Base64 is a way of representing binary data (anything from images to executables) using only the 64 characters that are safe to put in text. It is not encryption, it is not compression, and it does not protect anything. It exists to solve one specific problem: getting binary data through systems that only handle text safely.
Key Takeaways
- Base64 encodes binary data as ASCII text using 64 characters: A–Z, a–z, 0–9, and two extras (typically + and /).
- It expands data size by roughly 33%: every 3 bytes of input becomes 4 characters of output.
- Common uses: email attachments, data URIs in HTML/CSS, JSON payloads, JWTs.
- Base64 is not encryption; anyone can decode it instantly.
- Base64 is not compression; the encoded output is larger than the input.
Why Base64 Exists
Many systems were designed to handle text, not arbitrary binary data:
- Email (SMTP) historically transmitted only 7-bit ASCII characters
- JSON and XML are text-based; embedding raw binary breaks them
- URLs have characters that have special meaning (
?,&,#) - HTTP headers are text fields
- Some databases prefer text columns for portability
If you try to put a JPEG image into any of these systems, the binary bytes can contain values that look like control characters, line breaks, or syntax markers, and the system breaks.
Base64 solves this by converting any binary data into a sequence of safe text characters. The receiving system decodes it back to the original bytes.
How the Encoding Works
Base64 takes 3 bytes (24 bits) of input and produces 4 characters (each representing 6 bits) of output. The 64 characters are:
- 26 uppercase letters: A–Z
- 26 lowercase letters: a–z
- 10 digits: 0–9
- 2 special characters: usually
+and/
That's 64 total, hence the name. The = character is used as padding when the input length isn't a multiple of 3.
Worked Example: Encoding "Cat"
The word "Cat" is 3 bytes:
- C = 67 (binary 01000011)
- a = 97 (binary 01100001)
- t = 116 (binary 01110100)
Combined into one 24-bit string: 010000 110110 000101 110100
Split into 4 groups of 6 bits, each becomes a number 0–63:
- 010000 = 16 → 'Q'
- 110110 = 54 → '2'
- 000101 = 5 → 'F'
- 110100 = 52 → '0'
Result: "Q2F0". The Base64 of "Cat" is "Q2F0".
Padding
If the input isn't a multiple of 3 bytes, the encoder pads:
- "Ca" (2 bytes) → "Q2E=" (4 chars with one
=) - "C" (1 byte) → "Qw==" (4 chars with two
=)
Padding ensures the output length is always a multiple of 4 characters.
Size Expansion
Base64 always increases data size by 4/3 (about 33%) plus a few characters for padding. This is the trade-off: safety in text-only systems at the cost of larger payload.
| Input Size | Base64 Size |
|---|---|
| 100 bytes | 136 chars |
| 1 KB | ~1.37 KB |
| 1 MB | ~1.37 MB |
| 10 MB | ~13.7 MB |
For large files, this expansion is significant. For small files or short tokens, it doesn't matter.
Where Base64 Is Used
Data URIs in HTML/CSS: Embed small images directly in the markup.
<img src="data:image/png;base64,iVBORw0KGgoAAAANS...">background-image: url("data:image/svg+xml;base64,PHN2Zy...");Useful for tiny images (icons, sprites) where avoiding a separate HTTP request matters. For larger images, the file size penalty outweighs the request savings.
Email attachments (MIME): Email was designed for 7-bit text. To attach a PDF or image, the email client Base64-encodes the file and embeds it in the message body. The receiving client decodes it.
JSON web tokens (JWT): A JWT consists of three Base64-encoded sections separated by dots. The encoding makes the token URL-safe and easy to transmit in HTTP headers.
Basic Authentication: HTTP basic auth Base64-encodes username:password in the Authorization header. Note: this is NOT secure; anyone seeing the encoded string can decode it instantly. Use HTTPS to make it transport-secure.
Configuration files: YAML, JSON, and INI files sometimes need to embed binary blobs (certificates, keys, small files). Base64 lets them sit as text values.
API payloads: When an API needs to accept a small binary payload through a JSON body, Base64 is the standard encoding.
Base64 Variants
The standard Base64 uses + and / as the two extra characters. Some variants change this:
- Base64URL (RFC 4648): uses
-and_instead, so the output is safe in URLs without further encoding. Used in JWTs. - MIME Base64: standard Base64 with line breaks every 76 characters, for email compatibility.
Different variants are not interchangeable; decode with the right variant for the source.
Base64 Is Not Encryption
The most common misunderstanding: Base64 is not security. It's a transcription, not a transformation. Anyone with the encoded string can decode it to the original in under a second using any Base64 decoder.
A password "MyP@ssw0rd" in Base64 is "TXlQQHNzdzByZA==". Anyone who copies that string can decode it instantly. To protect a password, you need actual encryption (AES, RSA) or hashing (bcrypt, Argon2).
Base64 is sometimes used inside a larger encryption scheme (e.g., the encrypted bytes are Base64-encoded for transport). The encryption protects the content; the Base64 just makes it text-safe.
Common Mistakes
Using Base64 for security. It's reversible by anyone, instantly.
Forgetting padding. Some decoders are strict about = padding; others tolerate missing padding. Inconsistent handling can cause errors.
Using standard Base64 in a URL. The + and / characters are special in URLs. Use Base64URL (with - and _) for URL-embedded data.
Embedding large images as Base64 data URIs. Inflates HTML/CSS file size, reduces caching efficiency. Use real image files for anything above ~10 KB.
Confusing Base64 with hex encoding. Both convert binary to text. Hex is 50% expansion (2 chars per byte) and uses only 16 characters; Base64 is 33% expansion with 64 characters.
Treating Base64 output as compressed. Base64 is always larger than the input, never smaller.
Practical Scenarios
Scenario 1: Embedding a small icon. A 1 KB SVG icon as a Base64 data URI: ~1.37 KB. Eliminates one HTTP request, simplifies deployment. Worth it for very small assets.
Scenario 2: API request with file. Mobile app uploads a profile photo via JSON API. Read photo as bytes → Base64-encode → put in JSON body. Server decodes back to bytes and saves.
Scenario 3: Email with attachment. Email client wraps a 5 MB PDF in Base64 (becomes ~6.8 MB), sends. Receiving client decodes back to the original 5 MB PDF.
Scenario 4: Storing a secret in environment config. A YAML config needs to embed a TLS certificate. Base64-encode the certificate, store as a single string value. Application decodes at runtime.
Scenario 5: JWT. A 200-byte JSON payload becomes a ~280-character Base64URL string. Compact, URL-safe, includes a signature.
Hex vs Base64
| Feature | Hex (Base16) | Base64 |
|---|---|---|
| Characters | 0–9, A–F (16 total) | A-Z, a-z, 0-9, +, / (64 total) |
| Expansion | 100% (2x size) | 33% |
| Readability | Easier for humans | Less readable |
| Common uses | Color codes, hashes, low-level data | Binary in text contexts |
| Case sensitivity | Often case-insensitive | Case-sensitive |
Both are valid choices for binary-to-text encoding. Base64 wins for efficiency; hex wins for human readability and debugging.
FAQ
What does Base64 do? It converts binary data (bytes) into ASCII text using 64 safe characters, so binary can travel through systems that only handle text reliably.
Is Base64 encryption? No. Base64 is just a reversible encoding scheme. Anyone can decode it instantly without a key. It is not a security mechanism.
Is Base64 compression? No. Base64 makes data larger, not smaller, by about 33%.
When should I use Base64? When you need to embed binary data inside a text format: email attachments, JSON payloads, data URIs in HTML/CSS, tokens, or text-only storage systems.
Why is Base64 33% larger? It uses 4 output characters to represent 3 input bytes. 4/3 = 1.33, hence the ~33% expansion. There's no way around this with the 64-character alphabet.
What's the difference between Base64 and Base64URL? Standard Base64 uses + and / characters. Base64URL replaces them with - and _ so the output is safe to use in URLs without additional encoding. Common in JWTs and OAuth tokens.
Can I decode Base64 by hand? In principle yes, but it's tedious. The standard alphabet has 64 characters; each represents 6 bits. Group them into sets of 4, convert each character to its 6-bit value, concatenate, then split into bytes. Easier to use a converter.
Related Tools
The Base64 Encoder and Base64 Decoder handle conversions in both directions. The Image to Base64 converter is specifically for creating data URIs from images. For URL-safe encoding, see the URL Encoder.
Related Articles
Final Thoughts
Base64 is one of those infrastructure-level tools you barely notice until you need it, then it's everywhere. The trade-off is simple: 33% size penalty in exchange for safe transport through text-only systems. Once you know what it is (encoding, not encryption) and where it shows up (emails, tokens, data URIs, JSON), the mental model is complete. The trickier skill is knowing when not to use it: anywhere a real binary channel is available, raw binary is faster and smaller.