Base64 Encoding Explained: What It Is and When to Use It

Base64 is one of those things that appears constantly in web development without anyone stopping to explain what it actually is. You see it in JWT tokens, email headers, CSS data URIs, and API credentials. Here's the complete picture.

What Base64 Actually Does

Base64 is an encoding scheme, not encryption. It converts arbitrary binary data into a string made up of only 64 printable ASCII characters: A–Z, a–z, 0–9, +, and / (with = for padding).

The reason this exists is historical: many systems that were designed to handle text — email protocols, HTTP headers, XML, HTML attributes — would corrupt or misinterpret raw binary data. Base64 sidesteps the problem by converting binary to a safe character set that survives transport through any text-based system.

How It Works

Base64 takes every 3 bytes of input (24 bits) and splits them into 4 groups of 6 bits each. Each 6-bit group maps to one of the 64 printable characters. This is where the name comes from: 2⁶ = 64 possible values per character.

The side effect is a 33% size increase. Three bytes in becomes four characters out. For small values like API keys this is irrelevant, but for large binary files it's worth noting.

Common Use Cases

• JWTs (JSON Web Tokens) — the header and payload sections of a JWT are Base64url encoded (a variant that uses - and _ instead of + and / to be URL-safe)
• Data URIs in CSS/HTML — embedding small images or fonts directly in a stylesheet as data:image/png;base64,... eliminates an extra HTTP request
• Email attachments — the MIME standard uses Base64 to send binary files (images, PDFs) through email servers designed for text
• Basic Auth headers — HTTP Basic Authentication sends credentials as Base64(username:password) in the Authorization header
• API keys and secrets — random bytes from a cryptographic source are often Base64 encoded for readability when stored or transmitted

What Base64 Is Not

Base64 is not encryption and provides no security. Anyone can decode it in seconds. Never use Base64 to "hide" sensitive data — use proper encryption for that. The confusion is common because encoded strings look scrambled, but decoding them requires no key and no special knowledge.

Similarly, Base64 isn't compression. The output is always larger than the input.

URL-Safe Base64

Standard Base64 uses + and /, which have special meanings in URLs. URL-safe Base64 (Base64url) replaces them with - and _ so the encoded value can appear in query strings and path segments without percent-encoding. You'll see this in JWTs and OAuth tokens.

Need to encode or decode Base64 right now? Try our Base64 Encoder/Decoder — works in your browser, nothing is sent to a server.