Base64 Encoding Explained: What It Is and When to Use It
Base64 converts binary data to ASCII text, enabling it to be transmitted in text-only environments like email, JSON, and HTML. Here's how it works and when to use it.
Advertisement
Base64 is an encoding scheme that converts binary data into a sequence of ASCII characters — the 64 characters that are safe in virtually every text-based system. It was not designed for security or compression; it increases data size by approximately 33%. Its purpose is transmissibility: getting binary data safely through systems designed only for text.
What Is Base64?
The 64 characters used in standard Base64 are: A-Z (26), a-z (26), 0-9 (10), + and /. These are characters that existed in all early character sets and were safe in SMTP email, HTTP headers, URLs, XML, and HTML. The = character is used as padding to make the output length a multiple of 4 characters.
How Base64 Encoding Works
- Take the input bytes (binary data or UTF-8 text)
- Group bytes into 3-byte (24-bit) chunks
- Split each 24-bit chunk into four 6-bit groups
- Map each 6-bit group to one of the 64 Base64 characters
- Add '=' padding if the last chunk has fewer than 3 bytes
- Result: every 3 bytes of input becomes 4 ASCII characters
33% size overhead
Base64 encoding increases data size by approximately 33% — 3 bytes become 4 characters. This is why you should only use Base64 for embedding small resources (icons, fonts under 10 KB) in data URIs. Larger resources are better served as separate HTTP requests.
Common Use Cases
- HTTP Basic Authentication — credentials encoded as Base64 in Authorization headers
- Email attachments — MIME standard requires Base64 encoding of binary attachments
- Data URIs — embedding small images, fonts, or SVGs directly in HTML/CSS
- JSON payloads — transmitting binary data (images, files) in JSON REST APIs
- JWT tokens — the header and payload of a JSON Web Token are Base64URL-encoded
- Cryptographic key exchange — keys and certificates are often transmitted as Base64 PEM blocks
URL-Safe Base64
Standard Base64 uses + and / characters, which have special meaning in URLs. URL-safe Base64 (also called Base64URL) replaces + with - and / with _, making the output safe to include directly in URLs and filenames without percent-encoding. JWT tokens use Base64URL. When using Base64-encoded data in query parameters or file names, always use the URL-safe variant.
Data URIs: Embedding Images in CSS/HTML
A data URI embeds a resource directly in an HTML/CSS document using the format: data:[mediatype];base64,[data]. For example: <img src='data:image/png;base64,iVBORw0KGgo...'/>. This eliminates one HTTP request but increases HTML/CSS file size. Use for small resources (icons, sprites under 5 KB) to reduce HTTP requests; avoid for anything larger.
Encode or decode Base64 free
Encode text and files to Base64, or decode Base64 strings back to text.
Frequently Asked Questions
Is Base64 a form of encryption?
No. Base64 is encoding, not encryption. Encoded data is trivially decodable by anyone — it provides zero security. Never use Base64 to 'protect' sensitive data. Use proper encryption (AES-256) for data that must be kept confidential.
Why do JWT tokens use Base64?
JWT tokens consist of three Base64URL-encoded parts separated by dots. The header and payload are Base64URL-encoded (not encrypted) to make them URL-safe and compact for use in Authorization headers and URL query parameters. The third part (signature) verifies the token hasn't been tampered with — but the payload is readable by anyone with the token.
How do I convert a file to Base64?
Upload the file to our Base64 Encoder tool and it converts it to a Base64 data URI. Alternatively, in JavaScript use FileReader.readAsDataURL() for browser-side conversion, or Buffer.from(data).toString('base64') in Node.js.