TL;DR
- → Base64 converts binary data to plain ASCII text so it travels safely through systems that only handle text.
- → It is encoding, not encryption — anyone can decode it instantly. Never use it for security.
- → Encode and decode any string instantly with the free Base64 Encoder / Decoder.
Advertisement Space
You have almost certainly encountered Base64 without knowing it. It appears in JWT tokens, email attachments, embedded images in CSS, API authentication headers, and data URIs. Understanding what it is — and what it is not — saves you from two common mistakes: thinking it provides security, and not knowing when it is the right tool.
Use the Base64 Encoder / Decoder alongside this post to see the output for any input you have in mind.
The Problem Base64 Solves
Binary data — images, audio, compiled files — contains byte values that many text-based protocols cannot handle. Email (SMTP), HTTP headers, and XML parsers all expect printable ASCII characters. If you try to send raw binary through them, the data gets corrupted.
Base64 solves this by re-encoding binary bytes into a 64-character alphabet: A–Z, a–z, 0–9, +, and /. Every byte value in that alphabet is printable and safe to transmit through any text-based system.
How It Works
Base64 converts data in groups of 3 bytes → 4 characters:
Each 6-bit group maps to one of the 64 characters in the Base64 alphabet. 3 input bytes always produce exactly 4 output characters. If the input length is not divisible by 3, = padding is added to complete the final group.
Where You Will See It
| Use Case | Example | Why Base64? |
|---|---|---|
| HTTP Basic Auth | Authorization: Basic dXNlcjpwYXNz | Encodes username:password for headers |
| JWT tokens | eyJhbGciOiJSUzI1NiJ9... | Encodes header + payload as Base64url |
| Email attachments | MIME encoded files | SMTP only handles 7-bit ASCII text |
| Data URIs | data:image/png;base64,... | Embeds binary images in HTML/CSS |
| API keys / secrets | Many SaaS token formats | Compact, URL-safe string representation |
| SSH keys | ssh-rsa AAAA... | Encodes the binary key material |
Base64 vs Base64url
Standard Base64 uses + and /, which are reserved characters in URLs. Base64url replaces them:
| Variant | Characters | Use when |
|---|---|---|
| Base64 | + and / | Email, file storage, data URIs |
| Base64url | - and _ (instead of + and /) | URLs, JWTs, filenames, query strings |
When Not to Use It
✗ Do not use it for security
Base64 is reversible by anyone with a decoder. Storing passwords as Base64 is equivalent to storing them in plain text. Use bcrypt, scrypt, or Argon2 for passwords. Use AES-256 for symmetric encryption of sensitive data.
✗ Do not use it for large files
Base64 inflates file size by ~33%. A 10MB image becomes ~13.3MB encoded. Serve images as files with proper caching rather than embedding them as data URIs.
✗ Do not use it as compression
Base64 makes data larger, not smaller. If you need to reduce payload size, use gzip or Brotli compression, then optionally encode if the transport requires text.
Quick Reference: Encoding in Code
JavaScript (browser)
btoa("hello") // encode
atob("aGVsbG8=") // decodeJavaScript (Node.js)
Buffer.from("hello").toString("base64") // encode
Buffer.from("aGVsbG8=", "base64").toString() // decodePython
import base64
base64.b64encode(b"hello") # encode
base64.b64decode("aGVsbG8=") # decodeBash
echo -n "hello" | base64 # encode echo "aGVsbG8=" | base64 -d # decode
For one-off tasks, skip the code entirely — paste any string into the Base64 Encoder / Decoder and get the result instantly.
Frequently Asked Questions
Is Base64 a form of encryption?
No. Base64 is encoding, not encryption. It transforms data into a different representation, but anyone who sees the Base64 string can decode it instantly — no key required. Never use Base64 to hide sensitive data like passwords or tokens. Use proper encryption (AES, RSA) for that. Base64 is for safe transport, not security.
Why does Base64 output end with == or =?
Base64 works in groups of 3 bytes at a time, converting them to 4 characters. If the input isn't divisible by 3, padding characters (=) are added to fill the final group. One = means the last group had 2 bytes; == means it had 1 byte. The padding ensures decoders know exactly where the data ends.
Does Base64 make data larger?
Yes — Base64-encoded data is roughly 33% larger than the original. Every 3 bytes of input become 4 characters of output. This is the trade-off: you gain compatibility (plain text travels anywhere) but pay in size. For large files like images or videos, this overhead adds up — which is why Base64 is better suited to small payloads like API tokens or embedded icons.
What is the difference between Base64 and Base64url?
Standard Base64 uses + and / characters, which have special meaning in URLs (+ is a space, / is a path separator). Base64url replaces + with - and / with _, making the output safe to include in URLs and filenames without percent-encoding. JWTs use Base64url for exactly this reason. When in doubt about which to use, check whether your output will appear in a URL — if yes, use Base64url.
Can I use Base64 to embed images in HTML or CSS?
Yes. Data URIs use Base64 to embed image content directly in HTML or CSS, eliminating a separate HTTP request. The format is: data:[mimetype];base64,[encoded-data]. For example: <img src="data:image/png;base64,iVBORw0KGgo...">. This is useful for small icons (under ~5KB) where the round-trip cost of an HTTP request outweighs the 33% size overhead. For larger images, a regular URL is faster.