What is URL-safe Base64 and when should I use it?

URL-safe Base64 replaces + and / with - and _ so the encoded string is safe in URLs, cookies, and JWT tokens without percent-encoding.

Why does Base64 end with == padding?

Base64 encodes 3 bytes into 4 characters. Padding characters (=) are added when the input length is not divisible by 3.

How do I Base64 encode and decode in PHP?

Use base64_encode($string) to encode and base64_decode($encoded) to decode. In JavaScript, btoa() encodes and atob() decodes.

Base64 Encode / Decode - Free Developer Tools

What is Base64 Encoding?

Base64 is an encoding scheme that converts binary data to a string of 64 printable ASCII characters (A–Z, a–z, 0–9, +, /). It is not encryption - anyone can decode it. The purpose of Base64 is to safely transmit binary data (images, files, arbitrary bytes) over channels that only support text, such as email, JSON payloads, XML, and HTML attributes. This free online Base64 encoder and decoder handles text, files, and images, with a URL-safe variant that replaces + and / with - and _ for safe use in URLs and cookies.

Common uses for Base64 encoding

Base64 appears throughout web development: data URIs embed images directly in HTML/CSS (src="data:image/png;base64,..."), eliminating an HTTP request. HTTP Basic Authentication encodes username:password as Base64 in the Authorization: Basic ... header - note this is not secure without HTTPS. JWT tokens use Base64url-encoded header and payload sections. SSH keys and TLS certificates (PEM format) are Base64-encoded DER data. Laravel's APP_KEY is a Base64-encoded 32-byte key.

Frequently Asked Questions

Is Base64 the same as encryption?

No. Base64 is an encoding scheme, not encryption. It converts binary to text using a fixed algorithm with no key. Anyone can decode a Base64 string without any secret. Use proper encryption (AES-256, RSA) if you need to protect data. Base64 only ensures binary data survives transport through text-only systems.

What is URL-safe Base64 and when do I use it?

Standard Base64 uses + and /, which have special meaning in URLs. URL-safe Base64 replaces them with - and _, making the encoded string safe to use in URL query parameters, cookie values, and JWT tokens without percent-encoding. In PHP: base64_encode() uses standard; strtr(base64_encode($data), '+/', '-_') gives URL-safe.

Why does Base64 output end with == or =?

Base64 encodes 3 bytes into 4 characters. If the input length is not a multiple of 3, padding characters (=) are added to make the output length a multiple of 4. One padding = means the last group had 2 bytes; two == means 1 byte. URL-safe Base64 often omits padding since the length can be inferred.

How do I encode and decode Base64 in PHP?

base64_encode($string) encodes, base64_decode($encoded) decodes. In Laravel, Crypt::encryptString() uses Base64 internally after AES encryption. For file contents: base64_encode(file_get_contents($path)). In JavaScript: btoa(string) encodes and atob(encoded) decodes.

Base64 Encode / Decode