Base64 is an encoding scheme that converts binary data into a string of ASCII text using 64 printable characters. The name comes directly from the 64 characters used: A–Z (26), a–z (26), 0–9 (10), and two symbols — typically + and / — giving exactly 64 characters. An = sign is used for padding.
Base64 is not encryption. Anyone can decode a Base64 string instantly without a key. Its purpose is compatibility, not security.
Why Base64 exists
Many systems — email protocols, HTML attributes, JSON fields, XML — were designed to handle text only. Binary data (images, files, certificates) cannot be safely embedded in these text-based formats because certain byte values are interpreted as control characters. Base64 solves this by converting any binary data into a safe subset of ASCII characters that travels through text-only systems without corruption.
The 64 characters
| Range | Characters | Count |
|---|---|---|
| Uppercase | A–Z | 26 |
| Lowercase | a–z | 26 |
| Digits | 0–9 | 10 |
| Symbols | + and / | 2 |
| Total | 64 | |
| Padding | = | not counted |
URL-safe Base64 replaces + with − and / with _ so the output can be used in URLs and filenames without percent-encoding.
How Base64 encoding works — step by step
Encoding the word "Man":
- Convert to ASCII bytes: M = 77, a = 97, n = 110
- Convert to binary: 01001101 01100001 01101110
- Regroup into 6-bit chunks: 010011 010110 000101 101110
- Map each 6-bit value to a Base64 character: T W F u
- Result: TWFu
Every 3 bytes of input produce exactly 4 Base64 characters. If the input length is not divisible by 3, = padding characters fill the remaining space.
Size overhead
Base64 increases data size by approximately 33%. Every 3 bytes become 4 characters. A 1MB image becomes roughly 1.37MB when Base64 encoded. This overhead is the main tradeoff — text compatibility at the cost of size.
When to use Base64
Use it for: embedding small images or fonts in CSS as data URLs; passing binary data in JSON or XML APIs; email attachments encoded as MIME parts; storing binary blobs in databases that only support text; JWT tokens (the header and payload sections are Base64URL encoded).
Do not use it for: large files — the 33% overhead adds up quickly; security — it is not encryption and provides zero protection; compressing data — Base64 makes data larger, not smaller.
How base64 encoding actually works
Base64 works by taking 3 bytes of binary data (24 bits) and splitting them into four 6-bit groups. Each 6-bit group maps to one of 64 characters: A–Z (0–25), a–z (26–51), 0–9 (52–61), + (62), and / (63). This is why base64 output is always roughly 33% larger than the original — 3 bytes become 4 characters.
If the input is not divisible by 3, padding characters (=) are added at the end. One = means one byte of padding was needed; == means two bytes. This is why base64 strings often end with one or two equals signs.
Base64 encoding vs encryption — the most common misconception
Base64 is not encryption. It is not a security measure. Anyone who sees a base64 string can decode it in seconds using any online tool or one line of code. The string 'SGVsbG8gV29ybGQ=' looks unreadable but it is simply 'Hello World' encoded. If you are storing passwords or sensitive data, you need actual encryption (AES, RSA) — not base64 encoding.
The confusion arises because base64 output looks scrambled and unreadable to humans. But it is completely reversible with zero secret key required.
Where base64 is actually used
Base64 appears in more places than most developers realise:
- Email attachments: MIME encodes binary attachments as base64 so they can travel safely through email servers designed for text.
- Data URLs: Images embedded directly in HTML or CSS use base64 so the page loads without an extra HTTP request. Example: src='data:image/png;base64,...'
- JSON APIs: Binary data (images, audio, certificates) cannot be safely sent as raw bytes in JSON. Base64 converts them to a safe string format.
- HTTP Basic Authentication: Credentials are sent as base64 in the Authorization header (though this is not secure without HTTPS).
- JWT tokens: The header and payload of JSON Web Tokens are base64url encoded (a variant that replaces + with - and / with _ to be URL-safe).
- Cryptographic keys and certificates: PEM files (.pem, .crt, .key) store certificates and private keys in base64 format between header/footer lines.
Base64 variants
Standard base64 uses + and / as characters 62 and 63, with = for padding. This causes problems in URLs because + means 'space' in URL encoding and / is a path separator. Two safer variants exist:
- Base64url: Replaces + with - and / with _ and often omits padding. Used in JWTs and OAuth tokens.
- Base32: Uses only uppercase A–Z and 2–7, avoiding all special characters. Used in TOTP authenticator codes (Google Authenticator, Authy).
If you are decoding a JWT or an authenticator code and standard base64 is not working, try the base64url variant.
FAQ
How much larger is base64 output than the original? Base64 output is approximately 33% larger. Every 3 bytes of input become 4 base64 characters. So a 1 MB image becomes roughly 1.33 MB when base64 encoded. This size overhead is why base64 data URLs can slow down page load times for large images.
How do I decode base64 in JavaScript? Use atob() to decode: atob('SGVsbG8=') returns 'Hello'. Use btoa() to encode: btoa('Hello') returns 'SGVsbG8='. For Node.js, use Buffer.from(str, 'base64').toString('utf8') to decode, and Buffer.from(str).toString('base64') to encode.
What is base64url and how is it different from base64? Base64url replaces + with - and / with _ and removes the = padding. This makes the output safe to use in URLs and HTTP headers without percent-encoding. JWT tokens use base64url for their header and payload sections.
Can base64 encode any type of file? Yes. Base64 works on any binary data — images, PDFs, audio files, executables, or any other file type. It simply converts raw bytes to a text-safe format. The encoded output can then be safely stored in JSON, sent in HTTP headers, or embedded in HTML.
Is a base64 string the same length every time for the same input? Yes. Base64 encoding is deterministic — the same input always produces the same output. There is no randomness or key involved, which is another reason why it is not encryption.
