Base64 Encoding Explained: What It Is and When to Use It

What is Base64?

Base64 is an encoding scheme that converts binary data into a string of ASCII characters. It uses 64 characters — A-Z, a-z, 0-9, and + and / — to represent any binary data. The name "Base64" comes from the 64 printable characters used in the alphabet.

Base64 is not encryption. It is simply a way to represent binary data as text. Anyone can decode a Base64 string without a key. Its purpose is encoding, not security.

Why Does Base64 Exist?

Many protocols and systems were originally designed to handle only text (ASCII). Binary data like images, certificates, and files cannot be safely transmitted through these text-only systems without corruption. Base64 solves this by converting binary data to a safe, printable text format.

Common examples of text-only protocols where Base64 is essential:

Email (SMTP/MIME) — attachments are Base64 encoded
HTTP headers — cannot contain raw binary
JSON payloads — must be valid text strings
HTML/CSS data URIs — embed images directly in code
XML documents — binary must be encoded as text

How Base64 Encoding Works

Base64 converts every 3 bytes (24 bits) of binary data into 4 Base64 characters (6 bits each). This is why Base64 encoded data is approximately 33% larger than the original.

Input:  "Man"
Binary: 01001101 01100001 01101110
Groups: 010011 010110 000101 101110
Index:  19     22     5      46
Output: "TWFu"

If the input is not a multiple of 3 bytes, = padding characters are added to complete the final 4-character block.

Standard Base64 vs URL-safe Base64

	Standard Base64	URL-safe Base64
Characters 62–63	`+` and `/`	`-` and `_`
Padding	`=`	`=` or omitted
Safe in URLs	No — `+` means space, `/` is path separator	Yes
Used in	Email, files, general encoding	JWT, URL parameters, filenames

💡 JWT tokens use URL-safe Base64 (also called Base64URL). The header and payload of a JWT are Base64URL encoded, not encrypted.

Common Use Cases

1. Data URIs (Inline Images)

You can embed images directly in HTML or CSS without a separate file request:

<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAA..." />

2. API Payloads

When sending binary files through a JSON API, Base64 is the standard approach:

{
  "filename": "document.pdf",
  "content": "JVBERi0xLjQKJeLjz9MKMTAgMCBvYmoK..."
}

3. Basic Authentication

HTTP Basic Auth encodes credentials as Base64:

Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
// Decodes to: username:password

4. SSL/TLS Certificates (PEM format)

PEM certificate files are Base64 encoded DER certificates wrapped with header/footer lines:

-----BEGIN CERTIFICATE-----
MIIDzTCCArWgAwIBAgIQCjeHZIR4...
-----END CERTIFICATE-----

Base64 in Different Languages

# Python
import base64
encoded = base64.b64encode(b"Hello World")  # b'SGVsbG8gV29ybGQ='
decoded = base64.b64decode(b"SGVsbG8gV29ybGQ=")  # b'Hello World'

// JavaScript
const encoded = btoa("Hello World")  // "SGVsbG8gV29ybGQ="
const decoded = atob("SGVsbG8gV29ybGQ=")  // "Hello World"

// Node.js
const encoded = Buffer.from("Hello World").toString("base64")
const decoded = Buffer.from("SGVsbG8gV29ybGQ=", "base64").toString()

⚠️ Base64 is NOT encryption. Never use Base64 to "hide" passwords or sensitive data. It provides zero security — any developer can decode it instantly.