Learn how Base64 encoding works and where it's used. Covers the encoding algorithm, why it expands data by 33%, common uses in emails, images, JWTs, and data URIs.
Base64 is a binary-to-text encoding scheme that converts any binary data — images, files, cryptographic keys, or arbitrary bytes — into a string of 64 printable ASCII characters. It's ubiquitous in web development, email systems, JWTs, and APIs. Understanding what Base64 does (and what it doesn't do) prevents common misconceptions about security and data handling.
Many systems that transmit or store data were designed to handle text, not arbitrary binary bytes. Email protocols (SMTP), HTML, JSON, and many database fields work natively with text. Binary data embedded directly in these systems can corrupt or break, because certain byte values (like 0x00 null bytes, or bytes that look like control characters) are interpreted as commands rather than data.
Base64 solves this by converting binary data into a safe subset of ASCII characters that can travel through any text-based channel without corruption.
Base64 uses 64 characters: A–Z (26), a–z (26), 0–9 (10), + and / (2) = 64 total. The = sign is used as padding.
Each Base64 character represents exactly 6 bits of data (since log₂(64) = 6).
ASCII bytes: M=77 (01001101), a=97 (01100001), n=110 (01101110)
Binary: 010011 010110 000101 101110
Decimal: 19, 22, 5, 46
Base64 characters: T, W, F, u → TWFu
3 bytes (24 bits) of input become 4 Base64 characters (still 24 bits, but each character is one byte = 32 bits overhead). The expansion factor is precisely 4/3 ≈ 1.333.
This size increase is the main cost of Base64 encoding. For this reason, Base64-encoded images embedded in HTML (data URIs) should be used sparingly — they inflate HTML document size and can't be separately cached by browsers.
SMTP email protocol was originally designed for 7-bit ASCII text. Email attachments (PDFs, images, office documents) are Base64-encoded before transmission. Your email client automatically decodes them when displaying. This is why the email standard is called MIME (Multipurpose Internet Mail Extensions).
Images can be embedded directly in HTML or CSS without a separate HTTP request:
<img src="data:image/png;base64,iVBORw0KGgo...">
Useful for small icons and thumbnails where the round-trip HTTP request would cost more than the 33% size overhead. Not recommended for large images.
JWTs use Base64URL encoding (a variant of Base64 that replaces + with - and / with _ to make the result URL-safe). A JWT has three parts separated by dots: header.payload.signature — all Base64URL encoded. The payload contains claims like user ID and permissions.
Important: JWT Base64 encoding is NOT encryption. Anyone can decode the payload and read its contents. JWTs are verified by signature, not hidden by encoding.
HTTP Basic Authentication sends credentials as Base64-encoded "username:password" in the Authorization header:
Authorization: Basic dXNlcjpwYXNzd29yZA==
This is not secure on its own — anyone who intercepts the request can decode it instantly. Always use Basic Auth over HTTPS only.
PEM format (Privacy Enhanced Mail) uses Base64 to encode SSL/TLS certificates, SSH keys, and other cryptographic objects between -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- markers.
Base64 is encoding, not encryption. It is completely reversible by anyone — no key is required to decode it. "Encoded" text is not secret or protected. Anyone who sees Base64-encoded data can decode it in seconds using any Base64 decoder.
Do not use Base64 to "hide" passwords, API keys, or sensitive data. For actual security, use proper encryption (AES, RSA) or hashing (SHA-256, bcrypt for passwords).
Use our free Base64 Encoder / Decoder — results appear as you type. No sign-up needed!
🚀 Open Base64 Encoder / Decoder Free