💻 Text & Dev

📦 📦 Base64 Encoder / Decoder: How Base64 Encoding Works

Learn how Base64 encoding works and where it's used. Covers the encoding algorithm, why it expands data by 33%, common uses in emails, images, JWTs, and data URIs.

⏱️ 8 min read🦉 365tool.net🌍 For everyone worldwide

Base64 is a binary-to-text encoding scheme that converts any binary data — images, files, cryptographic keys, or arbitrary bytes — into a string of 64 printable ASCII characters. It's ubiquitous in web development, email systems, JWTs, and APIs. Understanding what Base64 does (and what it doesn't do) prevents common misconceptions about security and data handling.

Why Base64 Exists

Many systems that transmit or store data were designed to handle text, not arbitrary binary bytes. Email protocols (SMTP), HTML, JSON, and many database fields work natively with text. Binary data embedded directly in these systems can corrupt or break, because certain byte values (like 0x00 null bytes, or bytes that look like control characters) are interpreted as commands rather than data.

Base64 solves this by converting binary data into a safe subset of ASCII characters that can travel through any text-based channel without corruption.

The Base64 Alphabet

Base64 uses 64 characters: A–Z (26), a–z (26), 0–9 (10), + and / (2) = 64 total. The = sign is used as padding.

Each Base64 character represents exactly 6 bits of data (since log₂(64) = 6).

How the Encoding Works

  1. Take the input bytes
  2. Group the bits into chunks of 6 (instead of 8)
  3. Map each 6-bit value to the corresponding Base64 character
  4. Add = padding if the input isn't a multiple of 3 bytes

Worked Example: Encode "Man"

ASCII bytes: M=77 (01001101), a=97 (01100001), n=110 (01101110)

Binary: 010011 010110 000101 101110

Decimal: 19, 22, 5, 46

Base64 characters: T, W, F, u → TWFu

Why Base64 Increases Data Size by 33%

3 bytes (24 bits) of input become 4 Base64 characters (still 24 bits, but each character is one byte = 32 bits overhead). The expansion factor is precisely 4/3 ≈ 1.333.

  • 1 KB binary → ~1.33 KB Base64
  • 1 MB image → ~1.33 MB Base64
  • 100 KB file → ~133 KB Base64

This size increase is the main cost of Base64 encoding. For this reason, Base64-encoded images embedded in HTML (data URIs) should be used sparingly — they inflate HTML document size and can't be separately cached by browsers.

Common Uses of Base64

Email Attachments (MIME)

SMTP email protocol was originally designed for 7-bit ASCII text. Email attachments (PDFs, images, office documents) are Base64-encoded before transmission. Your email client automatically decodes them when displaying. This is why the email standard is called MIME (Multipurpose Internet Mail Extensions).

Data URIs (Images in HTML/CSS)

Images can be embedded directly in HTML or CSS without a separate HTTP request:

<img src="data:image/png;base64,iVBORw0KGgo...">

Useful for small icons and thumbnails where the round-trip HTTP request would cost more than the 33% size overhead. Not recommended for large images.

JSON Web Tokens (JWT)

JWTs use Base64URL encoding (a variant of Base64 that replaces + with - and / with _ to make the result URL-safe). A JWT has three parts separated by dots: header.payload.signature — all Base64URL encoded. The payload contains claims like user ID and permissions.

Important: JWT Base64 encoding is NOT encryption. Anyone can decode the payload and read its contents. JWTs are verified by signature, not hidden by encoding.

API Credentials (HTTP Basic Auth)

HTTP Basic Authentication sends credentials as Base64-encoded "username:password" in the Authorization header:

Authorization: Basic dXNlcjpwYXNzd29yZA==

This is not secure on its own — anyone who intercepts the request can decode it instantly. Always use Basic Auth over HTTPS only.

Cryptographic Keys and Certificates

PEM format (Privacy Enhanced Mail) uses Base64 to encode SSL/TLS certificates, SSH keys, and other cryptographic objects between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers.

Base64 vs Encryption: A Critical Distinction

Base64 is encoding, not encryption. It is completely reversible by anyone — no key is required to decode it. "Encoded" text is not secret or protected. Anyone who sees Base64-encoded data can decode it in seconds using any Base64 decoder.

Do not use Base64 to "hide" passwords, API keys, or sensitive data. For actual security, use proper encryption (AES, RSA) or hashing (SHA-256, bcrypt for passwords).

Try It Yourself! ✨

Use our free Base64 Encoder / Decoder — results appear as you type. No sign-up needed!

🚀 Open Base64 Encoder / Decoder Free

❓ Frequently Asked Questions

What is Base64 encoding?
Base64 is a binary-to-text encoding that converts any binary data into 64 printable ASCII characters (A–Z, a–z, 0–9, +, /). It allows binary content — images, files, cryptographic keys — to be safely embedded in text-based systems like email, HTML, JSON, or URLs that weren't designed for raw binary data.
Why does Base64 increase file size?
Base64 encodes every 3 bytes of input into 4 characters, a 33% size increase. This is because each Base64 character represents 6 bits (log₂(64)=6), while each byte is 8 bits. The ratio is 4 characters × 8 bits = 32 bits output per 3 bytes × 8 bits = 24 bits input. A 1 MB image becomes approximately 1.33 MB when Base64 encoded.
Is Base64 a form of encryption?
No. Base64 is encoding, not encryption. It's completely reversible by anyone with no key required — it just changes the representation of data. Base64-encoded content is not secret or protected. Never use Base64 to hide passwords, API keys, or sensitive data. Use proper encryption (AES, RSA) for security and hashing (SHA-256, bcrypt) for passwords.
What are JWTs and how do they use Base64?
JSON Web Tokens (JWTs) use Base64URL encoding (Base64 with + replaced by - and / replaced by _ for URL safety) to encode three parts: header.payload.signature. The payload contains claims like user ID and expiry. Base64URL encoding makes JWTs readable and URL-safe, but the content is not hidden — anyone can decode the header and payload. The signature (using a secret key) is what makes JWTs tamper-proof.
What is the difference between Base64 and Base64URL?
Standard Base64 uses + and / characters, which have special meaning in URLs. Base64URL replaces + with - and / with _, and typically omits the = padding. Base64URL is used wherever Base64 data appears in URLs or file names — notably in JWTs, OAuth tokens, and web API responses. Standard Base64 is used in email, data URIs, and most file encoding contexts.