Guide
Base64 Encoding Is Not Encryption
Base64 is a reversible encoding format, not a security boundary. This guide explains safe and unsafe uses.
Related tools
What Base64 does
Base64 converts bytes into text characters that are convenient to store or transmit in systems that expect text. It is often used in data URIs, MIME email content, simple config values, and token formats.
Encoding is reversible by design. Anyone with the Base64 text can decode it back to the original bytes if they know the content format.
Why Base64 is not a security feature
Base64 does not use a secret key and does not hide data from someone who can see the encoded value. It may look unreadable at a glance, but it is not protected.
Putting an API key, password, or private payload in Base64 does not make it safe to publish, log, commit, or paste into untrusted systems.
Encoding, hashing, and encryption
- Encoding changes representation and is meant to be reversed.
- Hashing creates a one-way digest for comparison or integrity workflows.
- Encryption protects data with a key so authorized parties can decrypt it.
Legitimate uses
Base64 is useful when a text-only field needs to carry bytes or Unicode text. It is a format tool, not a trust tool. Use it for compatibility, not secrecy.
FAQ
Can Base64 contain sensitive data?
Yes. Treat Base64 text as sensitive if the original data was sensitive.
Is JWT payload data encrypted because it uses Base64URL?
No. Standard JWT header and payload sections are usually just Base64URL-encoded JSON, not encrypted.