You've seen it in API tokens, data URIs, email headers, and JWT payloads. That long string of letters, numbers, pluses, and slashes that looks like someone mashed a keyboard — that's Base64. It's everywhere in web development, and understanding how it works clears up a lot of confusion about encoding, encryption, and data transport.
What Base64 Actually Does
Base64 converts binary data into a text-safe representation using 64 printable ASCII characters: A-Z, a-z, 0-9, +, and /. The = sign is used for padding at the end.
Here's the core idea: many systems (email, URLs, JSON, XML) are designed to handle text, not arbitrary binary data. If you try to shove raw bytes into a JSON string, you'll hit null bytes, control characters, and encoding issues. Base64 gives you a safe way to represent any binary data as plain text.
A simple example:
Text: "Hello"
Base64: "SGVsbG8="
Try it yourself with our Base64 Encoder — paste any text and see the encoded result instantly.
How Base64 Encoding Works
The algorithm is straightforward:
- Take the input bytes
- Group them into chunks of 3 bytes (24 bits)
- Split each 24-bit chunk into four 6-bit groups
- Map each 6-bit value (0-63) to one of the 64 characters
- If the input length isn't divisible by 3, pad with
=
Let's trace through "Hi":
Characters: H i
ASCII: 72 105
Binary: 01001000 01101001
Group into 6-bit chunks: 010010 000110 1001xx (pad with zeros)
Map to Base64 alphabet: S, G, k → plus = padding.
Result: SGk=
The padding = tells the decoder "the last group was incomplete." One = means 2 bytes were encoded in the final group; == means only 1 byte.
Why Base64, Not Hex?
Hex encoding (converting each byte to two hex digits) also produces text-safe output. So why do we use Base64?
Efficiency. Hex encoding expands data by 100% — every byte becomes two characters. Base64 only expands by about 33%. For a 1 MB file:
| Encoding | Output Size | |----------|-------------| | Raw binary | 1,000 KB | | Base64 | 1,333 KB | | Hex | 2,000 KB |
When you're embedding images in HTML or sending attachments in email, that 33% vs 100% overhead makes a real difference.
You can compare the outputs yourself: encode the same text with our Base64 Encoder and Hex Encoder to see the size difference.
Common Uses of Base64
Data URIs
Instead of referencing an external image file, you can embed it directly in HTML or CSS:
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEU..." />
This eliminates an HTTP request at the cost of larger HTML. It makes sense for small icons and SVGs (under ~2KB), but not for large images — the 33% size increase plus the loss of caching makes it counterproductive.
Email Attachments (MIME)
Email was designed for 7-bit ASCII text. Attaching a PDF, image, or any binary file requires encoding it as text first. MIME (Multipurpose Internet Mail Extensions) uses Base64 for this. When you "attach" a file to an email, your mail client Base64-encodes it behind the scenes.
JWT Tokens
JSON Web Tokens consist of three Base64URL-encoded segments separated by dots:
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U
Each segment is a Base64-encoded JSON object. The "URL" variant replaces + with - and / with _ to avoid conflicts with URL syntax.
Base64 is encoding, not encryption. Anyone can decode a JWT payload — there's no secret involved in the decoding step. The signature (third segment) provides integrity verification, but the contents are readable by anyone.
API Authentication
Many APIs use Base64 for HTTP Basic Authentication. The username and password are combined as username:password, Base64-encoded, and sent in the Authorization header:
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
Decode dXNlcm5hbWU6cGFzc3dvcmQ= and you get username:password. Again — this is encoding, not encryption. Always use HTTPS with Basic Auth.
Base64 Is Not Encryption
This is the most common misconception. Base64 provides zero security. It's a reversible encoding scheme, like converting between Celsius and Fahrenheit. Anyone with a decoder (including our Base64 tool) can read the original data.
If you see a "secret" value that's Base64-encoded, it's not protected. Kubernetes secrets, for example, are Base64-encoded by default — this is for transport safety, not confidentiality.
Base64 Variants
The standard Base64 alphabet can cause issues in certain contexts:
Base64URL replaces + with - and / with _. Used in URLs, filenames, and JWTs where the standard characters have special meaning. Padding (=) is often omitted.
MIME Base64 inserts line breaks every 76 characters. Required by the MIME standard for email, but unnecessary (and often unwanted) elsewhere.
Base32 uses 32 characters (A-Z, 2-7) instead of 64. Less efficient (60% overhead) but produces output that's case-insensitive and avoids confusing characters. Used in TOTP codes (Google Authenticator) and some file systems.
Related Encoding Schemes
Base64 isn't the only way to represent binary data as text:
Hexadecimal — uses 0-9 and A-F. Less space-efficient but easier to read and debug. Common in color codes (#FF5733), MAC addresses, and hash outputs. Try our Hex Encoder.
Binary — the raw 0s and 1s. Educational, but impractical for actual data transfer. See it in action with the Binary Converter.
URL encoding — represents unsafe URL characters as percent-encoded values (%20 for space). Different purpose than Base64 but often confused with it. Our URL Encoder handles this.
Try It Yourself
Next time you encounter a mysterious Base64 string in a config file or API response, don't reach for a terminal command you'll have to look up. Just paste it in:
- Base64 Encoder/Decoder — encode and decode Base64 instantly
- Hex Encoder/Decoder — convert between text and hexadecimal
- Binary Converter — see the raw binary representation
All processing happens locally in your browser. Your data stays private.