->
<img src="/images/icon.png">

<!-- Inline data URI (no HTTP request) -->
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAA...">

The format is: data:[mimetype];base64,[base64-encoded-data]

For CSS:

.icon {
  background-image: url("data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDo...");
}

When to use data URIs:

Small images (under ~5KB) that are used on almost every page
Critical above-the-fold images
SVG icons that appear frequently

When not to use data URIs:

Large images (significantly increase page size)
Images used on only a few pages (can't be cached separately)
Modern HTTP/2 environments where parallel requests are efficient

Base64 in Configuration and Secrets

Base64 is commonly used to encode binary secrets (like HMAC keys or certificates) for storage in configuration files or environment variables.

# Store a binary secret in an env var
export APP_SECRET=$(openssl rand -base64 32)

# Store a certificate chain in an env var
export SSL_CERT=$(cat certificate.pem | base64)

Do not mistake this for security. A Base64-encoded secret is just as sensitive as the raw secret—anyone with the encoded value can decode it immediately. The encoding is only for representation, not protection.

For actual secret management, use:

Environment variable injection from secrets manager (AWS Secrets Manager, HashiCorp Vault)
Kubernetes secrets (which Base64-encode for YAML representation, but protect via RBAC)
CI/CD secret stores (GitHub Actions secrets, etc.)

Encoding and Decoding in Code

JavaScript (Browser and Node.js)

Text encoding/decoding:

// Encode text to Base64
const encoded = btoa("Hello, World!");
console.log(encoded); // "SGVsbG8sIFdvcmxkIQ=="

// Decode Base64 to text
const decoded = atob("SGVsbG8sIFdvcmxkIQ==");
console.log(decoded); // "Hello, World!"

Unicode strings (requires additional handling):

// For non-ASCII strings, encode as UTF-8 first
function encodeUnicode(str) {
  return btoa(unescape(encodeURIComponent(str)));
}

function decodeUnicode(str) {
  return decodeURIComponent(escape(atob(str)));
}

encodeUnicode("こんにちは"); // "44GT44KT44Gr44Gh44Gv"
decodeUnicode("44GT44KT44Gr44Gh44Gv"); // "こんにちは"

Binary data in Node.js:

// Encode binary data
const buffer = Buffer.from([0xFF, 0x00, 0x41]);
const encoded = buffer.toString("base64");
console.log(encoded); // "/wBB"

// Decode Base64 to buffer
const decoded = Buffer.from("/wBB", "base64");
console.log(decoded); // <Buffer ff 00 41>

// File to Base64
const fs = require("fs");
const fileData = fs.readFileSync("image.png");
const base64Image = fileData.toString("base64");

// Base64 URL-safe (no + or /)
const urlSafe = buffer.toString("base64url");

Python

import base64

# Encode
text = "Hello, World!"
encoded = base64.b64encode(text.encode("utf-8"))
print(encoded)  # b'SGVsbG8sIFdvcmxkIQ=='

# Decode
decoded = base64.b64decode(encoded).decode("utf-8")
print(decoded)  # Hello, World!

# URL-safe variant
url_safe = base64.urlsafe_b64encode(b"\xff\x00\x01")
print(url_safe)  # b'_wAB'

standard = base64.b64encode(b"\xff\x00\x01")
print(standard)  # b'/wAB'

# Encode a file
with open("image.png", "rb") as f:
    encoded = base64.b64encode(f.read())

Go

import "encoding/base64"

// Standard encoding
encoded := base64.StdEncoding.EncodeToString([]byte("Hello"))
decoded, err := base64.StdEncoding.DecodeString(encoded)

// URL-safe encoding
urlEncoded := base64.URLEncoding.EncodeToString([]byte{0xFF, 0x00})

// Without padding (common for JWTs)
rawEncoded := base64.RawStdEncoding.EncodeToString([]byte("Hello"))

Bash

# Encode
echo -n "Hello, World!" | base64
# SGVsbG8sIFdvcmxkIQ==

# Decode
echo "SGVsbG8sIFdvcmxkIQ==" | base64 --decode
# Hello, World!

# Encode a file
base64 < image.png > image.b64

# Decode a file
base64 --decode < image.b64 > image.png

# macOS uses -D instead of --decode
echo "SGVsbG8sIFdvcmxkIQ==" | base64 -D

Padding Issues

Padding (= characters) is technically required per the Base64 specification but many implementations omit it in URL contexts (JWT, URL parameters).

If you get a "invalid padding" error when decoding:

import base64

def safe_b64decode(data):
    """Add padding if necessary"""
    padding = 4 - len(data) % 4
    if padding != 4:
        data += "=" * padding
    return base64.b64decode(data)

In JavaScript:

function safeBase64Decode(str) {
  // Normalize URL-safe Base64 to standard
  str = str.replace(/-/g, "+").replace(/_/g, "/");
  // Add padding
  while (str.length % 4) {
    str += "=";
  }
  return atob(str);
}

Debugging Base64 Issues

"The output looks garbled": You may be decoding binary data as text. If the original data wasn't UTF-8 text, decoding to a string will produce garbage. Handle as bytes.

"Invalid character in Base64": The input contains a character not in the Base64 alphabet (spaces, newlines, URL-encoded characters). Strip whitespace and check for URL-encoding before decoding.

"Incorrect padding": Missing = padding. Use the safe decode functions above.

"Using wrong variant": If you encoded with URL-safe Base64 (- and _), you must decode with URL-safe Base64. Standard decoders will fail on these characters.

Use the DevPlaybook Base64 encoder/decoder to quickly verify encoded/decoded values and identify where the issue is.

Security Notes

Base64 ≠ encryption: Never use Base64 to protect sensitive data. Decode it before storing credentials as Base64-encoded.
Don't log Base64-encoded secrets: Encoded secrets are still secrets.
Validate decoded output: Before processing Base64-decoded data, validate it. Malformed Base64 input can produce unexpected byte sequences.
Be aware of content type: When decoding Base64 content from user input, validate what the decoded content actually is before processing it further—especially if writing to disk or passing to other systems.

Quick Reference

Standard alphabet:  A-Z a-z 0-9 + /
URL-safe alphabet:  A-Z a-z 0-9 - _
Padding character:  =

Size increase:      ceil(n/3) × 4 bytes (≈33% larger)
Padding:            = or == when input not divisible by 3

Use standard when:  HTTP headers, MIME, certificates, JSON
Use URL-safe when:  JWTs, URL params, file names

JavaScript:    btoa() / atob() for text
               Buffer.toString("base64") for binary (Node.js)
Python:        base64.b64encode() / b64decode()
               base64.urlsafe_b64encode() for URL-safe
Go:            base64.StdEncoding / base64.URLEncoding
Bash:          base64 / base64 --decode

Encode or decode any Base64 value instantly in the browser at DevPlaybook Base64 encoder/decoder. Handles text, binary files, URL-safe mode, and does not send your data anywhere.

Level Up Your Dev Workflow

Found this useful? Explore DevPlaybook — cheat sheets, tool comparisons, and hands-on guides for modern developers.

🛒 Get the DevToolkit Starter Kit on Gumroad — 40+ browser-based dev tools, source code + deployment guide included.

DEV Community