What Is Base64 Encoding?
Base64 is a binary-to-text encoding scheme that converts binary data (bytes) into a string of printable ASCII characters. It was defined in RFC 4648 and is named after the 64 characters it uses as its alphabet: A–Z (26), a–z (26), 0–9 (10), + and / (2) = 64 characters total, plus = as a padding character.
The fundamental purpose: some systems and protocols can only handle ASCII text, not arbitrary binary data. Base64 bridges this gap by representing binary as text, making it safe to transmit through text-only channels like email headers, HTML attributes, and JSON values.
How Base64 Encoding Works
The encoding algorithm takes 3 bytes (24 bits) of input at a time and converts them into 4 Base64 characters:
- Take the first 3 bytes: for example, "Man" = bytes 77, 97, 110
- Convert to binary: 01001101 01100001 01101110
- Split into 4 groups of 6 bits: 010011 010110 000101 101110
- Convert each 6-bit group to a decimal value: 19, 22, 5, 46
- Look up each value in the Base64 alphabet: T, W, F, u
- Result: "Man" → "TWFu"
If the input length is not a multiple of 3 bytes, the last group is padded with zero bits and = signs are appended: one = means 1 byte of padding (the final group held only 2 bytes), two == means 2 bytes of padding (the final group held only 1 byte).
Why Base64 Strings Are Longer Than the Original
Because 3 bytes become 4 characters, Base64 output is always about 33% larger than the input. A 300 KB image becomes approximately 400 KB as a Base64 string. This overhead is the main trade-off of the format.
Where You Will Encounter Base64 in Web Development
HTTP Basic Authentication
Authorization: Basic dXNlcjpwYXNzd29yZA==
The value after "Basic " is the Base64 encoding of "username:password". Decode it and you get the credentials. This is why HTTPS is essential — Base64 is not encryption; the credentials are trivially recoverable.
Data URIs (Inline Images)
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAA...">
Embedding small images as Base64 data URIs avoids an HTTP round-trip. This is beneficial for critical above-the-fold icons and is commonly used in emails where external image loading may be blocked.
JWT Tokens
JSON Web Tokens consist of three Base64url-encoded parts separated by dots: header.payload.signature. The payload (middle section) contains user claims in Base64url encoding. You can decode the header and payload without a key — only verifying the signature requires the secret.
Environment Variables for Binary Data
TLS certificates, private keys, and other binary files are often Base64-encoded for storage in environment variables (which are text-only). CI/CD platforms like GitHub Actions and Heroku commonly store secrets this way.
Standard Base64 vs. URL-Safe Base64
Standard Base64 uses + and /, which have special meanings in URLs (+ is a space in query strings, / separates URL paths). URL-safe Base64 (RFC 4648 §5) replaces these characters:
- + → - (hyphen)
- / → _ (underscore)
- Padding = signs are often omitted
JWT tokens use URL-safe Base64 without padding. If you are decoding a JWT and getting errors, ensure you are using URL-safe decoding and padding the string to a multiple of 4 characters first.
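The decoding advice above, and the earlier point that a JWT's header and payload can be read without a key, shown as an added example (not code from this page or its tool). The helper names are hypothetical, and the token, secret and claims are constructed for the demo.

```python
import base64, hashlib, hmac, json, re

_B64URL = re.compile(r"[A-Za-z0-9_-]*")  # URL-safe alphabet only, no + / =

def b64url_decode(segment: str) -> bytes:
    """Strictly decode unpadded URL-safe Base64 (RFC 4648 section 5)."""
    if not _B64URL.fullmatch(segment):
        raise ValueError("not unpadded URL-safe Base64")
    if len(segment) % 4 == 1:  # no encoder output ever has this length
        raise ValueError("impossible Base64 length")
    # Restore the omitted padding so the length is a multiple of 4.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def read_jwt_unverified(token: str) -> tuple:
    """Return (header, payload). No key is used, so neither is trusted yet."""
    header_b64, payload_b64, _signature = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)))

def verify_hs256(token: str, secret: bytes) -> bool:
    """Check the HMAC-SHA256 signature; this is the only step needing the secret."""
    signing_input, _, sig_b64 = token.rpartition(".")
    try:
        expected = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
        return hmac.compare_digest(expected, b64url_decode(sig_b64))
    except ValueError:  # malformed signature segment or non-ASCII input
        return False

def make_sample_token(secret: bytes) -> str:
    """Build a constructed HS256 token so the demo runs offline."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps({"sub": "alice", "admin": False}).encode())
    signing_input = f"{header}.{payload}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"

if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    token = make_sample_token(secret)
    print(read_jwt_unverified(token))          # claims readable without the key
    print(verify_hs256(token, secret))         # signature check with the key
    print(verify_hs256(token, b"wrong-key"))   # fails with any other key
```

Treat anything returned by `read_jwt_unverified` as untrusted input until `verify_hs256` succeeds: a payload edited after signing still decodes cleanly, but its signature no longer matches.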
What Base64 Is NOT
- It is not encryption. Anyone with a decoder (including this tool) can immediately read the original data. Never encode sensitive information and call it "secured."
- It is not compression. Base64 makes data 33% larger, not smaller. Do not use it expecting a size reduction.
- It is not hashing. Base64 is fully reversible. Cryptographic hashing (SHA-256, bcrypt) is one-way and is what you want for storing passwords.
Encode and Decode Base64 Instantly
Our free Base64 Encoder/Decoder handles standard Base64, URL-safe Base64, and includes an auto-detect mode that identifies whether your input is Base64-encoded or plain text. No signup required — all encoding and decoding happens locally in your browser.