Base64 Encoding Explained: What It Is and When to Use It
Base64 is one of those topics every developer eventually meets: an image is stored as a huge data:image/png;base64,... URL, a JWT arrives with three chunks separated by dots, an email attachment shows up as ASCII gibberish. This post explains what Base64 actually is, when it earns its keep, and when it's the wrong tool for the job.
The one-sentence definition
Base64 is a way to represent binary data using only 64 printable ASCII characters. Those characters are A–Z, a–z, 0–9, +, and /, with = used for padding.
Why it exists
Lots of systems were designed for text, not raw bytes: SMTP (email), HTTP headers, XML, JSON, URLs. Try to shove a random byte like 0xFE into an email header and you'll get either mangled output or a hard error. Base64 solves this by re-encoding binary as safe text.
The trade-off is size. Every 3 bytes of input become 4 bytes of Base64 output — roughly 33% larger. That's why Base64 is a transport encoding, not a compression format.
How it works, briefly
- Take the input as a stream of bits.
- Group the bits into 6-bit chunks (2⁶ = 64, hence the name).
- Map each 6-bit value to one of the 64 Base64 characters.
- If the input length isn't a multiple of 3 bytes, pad the output with
=so the total length is always a multiple of 4.
That's it. There's no compression, no encryption, no obfuscation — a Base64 string is trivially reversible by anyone with any decoder, including our Base64 tool.
When to use Base64
- Embedding small images in CSS or HTML as data URLs — saves an HTTP request for tiny icons.
- Sending binary in JSON when you can't add a separate multipart upload.
- Signed tokens (JWT). The three JWT segments are Base64URL-encoded JSON.
- Basic Auth headers:
Authorization: Basic <base64(user:pass)>. - Email attachments — this is the original use case.
When NOT to use Base64
- To "hide" secrets. Base64 is not encryption. If someone can read your database, they can decode any Base64 in it in one second.
- For large files. The 33% size overhead crushes throughput. Use multipart uploads or presigned URLs instead.
- As a database primary key. Use UUIDs or plain integers — Base64 IDs are longer and case-sensitive, which surprises URLs and DNS.
Base64 vs Base64URL
Plain Base64 uses + and /, which have special meaning in URLs. Base64URL replaces them with - and _, and drops the padding = characters. JWTs, OAuth tokens, and anything that lands in a query string use Base64URL. If your decoder rejects a JWT with "invalid character", you're probably feeding Base64URL into a plain-Base64 decoder.
Encoding and decoding in every major language
// JavaScript (browser + Node 18+)
btoa("Hello"); // 'SGVsbG8='
atob("SGVsbG8="); // 'Hello'
// Node.js buffer (for binary)
Buffer.from("Hello").toString("base64");
Buffer.from("SGVsbG8=", "base64").toString();
// Python
import base64
base64.b64encode(b"Hello") # b'SGVsbG8='
base64.b64decode("SGVsbG8=") # b'Hello'
// Bash
echo -n "Hello" | base64 # SGVsbG8=
echo "SGVsbG8=" | base64 -d # Hello
Encode or decode right now
Skip the terminal — paste text, files, or images into our Base64 Encoder & Decoder. It runs in your browser, handles UTF-8 correctly, and never uploads your data anywhere.
Keep reading
How to Format JSON in JavaScript (2026 Guide)
Learn every practical way to format, pretty-print, indent, and validate JSON in JavaScript — with copy-paste examples for Node.js and the browser.
How Long Should a Password Be in 2026?
Password length recommendations for 2026 based on modern GPU cracking speeds. Includes a copy-paste rulebook and a free generator.