The Problem Base64 Solves
Computers store everything as binary: sequences of 0s and 1s. But many systems designed to move data around (email protocols, HTTP headers, URLs, XML, JSON) were built to handle text, specifically the ASCII character set. When binary data (an image, a PDF, an audio file) needs to travel through one of these text-based systems, problems arise: some binary byte values correspond to control characters that the protocol interprets as commands, corrupting the data in transit.
Base64 was invented to solve this problem. It converts binary data into a safe subset of printable ASCII characters (specifically the 64 characters A-Z, a-z, 0-9, +, and /) that can pass through any text-based system without corruption. The "64" refers to the size of this alphabet.
How Base64 Encoding Works
Base64 processes input data in groups of three bytes (24 bits) at a time. Each group of 24 bits is split into four groups of 6 bits each. Each 6-bit group (values 0-63) maps to one of the 64 characters in the Base64 alphabet.
The result is that every 3 bytes of input become 4 Base64 characters, a size increase of exactly one-third (33%). If the input is not divisible by 3, one or two padding characters (=) are added to make the output length a multiple of 4.
Example: The ASCII text "Man" encoded in Base64 is "TWFu".
- M = 77 = 01001101
- a = 97 = 01100001
- n = 110 = 01101110
- Combined 24 bits: 010011 010110 000101 101110
- Mapped to Base64 alphabet: T W F u
Where You Encounter Base64
Base64 is everywhere in modern software, often invisibly:
- Email attachments: The MIME standard uses Base64 to encode attachments so they can travel through SMTP, an originally text-only protocol.
- JSON Web Tokens (JWTs): JWTs encode their header and payload as Base64URL (a URL-safe variant using - and _ instead of + and /). You can decode the payload of any JWT directly to see the claims inside.
- HTTP Basic Authentication: The Authorization header encodes "username:password" as Base64. Important: this is encoding, not encryption. It is trivially reversible and provides no security over plain HTTP.
- Data URIs in HTML/CSS: Small images and fonts can be embedded directly in HTML or CSS as Base64-encoded data URIs: src="data:image/png;base64,iVBOR...". This eliminates an extra HTTP request for small assets.
- Certificates and keys: SSH public keys, TLS certificates, and PEM-format private keys are Base64-encoded binary data wrapped in header/footer lines.
- API payloads: Binary files (images, documents) included in JSON API requests are typically Base64-encoded so they can be safely embedded in a JSON string.
Base64 Is Encoding, Not Encryption
This distinction is critically important and frequently confused. Base64 has no secret key. Anyone who sees a Base64-encoded string can decode it instantly; it is a completely reversible, publicly documented transformation. It provides zero security.
HTTP Basic Auth sends credentials encoded in Base64 over the wire. If the connection is not encrypted (HTTPS), anyone intercepting the traffic can decode the credentials in seconds. Base64 does not protect them; HTTPS does.
Never use Base64 as a security measure. Use it only for what it was designed for: safely transmitting binary data through text-based systems.
Base64 vs Base64URL
Standard Base64 uses + and / in its alphabet. These characters have special meanings in URLs (+ means space, / separates path segments), which causes problems when Base64 strings appear in URLs or URL parameters.
Base64URL is a variant that replaces + with - and / with _ to create URL-safe strings. JWTs use Base64URL. When working with tokens in URLs, always check which variant is expected; they are not interchangeable without converting between the two character sets.
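As an added example (not part of the original article), the Python below reads a JWT's claims and a Basic Auth credential with no key at all, and shows that a strict standard-Base64 decoder rejects Base64URL text until the alphabet and padding are converted. The function names, token and credential are constructed for illustration.

```python
import base64
import json

def b64url_encode(data: bytes) -> str:
    """Base64URL as used in JWTs: '-' and '_' alphabet, '=' padding stripped."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    """Map Base64URL back to the standard alphabet, restore padding, decode strictly."""
    std = text.replace("-", "+").replace("_", "/")
    std += "=" * (-len(std) % 4)
    return base64.b64decode(std, validate=True)

def read_jwt_unverified(token: str) -> dict:
    """Decode header and payload. No key is needed and NO signature check is done."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return {"header": json.loads(b64url_decode(parts[0])),
            "payload": json.loads(b64url_decode(parts[1]))}

def read_basic_auth(header_value: str) -> tuple:
    """Recover (username, password) from an 'Authorization: Basic ...' value."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, sep, password = base64.b64decode(blob, validate=True).decode("utf-8").partition(":")
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password

def strict_standard_accepts(text: str) -> bool:
    """True if a strict standard-Base64 decoder accepts the text unchanged."""
    try:
        base64.b64decode(text, validate=True)
        return True
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False

# Constructed sample values, not captured from any real system.
SAMPLE_JWT = ".".join([
    b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()),
    b64url_encode(json.dumps({"sub": "alice", "role": "admin"}).encode()),
    b64url_encode(b"\xfb\xff placeholder, not a real signature"),
])
SAMPLE_BASIC = "Basic " + base64.b64encode(b"alice:s3cret").decode("ascii")

if __name__ == "__main__":
    print(read_jwt_unverified(SAMPLE_JWT), read_basic_auth(SAMPLE_BASIC))
```

Readable claims say nothing about authenticity: a server must still verify the signature before trusting anything in the payload.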
When Should You Actually Use Base64?
Use Base64 when you need to embed binary data in a text-based context:
- Sending a file in a JSON API request body
- Embedding a small image as a Data URI in HTML or CSS
- Working with JWTs, PEM certificates, or SSH keys
- Storing binary data in a text field in a database
Do not use Base64 when the data is already text, when you are trying to compress data (Base64 expands by 33%), or when you think it provides any security benefit.