DevToolbox
All articles

What Is Base64 Encoding? A Developer's Guide

ยท 7 min read

If you have spent any time working with APIs, email protocols, or image embeds in CSS, you have almost certainly encountered Base64-encoded strings โ€” long blocks of letters, numbers, and + / / characters that end with one or two equals signs. This guide explains exactly what Base64 is, why it was invented, and when you should (and should not) use it.

The Core Problem Base64 Solves

Computers store and transmit data as binary โ€” sequences of 0s and 1s. Early internet protocols like SMTP (email) and HTTP were designed to transfer text, not arbitrary binary data. They operated on the assumption that all bytes would be printable ASCII characters (values 0โ€“127). Sending a raw binary file โ€” a JPEG image, a PDF, an executable โ€” through these channels would corrupt the data because certain byte values (like null bytes or control characters) were interpreted as special protocol commands.

Base64 solves this by representing any arbitrary binary data using only 64 safe printable characters: Aโ€“Z, aโ€“z, 0โ€“9, +, and /. An equals sign (=) is used as padding. Because these characters are universally safe to transmit through any text-based protocol, the encoded output arrives uncorrupted on the other side.

How Base64 Encoding Works

The algorithm works in groups of three bytes at a time. Each group of 3 bytes (24 bits) is split into four 6-bit chunks. Each 6-bit chunk maps to one of the 64 characters in the Base64 alphabet. Since 3 bytes become 4 characters, Base64 encoding inflates the data size by roughly 33%.

Here is a concrete example. Encoding the ASCII string Man:

M        a        n
01001101 01100001 01101110

Split into 6-bit groups:
010011  010110  000101  101110
  19      22      5      46

Base64 alphabet:
T       W       F       u

Result: TWFu

When the input is not a multiple of three bytes, padding characters (= or ==) are appended to bring the output length to a multiple of four characters.

URL-Safe Base64

The standard Base64 alphabet uses + and /, but these characters have special meaning in URLs. A URL-safe variant replaces them with - and _ respectively and typically omits the padding = signs. You will see this variant used in JWT tokens, where the header and payload are Base64url-encoded.

Common Uses of Base64

  • Email attachments โ€” MIME encodes binary attachments as Base64 so they survive SMTP transport.
  • Data URIs โ€” Embedding images, fonts, or small files directly in HTML or CSS: src="data:image/png;base64,iVBORw0K..."
  • API payloads โ€” Sending binary data (avatars, signatures, certificates) in a JSON body, which only carries strings.
  • JWT tokens โ€” The header and payload of a JSON Web Token are Base64url-encoded (not encrypted).
  • Basic HTTP authentication โ€” The Authorization: Basic header encodes username:password as Base64.

Base64 Is Not Encryption

This is the most important misconception to dispel. Base64 encoding is completely reversible by anyone who sees the encoded string โ€” no key, no password. It is a representation format, not a security mechanism. Storing a password as a Base64 string provides zero protection.

For confidentiality, use actual encryption (AES, RSA). For integrity verification, use a cryptographic hash (SHA-256, SHA-512). Base64 is only about making binary data safe to pass through text-based systems.

Base64 vs Hex Encoding

Hex encoding (also called hexadecimal or Base16) is another common way to represent binary as text. It uses 16 characters (0โ€“9, aโ€“f) and encodes each byte as exactly two characters โ€” meaning hex output is twice the size of the original data (100% overhead), compared to Base64's 33%. Base64 is more compact; hex is more human-readable for short values like hash digests.

Decoding Base64 in Different Languages

Most platforms provide native Base64 support:

# Python
import base64
decoded = base64.b64decode("SGVsbG8gV29ybGQ=")  # b'Hello World'

# JavaScript (browser)
atob("SGVsbG8gV29ybGQ=")  // "Hello World"

# Node.js
Buffer.from("SGVsbG8gV29ybGQ=", "base64").toString()  // "Hello World"

# Bash
echo "SGVsbG8gV29ybGQ=" | base64 --decode  # Hello World

Key Takeaways

  • Base64 converts binary data to safe printable ASCII text, adding ~33% size overhead.
  • It was invented to safely transport binary through text-only protocols like SMTP.
  • It is not encryption โ€” anyone can decode it instantly.
  • URL-safe Base64 (-_ instead of +/) is used in JWTs and other URL contexts.
Try it free
Base64 Encoder / Decoder
100% client-side ยท no signup ยท no upload
Open tool โ†’