What Is Base64

Base64 is an encoding scheme that represents binary data as ASCII text. It maps 3 bytes (24 bits) of input into 4 printable characters using an alphabet of 64 characters: uppercase A-Z, lowercase a-z, digits 0-9, plus (+), and forward slash (/).

Important: Base64 is encoding, not encryption. It transforms data into a different format but provides no security. Anyone can decode Base64 instantly with a simple tool.

Why Does Base64 Exist

Binary data often needs to travel through systems that only safely handle text. Base64 solves this problem by converting binary into readable ASCII.

You encounter Base64 in:

  • Email (MIME): Attachments are Base64-encoded before sending
  • JSON: Binary data embedded in JSON payloads
  • HTTP headers: Basic authentication credentials
  • Data URIs: Embedding images directly in HTML/CSS
  • JWT tokens: The payload segment uses Base64url
  • PEM certificates: X.509 certs are Base64-wrapped

How Base64 Works Mechanically

The encoding process converts input bytes into 6-bit groups, then maps each group to a character in the Base64 alphabet.

The Base64 Alphabet:

A-Z (0-25)
a-z (26-51)
0-9 (52-61)
+ (62)
/ (63)
= (padding)

Step-by-step example: Encoding "Man"

Input: M, a, n

ASCII values: M=77, a=97, n=110

Binary (8 bits each):

M: 01001101
a: 01100001
n: 01101110

Group into 6-bit chunks:

010011 010110 000101 101110

Decimal values: 19, 22, 5, 46

Base64 alphabet lookup:

19 = T
22 = W
5  = F
46 = u

Result: TWFu

Padding with the Equals Sign

Input isn't always a multiple of 3 bytes. Padding ensures output length is always a multiple of 4:

  • Input ends with 2 bytes: Add 1 equals sign (e.g., "dG8=")
  • Input ends with 1 byte: Add 2 equals signs (e.g., "YQ==")
  • Input is exact multiple of 3: No padding needed

Example: "Ma" encodes to "TWE=" (one byte short, so one padding character).

Base64url: The URL-Safe Variant

Standard Base64 uses + and / which conflict with URL syntax. Base64url replaces them:

  • + becomes - (hyphen)
  • / becomes _ (underscore)

Base64url is the standard for:

  • JWT tokens: Both the header and payload segments
  • OAuth 2.0: Code challenge in PKCE flows
  • URL parameters: Embedding data in query strings

Many Base64url implementations also omit padding, so you'll see JWTs without trailing = signs.

Where You Encounter Base64

JWT (JSON Web Tokens)

JWTs have three segments separated by periods: header.payload.signature. Each segment is Base64url-encoded.

eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.signature

HTTP Basic Authentication

Credentials are Base64-encoded and sent in the Authorization header:

Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=

Decoded: username:password

Data URIs

Embed images directly in HTML/CSS without separate file requests:

<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUA...">

PEM Certificates

X.509 certificates wrap Base64 data between BEGIN/END markers:

-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAI...
-----END CERTIFICATE-----

Email MIME Encoding

File attachments are Base64-encoded before transmission over SMTP.

Base64 Is NOT Encryption

Critical security point: Base64 is completely transparent to anyone with a decoder. Never use it to "hide" sensitive data. Always use proper encryption (AES, TLS) for actual security.

If you see sensitive data Base64-encoded, assume it's been exposed.

Character Encoding: UTF-8 and Base64

Base64 works on bytes, not characters. Non-ASCII characters (emoji, accented letters) need UTF-8 encoding first.

In JavaScript, btoa() only accepts single-byte characters. For multi-byte UTF-8:

// Wrong: btoa("café") throws error
// Right: btoa(encodeURIComponent("café"))
// Result: Y2Fmw6k=

Always UTF-8 encode text before Base64 encoding non-ASCII content.

Size Overhead

Base64 expands data by approximately 33%. The formula:

Base64 size = (input size / 3) × 4
= input size × 1.33

A 1 MB file becomes ~1.33 MB when Base64-encoded. This matters for data URIs and email attachments.

Related Tools

Try it yourself:

Learn More