Open a JWT token, an embedded image in a CSS file, or an old email attachment and you'll find a long block of text that looks deliberately scrambled — something like SGVsbG8gd29ybGQh. It looks like a secret. It is not a secret. That block decodes to "Hello world!" in about one second, and understanding why clears up one of the most common mix-ups in casual tech conversation.
The misconception
Because Base64 output looks unreadable, people regularly assume it's a form of encryption or hashing — something that protects data. It isn't either of those things. Base64 is encoding, not encryption. The difference matters: encryption transforms data using a secret key so that only someone with that key can reverse it. Base64 uses no key at all. It's a fully public, fully reversible, one-to-one transformation — anyone, including any website's browser console, can decode it instantly with zero special access.
So what is it actually for?
Base64 solves a much more boring problem: some systems were only ever designed to carry plain text safely, not raw binary data or unusual characters. Email, for instance, was built for text — sending a raw image file through some older mail systems could corrupt it. Base64 re-packages that binary data into a safe alphabet of 64 characters (A–Z, a–z, 0–9, plus two symbols) that any text-only system can carry without choking on it.
That's the actual job: not secrecy, just safe transport through systems that don't understand anything except plain text.
Where you've already run into it
- Email attachments: Older email protocols encode binary files like images and PDFs as Base64 so they survive transport through text-based mail servers.
- Data URLs in CSS or HTML: A small image can be embedded directly into a stylesheet as Base64 text, avoiding an extra file request — common for tiny icons and background images.
- API tokens and JWTs: The middle section of a JSON Web Token is Base64-encoded JSON, not encrypted JSON. Anyone can decode it and read the contents; the security comes from a separate cryptographic signature, not from the encoding.
- Config files and URLs: Some systems Base64-encode values to avoid clashing with characters that have special meaning, like slashes or spaces.
The takeaway for anyone storing something sensitive
If you ever see "we Base64-encoded your password" or "your data is Base64-protected," that is not a security claim — it's the equivalent of writing something in a different alphabet that anyone can look up. Real protection comes from encryption (which needs a key) or hashing (which is one-way and can't be reversed at all). Base64 is neither. It's just a translator between binary data and plain text, nothing more.
Try it yourself
Our Base64 Encoder & Decoder converts text in both directions instantly, right in your browser — useful for inspecting a token, decoding a data URL, or just confirming for yourself how reversible it really is.