HTTP Basic Authentication
HTTP Basic Auth sends credentials in the Authorization header as: Authorization: Basic <base64(username:password)>. The Base64 encoding is purely for format compatibility. The actual security requires HTTPS/TLS — without transport encryption, the encoded credentials are as exposed as plaintext.
API Keys and Bearer Tokens
Many API keys are Base64-encoded random bytes. The encoding ensures the key contains only safe ASCII characters for HTTP headers. The security comes from the cryptographic randomness of the underlying bytes — the encoding is incidental.
JWT Payload Encoding
JWT tokens encode three parts in URL-safe Base64: the algorithm header, the claims payload, and the signature. The payload is readable by anyone — it's not encrypted. Security comes entirely from the signature: only the server holding the signing key can produce a valid signature.
OAuth and Other Protocols
OAuth 2.0 uses Base64 encoding for client_id:client_secret encoding in the client credentials flow, mirroring HTTP Basic Auth. In each case, the encoding is a format requirement, not a security contribution.
In authentication systems, Base64 is always a format mechanism — security comes from TLS, cryptographic signatures, or random generation. Never assume the presence of Base64 implies the presence of security.