Encoding
Translation into a safe alphabet — not a secret.
What it does
Base64 takes arbitrary bytes and rewrites them using 64 characters that are safe to put almost anywhere: A–Z, a–z, 0–9, +, and /. Every 3 bytes in become 4 of those characters out. No key, nothing hidden — it's a reversible translation, and anyone can run it backward.
Why it exists
Plenty of systems were built for text, not raw binary. Email headers, URLs, JSON — they choke on control characters, newlines, anything non-printable. Base64 launders those bytes into characters that survive the trip: embedding an image in a data URL, attaching a file to an email, stuffing a token into a URL.
The cost is size. Three bytes become four characters, so output grows by about 33%. The trailing = signs are padding, added so the length lands on a multiple of four.
The bit math
Here's the whole trick on three bytes. The same 24 bits get sliced into bytes one way and into base64 groups another — the boundaries don't line up, and that's the point.
in · 3 bytes
24 bits, two groupings
out · 4 characters
“Sun” → U3Vu. Twenty-four bits don't care how you slice them — 3×8 going in, 4×6 coming out. That 3-to-4 ratio is the whole +33% size cost.
Run it
Type something and watch it encode, then decode straight back with no key. Accented characters take more than one byte, so the counts drift apart.
bmHDr3ZlIGNhZsOp
naïve café
- input bytes
- 12
- base64 chars
- 16
- = padding
- none
It looks encrypted. It isn't.
This is the common mistake. Base64 output looks scrambled, so people assume it's protected. There's no key and no secret — atob() reverses it in one step. Base64 a password and ship it, and you've shipped the password. For secrecy you want encryption.
Decode anything
Paste any Base64 string and read it back. No key required — proof of the point above.
We Ride for Gondor
No key, no password, no permission — anyone with the string gets the text back. That's the point, and the reason it isn't security.