Base64 in API Security: Encoding Credentials, Tokens and Secrets
Learn how Base64 encoding fits into your API security workflow. Encode credentials for Basic Auth, decode API responses, and handle binary data safely in HTTP requests.
The Problem
You're integrating with a third-party API that uses HTTP Basic Authentication. The docs say to send credentials as Base64-encoded strings in the Authorization header, but you're not sure if your encoding is correct — the API keeps returning 401. Or you're receiving a binary payload in a JSON response as a Base64 string and need to inspect its contents. Base64 encoding and decoding is everywhere in API security, but the encoding rules are easy to get wrong.
Why This Matters
Base64 is the universal encoding for binary data in text-based protocols (HTTP, JSON, JWT). Every developer working with APIs encounters it daily: Basic Auth headers, JWT token components, binary file uploads in JSON, SSH keys in API requests, and email attachments. Understanding exactly how Base64 works — and how to quickly encode/decode without introducing errors — is a core API debugging skill. Importantly, Base64 is encoding, not encryption: decoded data is readable by anyone.
Step-by-Step Instructions
Encode credentials for HTTP Basic Auth
For Basic Auth, combine username and password with a colon: username:password. Paste this into the Base64 Encoder below and copy the encoded output. Your Authorization header becomes: Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=. The trailing = is Base64 padding — it's expected.
Decode API responses to inspect binary data
Many APIs return binary data (images, PDFs, certificates) as Base64-encoded strings in JSON payloads. Paste the Base64 string into the Decoder to inspect its raw content. For text-based content (certificates, SSH keys, JWT components), you'll immediately see the readable data. For binary data like images, you'll see binary characters — use an Image to Base64 converter instead.
Handle JWT token components
JWT tokens consist of three Base64url-encoded parts separated by dots. The header and payload are Base64url encoded (uses - and _ instead of + and /, no padding). Paste individual parts into the decoder to inspect them manually — useful when debugging without a dedicated JWT Decoder tool available.
Encode API keys and secrets for environment variables
When storing binary secrets (encryption keys, certificate thumbprints) in environment variables or CI/CD secrets, Base64 encode them first. This prevents shell escaping issues with special characters. Decode them at runtime in your application code before use: secret = base64.b64decode(os.environ['API_SECRET']).
Debug webhook payloads
Some webhook systems (GitHub, Stripe) sign their payloads using HMAC and Base64-encode the signature. Decode the signature from the X-Hub-Signature or Stripe-Signature header to compare it with your computed signature. Use Hash Generator alongside the Base64 tool to verify the full HMAC signature chain.
Try It Now — Base64 Encode/Decode
All processing happens in your browser — no data is sent to any server.
Before & After Example
Before:
# HTTP Basic Auth credentials:
Username: api_user_prod
Password: sk_live_xK9mN2pQ8rT4vW7y
# Needs to be Base64 encoded for Authorization header:
Authorization: Basic ???
# Also need to decode this JWT payload component:
eyJzdWIiOiJ1c2VyXzEyMyIsImVtYWlsIjoiYWxpY2VAZXhhbXBsZS5jb20ifQ
After:
# Basic Auth header (encoded):
Authorization: Basic YXBpX3VzZXJfcHJvZDpza19saXZlX3hLOW1OMnBROHJUNHZXN3k=
# Decoded JWT payload:
{
"sub": "user_123",
"email": "alice@example.com"
}
# Rule: Base64 = encoding (not encryption!)
# Never use Base64 to "secure" sensitive data
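The following Python is an added example, not code from the original page: it implements the Basic Auth step and the JWT inspection step above using the credential and payload values from the Before & After example. The token's header and its third segment are constructed here (the third segment is a placeholder, not a real signature), and decode_base64url restores the padding that Base64url omits so Python's standard decoder accepts JWT segments.

```python
import base64
import json


def basic_auth_header(username: str, password: str) -> str:
    """Value for an HTTP Basic Authorization header.

    Credentials are joined with a colon and encoded as UTF-8; the
    standard '=' padding is kept, as the header expects.
    """
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def encode_base64url(data: bytes) -> str:
    """Base64url as JWT uses it: '-' and '_' alphabet, no padding."""
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def decode_base64url(segment: str) -> bytes:
    """Decode one Base64url segment (JWT header or payload).

    JWT strips the '=' padding, so a strict decoder fails with
    'Incorrect padding'; restore it to a multiple of four first.
    urlsafe_b64decode maps '-' and '_' back to '+' and '/'.
    """
    missing = (-len(segment)) % 4
    if missing == 3:  # length 1 mod 4 can never be valid Base64
        raise ValueError("invalid Base64url segment length")
    return base64.urlsafe_b64decode(segment + "=" * missing)


def decode_jwt_claims(token: str) -> dict:
    """Return a compact JWT's payload claims for inspection only.

    The signature is NOT verified here, so do not trust the claims.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(decode_base64url(parts[1]))


# Credential and payload values from the page's Before & After example;
# the third JWT segment is a constructed placeholder, not a signature.
HEADER = basic_auth_header("api_user_prod", "sk_live_xK9mN2pQ8rT4vW7y")
PAYLOAD = "eyJzdWIiOiJ1c2VyXzEyMyIsImVtYWlsIjoiYWxpY2VAZXhhbXBsZS5jb20ifQ"
TOKEN = ".".join([encode_base64url(b'{"alg":"HS256","typ":"JWT"}'),
                  PAYLOAD, encode_base64url(b"placeholder-not-a-signature")])
```

Calling decode_jwt_claims(TOKEN) returns the same claims dict as the decoded payload in the Before & After example; feeding PAYLOAD straight to base64.b64decode would fail because the padding is missing.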
Frequently Asked Questions
Is Base64 encoding secure for storing passwords?
No. Base64 is not encryption or hashing — it's reversible encoding. Anyone who has the Base64 string can decode it instantly. Never use Base64 to 'hide' passwords or sensitive data. Use proper password hashing (bcrypt, Argon2, scrypt) for passwords, and proper encryption (AES-256-GCM) for sensitive data at rest.
What's the difference between Base64 and Base64url?
Standard Base64 uses + and / characters plus = padding. Base64url replaces these with - and _ and removes padding — making it safe for URLs and HTTP headers without percent-encoding. JWT tokens use Base64url. When in doubt, check whether your target system expects standard Base64 or Base64url.
Why does my Base64 string end with == or =?
Base64 encodes 3 bytes as 4 characters. When the input length isn't a multiple of 3, padding characters (=) fill the gap. One = means 1 byte of padding (input length was 2 mod 3), two == means 2 bytes of padding. Some systems strip padding; others require it. The Base64 encoder here includes standard padding by default.