📅 Published June 5, 2025✍ Tasbeeh Ullah📅 Last Updated: June 2026⏱ 11 min read
Base64 Encoding Explained: What It Is, How It Works, and When to Use It
TU
Tasbeeh Ullah
Founder & Developer, ToolVerse AI
Tasbeeh Ullah is the founder and developer of ToolVerse AI, where he personally builds, tests, and writes about every tool and guide on the platform. He has spent years developing browser-based web utilities and writing about productivity software and developer tooling, combining hands-on technical knowledge with a commitment to clear, practical content. He personally tests every tool he writes about before publishing.
✓ Reviewed & fact-checked by Tasbeeh Ullah, ToolVerse AI · Last updated June 2026
Base64 Encoding Explained illustrated guide — ToolVerse AI
You've probably seen Base64 if you've ever inspected an HTTP request, looked at an email's raw source, or worked with a web API that handles file uploads. Strings like SGVsbG8gV29ybGQ= are Base64-encoded text, and they appear everywhere in web development without many developers stopping to understand what they actually are and why they exist.
This guide explains Base64 from the ground up — the actual algorithm, why it was invented, where it's used today, and the critical distinction between encoding and encryption.
Step-by-step walkthrough of how Base64 encoding converts binary data to text
What Base64 Is (and Isn't)
Base64 is an encoding scheme, not an encryption scheme. This distinction is critical:
Encoding transforms data from one representation to another. It's reversible with no key required. Anyone who knows it's Base64 can decode it instantly.
Encryption transforms data in a way that requires a secret key to reverse. Without the key, the data cannot be decoded.
Base64 provides zero security. A Base64-encoded string is just as readable to anyone who spots it as the original data — they just need to recognise it and run it through a decoder. Never use Base64 for sensitive data you want to keep private.
Four major real-world applications where Base64 encoding is used daily
Why Base64 Was Invented
Binary data — images, audio files, executable programs — contains all 256 possible byte values (0–255). Many communication protocols and text systems were designed to handle only a subset of these: printable ASCII characters (32–126). Systems like email (SMTP), URL parameters, and early HTTP headers were designed for text and didn't handle arbitrary binary bytes.
Base64 solves this by converting any binary data into a string of only 64 "safe" ASCII characters: A–Z, a–z, 0–9, + and /. This makes binary data safe to transmit through any system that handles text, even systems that might mangle or drop certain byte values.
Base64 adds exactly 33% overhead to file size due to its 3-to-4 byte conversion ratio
How the Base64 Algorithm Works
The algorithm takes binary input 3 bytes at a time (24 bits) and converts them to 4 Base64 characters (6 bits each). Since 3 bytes = 24 bits and 4 × 6 bits = 24 bits, the math works out perfectly.
Step-by-step encoding of "Hi"
"H" = ASCII 72 = binary 01001000
"i" = ASCII 105 = binary 01101001
Together: 0100 1000 0110 1001 (only 2 bytes, so a null byte is padded)
Split into 6-bit groups: 010010 000110 100100 (need padding for the 4th group)
Map each 6-bit group to a Base64 character using the index table: S, G, k... plus a = padding character
Result: SGk=
The = padding characters at the end indicate that the original data wasn't a multiple of 3 bytes.
The Size Overhead
Base64 encoding increases data size by approximately 33%. Every 3 bytes of input becomes 4 Base64 characters. For a 1 MB image, the Base64-encoded version is approximately 1.37 MB. This overhead is a real cost and is one reason to use Base64 selectively rather than universally.
Where Base64 Is Actually Used
1. Embedding Images in HTML and CSS
Instead of referencing an external image file that requires an HTTP request, you can embed the image data directly in HTML or CSS as a Base64 data URI:
This is useful for small icons and images where eliminating HTTP requests outweighs the encoding overhead. For larger images, the 33% size increase and inability to cache the image separately makes external references better.
2. Email Attachments (MIME Encoding)
The MIME (Multipurpose Internet Mail Extensions) standard that enables email attachments uses Base64 to encode binary file data for transmission through email protocols designed for text. When you send a PDF as an email attachment, your email client Base64-encodes it; the recipient's client decodes it. This is transparent to users but happens with every attachment you've ever sent.
3. HTTP Basic Authentication
The HTTP Basic Auth scheme encodes credentials in the Authorization header:
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
Decoding dXNlcm5hbWU6cGFzc3dvcmQ= gives "username:password". This is plaintext over HTTP — only secure over HTTPS, and even then, Basic Auth has better modern alternatives (OAuth, JWT, API keys).
4. JSON API Payloads
JSON is a text format and doesn't support binary data. When APIs need to include binary data (images, files, audio) within a JSON response, they Base64-encode it:
JWT tokens — used for API authentication in most modern web applications — consist of three Base64URL-encoded sections separated by dots: header.payload.signature. The header and payload are just JSON objects encoded in Base64URL (a variant of Base64 that replaces + and / with - and _ to make the token URL-safe). You can decode the header and payload of any JWT without a key — they're not encrypted, just encoded. The signature is what verifies integrity.
6. Storing Binary Data in Databases
Some database fields are typed as text (VARCHAR, TEXT) but need to store binary data. Base64 encoding lets binary data be stored in text columns. This is generally an antipattern — dedicated BLOB/BYTEA columns handle binary better — but you'll encounter it in legacy systems.
URL-Safe Base64 (Base64URL)
Standard Base64 uses + and / characters which have special meanings in URLs. Base64URL is a variant defined in RFC 4648, the IETF specification for Base64 encoding, that replaces + with - and / with _, making the encoded string safe for use in URLs and file names without percent-encoding. JWT tokens use Base64URL. When working with URL parameters or file names, prefer Base64URL.
// Encode
btoa("Hello World") // Returns "SGVsbG8gV29ybGQ="
// Decode
atob("SGVsbG8gV29ybGQ=") // Returns "Hello World"
// For binary data / files, use the FileReader API or TextEncoder
Note: btoa() and atob() only handle ASCII characters. For Unicode strings (characters outside the ASCII range), you need to encode the string as UTF-8 bytes first.
Common Mistakes with Base64
Using Base64 for security. Base64 provides no confidentiality. Anyone who sees Base64-encoded data can decode it in seconds. Use proper encryption (AES, RSA) for data you want to keep private.
Encoding large images inline. The 33% size overhead and inability to cache Base64-embedded images separately from the HTML/CSS file makes this approach inefficient for anything beyond small icons.
Forgetting the data URI prefix. When embedding images, the full format is data:image/png;base64, — not just the raw Base64 string.
Using standard Base64 where URL-safe Base64 is needed. The + and / characters in standard Base64 will be percent-encoded in URLs, breaking the string. Use Base64URL for URL contexts.
Frequently Asked Questions
Is Base64 the same as encryption?
No. Base64 is encoding, not encryption. It transforms data into a different representation but provides no security — anyone can decode it without any key. Encryption (like AES or RSA) transforms data in a way that requires a secret key to reverse. Never use Base64 to protect sensitive information.
Why does Base64 end with = or ==?
Base64 processes input in 3-byte groups. If the input isn't a multiple of 3 bytes, padding is added: one = if there was one leftover byte, two == if there were two leftover bytes. This padding ensures the encoded length is always a multiple of 4 characters. Some Base64 variants omit the padding (Base64URL often does), which is fine as long as the decoder knows to expect no padding.
How do I spot Base64 in the wild?
Base64 strings contain only letters (uppercase and lowercase), digits, + and / (or - and _ in URL-safe variant), and possibly trailing = signs. The length is always a multiple of 4. They often appear in HTTP headers, JWT tokens, email source code, and API responses. Online Base64 decoders (including the ToolVerse AI tool) can quickly confirm whether a suspicious string is Base64.
We use cookies to improve your experience and for analytics. By clicking Accept, you consent to our use of cookies as described in our Privacy Policy. You may Decline non-essential cookies.