All articles
Encoding

Base64, Base64URL, and Hex: Encoding Secrets

Generate Secret Keys team June 4, 2026 6 min read

Keys, hashes, and tokens are really just bytes. But you can't paste raw bytes into a config file, an HTTP header, or a URL — so we encode them into printable text. Three encodings dominate: hexadecimal, Base64, and Base64URL. Choosing the right one avoids a whole class of "why is my key broken?" bugs.

First: encoding is not encryption

This trips people up constantly. Base64 and hex provide no security — anyone can decode them back to the original bytes instantly. They're about representation, not protection. A Base64-encoded secret is exactly as sensitive as the raw bytes; encoding just makes it safe to transport, not safe to expose.

Hexadecimal

Hex represents each byte as two characters from 0–9a–f. It's the simplest and most universally safe encoding — no special characters, copy-pastes anywhere.

  • Alphabet: 16 symbols.
  • Size: 2 characters per byte, so a 32-byte key is 64 hex characters.
  • Best for: hashes, fingerprints, and anywhere maximum compatibility beats compactness.

Base64

Base64 packs 3 bytes into 4 characters using A–Z, a–z, 0–9, plus + and /, and pads the end with =. It's about 33% more compact than hex.

  • Alphabet: 64 symbols + = padding.
  • Size: ~4 characters per 3 bytes; a 32-byte key is 44 characters.
  • Watch out: +, /, and = have special meaning in URLs and filenames and often get mangled or percent-encoded.

Base64URL

Base64URL is the same idea with two substitutions that make it safe for URLs and filenames: + becomes -, / becomes _, and the = padding is usually dropped. This is the encoding used inside JWTs, and it's an excellent default for tokens and secrets that might end up in a query string or path.

Which should you use?

  • Going into a URL, header, JWT, or filename? Use Base64URL.
  • Want maximum compatibility and don't mind the length? Use hex.
  • Plain Base64? Fine for request bodies and config where +/= are handled correctly — just not in raw URLs.

One reassurance: the encoding never changes the secret's strength. 32 random bytes is 256 bits of entropy whether you show it as 64 hex chars or 43 Base64URL chars.

Convert and generate here

The Crypto Tools tab can transform text to Base64, Base64URL, or hex, and the key, JWT, salt, and token generators all let you pick the output encoding directly — locally in your browser.

Need to encode something? Convert text to Base64, Base64URL, or hex instantly with the transform tool.

Open the transform tool