What Is Base64

Base64 is an encoding scheme that represents binary data as ASCII text. It maps 3 bytes (24 bits) of input into 4 printable characters using an alphabet of 64 characters: uppercase A-Z, lowercase a-z, digits 0-9, plus (+), and forward slash (/).

Important: Base64 is encoding, not encryption. It transforms data into a different format but provides no security. Anyone can decode Base64 instantly with a simple tool.

Why Does Base64 Exist

Binary data often needs to travel through systems that only safely handle text. Base64 solves this problem by converting binary into readable ASCII.

You encounter Base64 in:

  • Email (MIME): Attachments are Base64-encoded before sending
  • JSON: Binary data embedded in JSON payloads
  • HTTP headers: Basic authentication credentials
  • Data URIs: Embedding images directly in HTML/CSS
  • JWT tokens: The payload segment uses Base64url
  • PEM certificates: X.509 certs are Base64-wrapped

How Base64 Works Mechanically

The encoding process converts input bytes into 6-bit groups, then maps each group to a character in the Base64 alphabet.

The Base64 Alphabet:

A-Z (0-25)
a-z (26-51)
0-9 (52-61)
+ (62)
/ (63)
= (padding)

Step-by-step example: Encoding "Man"

Input: M, a, n

ASCII values: M=77, a=97, n=110

Binary (8 bits each):

M: 01001101
a: 01100001
n: 01101110

Group into 6-bit chunks:

010011 010110 000101 101110

Decimal values: 19, 22, 5, 46

Base64 alphabet lookup:

19 = T
22 = W
5  = F
46 = u

Result: TWFu

Padding with the Equals Sign

Input isn't always a multiple of 3 bytes. Padding ensures output length is always a multiple of 4:

  • Input ends with 2 bytes: Add 1 equals sign (e.g., "dG8=")
  • Input ends with 1 byte: Add 2 equals signs (e.g., "YQ==")
  • Input is exact multiple of 3: No padding needed

Example: "Ma" encodes to "TWE=" (one byte short, so one padding character).

Base64url: The URL-Safe Variant

Standard Base64 uses + and / which conflict with URL syntax. Base64url replaces them:

  • + becomes - (hyphen)
  • / becomes _ (underscore)

Base64url is the standard for:

  • JWT tokens: Both the header and payload segments
  • OAuth 2.0: Code challenge in PKCE flows
  • URL parameters: Embedding data in query strings

Many Base64url implementations also omit padding, so you'll see JWTs without trailing = signs.

Where You Encounter Base64

JWT (JSON Web Tokens)

JWTs have three segments separated by periods: header.payload.signature. Each segment is Base64url-encoded.

eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0.signature

HTTP Basic Authentication

Credentials are Base64-encoded and sent in the Authorization header:

Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=

Decoded: username:password

Data URIs

Embed images directly in HTML/CSS without separate file requests:

<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUA...">

PEM Certificates

X.509 certificates wrap Base64 data between BEGIN/END markers:

-----BEGIN CERTIFICATE-----
MIIDXTCCAkWgAwIBAgIJAI...
-----END CERTIFICATE-----

Email MIME Encoding

File attachments are Base64-encoded before transmission over SMTP.

Base64 Is NOT Encryption

Critical security point: Base64 is completely transparent to anyone with a decoder. Never use it to "hide" sensitive data. Always use proper encryption (AES, TLS) for actual security.

If you see sensitive data Base64-encoded, assume it's been exposed.

Character Encoding: UTF-8 and Base64

Base64 works on bytes, not characters. Non-ASCII characters (emoji, accented letters) need UTF-8 encoding first.

In JavaScript, btoa() only accepts single-byte characters. For multi-byte UTF-8:

// Wrong: btoa("café") throws error
// Right: btoa(encodeURIComponent("café"))
// Result: Y2Fmw6k=

Always UTF-8 encode text before Base64 encoding non-ASCII content.

Size Overhead

Base64 expands data by approximately 33%. The formula:

Base64 size = (input size / 3) × 4
= input size × 1.33

A 1 MB file becomes ~1.33 MB when Base64-encoded. This matters for data URIs and email attachments.

Base64 in authentication and tokens

Base64url encoding — the URL-safe variant — is the encoding used throughout JSON Web Tokens (JWTs). A JWT consists of three Base64url-encoded segments separated by dots: the header, the payload, and the signature. Each segment can be decoded independently without any key or secret. The header and payload are plain JSON objects — decoding them reveals the algorithm, token type, and all claims including expiry, issuer, and subject.

This is worth emphasizing: Base64 encoding provides zero confidentiality. A JWT's header and payload are readable by anyone who has the token. The signature verifies integrity (that the token was not tampered with), but it does not conceal the claims. If you need to hide claim data from the token holder, you need JWE (JSON Web Encryption), not JWS (JSON Web Signature, which is what most JWTs use).

The practical consequence: never put sensitive data — passwords, PII, internal system details — in a JWT payload that is delivered to a client, even if the JWT is signed. The client can decode and read those claims. Sign the token to prevent tampering; use encryption if you need confidentiality.

Base64 in HTTP and web protocols

HTTP Basic Authentication: The Authorization header for Basic auth encodes credentials as Base64(username:password). The encoded value is not encrypted — it is trivially decodable. Basic auth only provides confidentiality when used over HTTPS, which encrypts the entire HTTP request including headers. Over plain HTTP, the credentials are visible to any observer on the network path.

Data URIs: A data URI embeds file content directly in an HTML or CSS document using the format data:[mediatype];base64,[encoded-content]. Data URIs are commonly used for small images (icons, logos) to avoid an extra HTTP request. Base64 encoding is required because the URI must be a text string — binary image bytes cannot appear directly in HTML. The 33% size overhead is the trade-off for eliminating the additional request.

Multipart email (MIME): Email was originally designed for ASCII text. MIME (Multipurpose Internet Mail Extensions) defines how to attach binary content — images, PDFs, executables — by Base64-encoding the binary and including it as a text segment in the message body. This is why email clients can receive attachments without the underlying mail transport protocol understanding binary data.

Binary-to-text in APIs: Some APIs accept or return binary data (cryptographic keys, certificates, file content, audio samples) as Base64-encoded strings because their transport format — JSON, XML, query parameters — is text-only. When you see a field in an API response described as "base64-encoded", that is what is happening: binary data serialized as text for a text-based transport.

Common Base64 mistakes

Treating encoding as encryption: Base64 is not a security mechanism. It is reversible without any key. Code that "encodes" a password or secret in Base64 before storing or transmitting it provides no protection — any developer who reads the code or sees the value can reverse it in seconds. Use proper encryption (AES-GCM) or hashing (bcrypt, Argon2) for secrets.

Mixing standard and URL-safe alphabets: Standard Base64 uses + and /; Base64url uses - and _. If you take a JWT segment (Base64url) and pass it to a decoder expecting standard Base64, or vice versa, you will get incorrect output or a decoding error. Always know which alphabet applies for the context you are working in.

Padding errors: Standard Base64 uses = padding characters to make the output length a multiple of 4. Base64url often omits padding. When passing Base64url-encoded data to a library expecting padded standard Base64, you may need to re-add padding: compute (4 - len % 4) % 4 and append that many = characters.

Related Tools

Try it yourself:

  • Base64 Encoder/Decoder — encode and decode Base64 and Base64url strings instantly in your browser
  • JWT Decoder — decode all three Base64url-encoded JWT segments and inspect claims without sending the token anywhere
  • Secure Paste — client-side AES-GCM encryption that uses Base64url encoding for the URL fragment payload

Learn More