Base64 in one sentence
Base64 is a binary-to-text encoding: it represents arbitrary bytes using a text alphabet of 64 characters. It is useful when data must pass through systems that expect text, such as JSON, email, HTTP headers, Data URIs, and some tokens.
It is not encryption. A Base64 string can be decoded without a password, so it should never be used as a way to protect secrets.
How to recognize a Base64 candidate
Standard Base64 uses uppercase letters, lowercase letters, digits, +, /, and optional = padding. The encoded text is usually arranged in groups whose length is a multiple of four, ignoring line breaks and spaces.
A URL-safe variant, Base64URL, often uses - and _ instead of + and /. Appearance is only a clue: the reliable test is to decode it and inspect the result.
Decode it in a safe order
First keep a copy of the original string. Remove harmless whitespace, check that the alphabet and padding look valid, then decode to bytes. After that, interpret those bytes as UTF-8 text, JSON, an image, a certificate, compressed data, or another format.
If the decoded output is unreadable, it may still be valid Base64. It might represent binary data, compressed bytes, or encrypted content that needs a separate step.
What happens inside the encoding
Base64 groups input bytes in threes. Those 24 bits are split into four 6-bit values, and each value selects one character from the Base64 alphabet. The word Man becomes TWFu.
For a checked text example, Hello, Morse! encodes to SGVsbG8sIE1vcnNlIQ== and decodes back to the same UTF-8 text.
Padding and Unicode
When the input length is not divisible by three, Base64 adds padding. One leftover byte produces two = characters; two leftover bytes produce one =. Padding tells the decoder how many bytes to recover from the final group.
Base64 encodes bytes, not abstract characters. Text such as Café ☕ must first be converted to UTF-8 bytes; those bytes encode as Q2Fmw6kg4piV.
Common uses and security limits
Base64 is common in APIs, JSON fields, email attachments, Basic Auth headers, JWT parts, Data URI images, certificates, and configuration files. In each case, it solves a transport problem: making bytes safe for text-only channels.
Do not call Base64 “decryption,” and do not store passwords, API keys, or personal data merely Base64-encoded. If confidentiality matters, use real encryption before any transport encoding.