Base64 Encoding Explained: How It Works and When to Use It
A developer's guide to Base64 encoding. Learn the algorithm, see real examples, understand when to use it (and when not to), and avoid common mistakes.
Try it now - free
Use BriskTool's free tool for this task
Base64 encoding is everywhere in web development — in data URIs, API authentication, email attachments, and JWT tokens. Despite being fundamental, many developers use it without fully understanding how it works or when it is (and is not) appropriate.
The Base64 Algorithm Step by Step
Base64 converts binary data to text using a 64-character alphabet: A-Z, a-z, 0-9, +, and /. Here is how encoding works:
- Convert input to binary: Each byte becomes 8 bits. "Hi" = 01001000 01101001
- Split into 6-bit groups: 010010 000110 100100 (pad with zeros if needed)
- Map each 6-bit value to a character: 18=S, 6=G, 36=k
- Add padding: If the input bytes are not a multiple of 3, add = signs (one or two)
Result: "Hi" encodes to "SGk="
The Base64 Alphabet
| Values | Characters |
|---|---|
| 0-25 | A-Z |
| 26-51 | a-z |
| 52-61 | 0-9 |
| 62 | + (or - in URL-safe variant) |
| 63 | / (or _ in URL-safe variant) |
| Padding | = |
Real-World Use Cases
Data URIs (Inline Images)
Instead of linking to an external image file, you can embed it directly in HTML or CSS:
<img src="data:image/png;base64,iVBORw0KGgo..." />
This eliminates an HTTP request, which can improve performance for small images (under 5 KB). For larger images, separate files are more efficient because they can be cached independently.
HTTP Basic Authentication
The HTTP Basic Auth scheme sends credentials as Base64(username:password) in the Authorization header. Important: this is encoding, not encryption. Without HTTPS, credentials are effectively sent in plain text. Always use Basic Auth only over HTTPS.
JSON Web Tokens (JWT)
JWTs consist of three Base64url-encoded parts separated by dots: header.payload.signature. The header and payload are readable by anyone — the signature provides integrity verification, not confidentiality.
Email Attachments (MIME)
Email was designed for 7-bit ASCII text. Binary attachments (images, PDFs) must be Base64-encoded to travel through email systems. The MIME standard specifies Base64 encoding with line breaks every 76 characters.
Common Mistakes
Using Base64 for "Security"
Base64 is NOT encryption. It is trivially reversible. Do not use it to hide passwords, API keys, or sensitive data. For actual security, use AES-256 encryption, bcrypt/argon2 for passwords, and TLS for data in transit.
Base64-Encoding Large Files
Base64 increases data size by 33%. A 10 MB image becomes 13.3 MB. For large files, use binary transfer methods (multipart/form-data, binary websockets, or direct file upload). Base64 is best for small payloads.
Forgetting URL-Safe Encoding
Standard Base64 uses + and / characters, which have special meaning in URLs. When embedding Base64 data in URLs or filenames, use the URL-safe variant that replaces + with - and / with _.
Base64 in Every Language
| Language | Encode | Decode |
|---|---|---|
| JavaScript | btoa(str) | atob(str) |
| Python | base64.b64encode() | base64.b64decode() |
| Java | Base64.getEncoder().encode() | Base64.getDecoder().decode() |
| Go | base64.StdEncoding.EncodeToString() | base64.StdEncoding.DecodeString() |
| PHP | base64_encode() | base64_decode() |
Try our Base64 encoder/decoder to encode or decode strings and files instantly in your browser.