What Is Base64 Encoding and How Does It Work?
Base64 encoding is everywhere — JWTs, data URIs, email attachments, OAuth tokens — but its mechanics are rarely explained clearly. This guide covers why Base64 was invented, exactly how the encoding works, and when (and when not) to use it.
Why Base64 Was Invented
In the early days of email (SMTP, 1982), the protocol was designed to carry 7-bit ASCII text only. Binary attachments — images, executables, compressed files — contain arbitrary byte values including control characters and bytes with the high bit set, which SMTP relays would mangle or strip.
Base64 was created to solve this problem: it maps arbitrary binary data to a safe subset of 64 printable ASCII characters that survive transit through any text-based protocol. The name comes directly from the character set size — 64 characters, each representing 6 bits.
MIME (1992) standardised Base64 as the encoding for email attachments, and from there it spread to every protocol that needed to embed binary data in text: HTTP headers, HTML, CSS, JSON, XML, JWTs, and URLs.
How the Encoding Works: 3 Bytes → 4 Characters
Base64 operates on 3-byte groups (24 bits at a time):
- Take 3 bytes of input (24 bits).
- Split them into four 6-bit groups.
- Map each 6-bit group to one of 64 printable characters using the Base64 alphabet.
Example: encoding the ASCII string Man:
Text: M a n
ASCII: 77 97 110
Binary: 01001101 01100001 01101110
↓ split into 4 × 6-bit groups ↓
010011 010110 000101 101110
19 22 5 46
T W F u
Base64: TWFuThe three-byte input Man produces the four-character output TWFu. This 4/3 ratio is where the ~33% size overhead comes from.
The Base64 Alphabet
The 64 characters are: A–Z (values 0–25), a–z (26–51), 0–9 (52–61), + (62), and / (63). Padding uses =.
These 64 characters were chosen because they are present in every ASCII-compatible character set and are safe to transmit through any text-based protocol.
Standard vs URL-Safe Base64
The + and / characters in standard Base64 cause problems in URLs: + means space in HTML form encoding, and / is a path separator. Embedding a standard Base64 string in a URL without percent-encoding it breaks parsers.
Base64url (URL-safe Base64) solves this by substituting:
+→-/→_- Padding (
=) is typically omitted
Base64url is used in JWTs (the header and payload sections), OAuth 2.0 PKCE code challenges, and anywhere an encoded value appears directly in a URL or filename.
Real-World Uses
Data URIs
Images, fonts, and other binary assets can be embedded directly in HTML or CSS as Base64-encoded data URIs:
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAA..." />This eliminates an HTTP request but increases the page weight by ~33%.
JWTs (JSON Web Tokens)
A JWT is three Base64url-encoded strings joined by dots: header.payload.signature. The header and payload are JSON objects encoded as Base64url (not encrypted — anyone can decode them). Only the signature verifies authenticity.
MIME Email Attachments
Email attachments are Base64-encoded in the MIME envelope so binary files (PDFs, images, executables) can be sent through SMTP, which only handles 7-bit ASCII reliably.
HTTP Basic Authentication
The Authorization: Basic ... header encodes username:password in standard Base64. This is not encryption — anyone who intercepts the header can decode it instantly. Always use HTTPS with Basic Auth.
When NOT to Use Base64
- For security. Base64 is encoding, not encryption. Never use it to obscure sensitive data.
- For large binary transfers. The 33% size overhead makes Base64 inefficient for large files. Send binary data as
multipart/form-dataor via a binary protocol instead. - When the receiver expects binary. If an API endpoint accepts binary blobs directly (most modern REST APIs do via
application/octet-stream), Base64 adds unnecessary overhead.
Encode and Decode Base64 Online
Need to quickly encode or decode a Base64 string without writing code? The Base64 tool on DevEssentials handles text encoding, file encoding, and URL-safe Base64 — all client-side, no data sent to any server.
Ready to encode or decode? Open the Base64 Encoder/Decoder →
Frequently Asked Questions
Does Base64 encoding encrypt data?▾
No. Base64 is encoding, not encryption. It is a lossless, reversible transformation with no secret key involved. Anyone who sees a Base64 string can decode it instantly with any Base64 decoder.
Do not use Base64 to hide sensitive data. If you need confidentiality, use actual encryption (AES-256-GCM, TLS). Base64 only solves the problem of representing binary data as printable text — it provides zero security.
Why does Base64 output end with = or ==?▾
Base64 works in 3-byte (24-bit) chunks, producing 4 output characters per chunk. When the input length is not a multiple of 3, padding characters (=) are appended to make the output length a multiple of 4.
If the input has 1 leftover byte after the last full chunk, two = characters are added. If there are 2 leftover bytes, one = is added. Inputs that are already a multiple of 3 bytes produce no padding at all.
What is the difference between Base64 and Base64url?▾
Standard Base64 uses + and / as its 62nd and 63rd characters, and = for padding. These characters have special meaning in URLs: + means space in form encoding, / is a path separator, and = appears in query strings. Embedding standard Base64 directly in a URL breaks parsers.
Base64url (URL-safe Base64) replaces + with - and / with _, and typically omits the = padding. It is used in JWTs, OAuth 2.0 PKCE, and any context where the encoded string appears directly in a URL or filename.
How much does Base64 increase file size?▾
Base64 encodes every 3 bytes as 4 characters, which means the output is always approximately 33% larger than the input. A 1 MB file becomes about 1.37 MB when Base64-encoded.
This size increase is the main reason not to use Base64 indiscriminately. For large binary files, it's better to send the raw binary via multipart/form-data or a dedicated binary protocol rather than Base64-encoding the entire payload.
When should I use Base64 vs hex encoding?▾
Base64 is more space-efficient: it encodes 6 bits per character vs hex's 4 bits per character. A 16-byte value (e.g. an MD5 hash) is 32 hex characters but only 24 Base64 characters (22 without padding).
Hex is easier to read and debug — each hex pair directly corresponds to one byte, and the relationship is obvious. Use hex for checksums, hash digests, and values that developers need to inspect by eye. Use Base64 when embedding binary in JSON, HTML, CSS, email, or URLs where space matters and human readability is less important.