Skip to main content
B
Benrio
← Back to guides
Encoding7 min readMay 2026

Understanding Base64 Encoding

A deep dive into Base64 encoding — how the algorithm works, when to use it for data URIs and APIs, and why it's not encryption.

Base64 is one of those technologies that developers encounter constantly but rarely think deeply about. It appears in data URIs, email attachments, JWT tokens, API responses, and countless other places. Understanding how it works and when to use it will make you a more effective developer.

What Is Base64?

Base64 is a binary-to-text encoding scheme that represents binary data using a set of 64 ASCII characters. It was designed to safely transmit binary data through systems that only support text — such as email protocols (SMTP), URLs, and JSON payloads. The encoding uses the characters A–Z, a–z, 0–9, plus (+), and forward slash (/), with the equals sign (=) used for padding.

The name "Base64" refers to the 64-character alphabet used. Just as Base10 (decimal) uses 10 digits and Base16 (hexadecimal) uses 16 characters, Base64 uses 64 characters to represent data. This makes it more space-efficient than hexadecimal while remaining safely within the ASCII printable character range.

How the Encoding Algorithm Works

The Base64 algorithm processes input data in groups of three bytes (24 bits). These 24 bits are then divided into four groups of 6 bits each. Each 6-bit group maps to one of the 64 characters in the Base64 alphabet. Here's the step-by-step process:

  1. Take three bytes of input (24 bits total)
  2. Split into four 6-bit groups
  3. Map each 6-bit value (0–63) to the corresponding Base64 character
  4. If the input isn't divisible by 3, add padding with = characters

For example, the text "Hi" in ASCII is represented by bytes 72 and 105. In binary: 01001000 01101001. Since we need groups of three bytes, a zero byte is appended. The 24 bits are split into four 6-bit groups, mapped to the Base64 alphabet, and the result is "SGk=" — the trailing = indicates one byte of padding was needed.

The Size Overhead

Because every 3 bytes of input become 4 bytes of output, Base64 encoding increases data size by approximately 33%. A 1 MB file becomes about 1.33 MB when Base64 encoded. This overhead is the tradeoff for text-safe transmission. For small payloads like icons or configuration values, the overhead is negligible. For large files, it can be significant and alternative approaches should be considered.

When to Use Base64

  • Data URIs: Embed small images directly in HTML or CSS with data:image/png;base64,...
  • Email attachments: MIME encoding uses Base64 to attach binary files to text-based email protocols
  • API payloads: Send binary data within JSON responses that only support text
  • JWT tokens: The header and payload sections of JWTs are Base64url encoded
  • Basic authentication: HTTP Basic Auth encodes credentials as Base64 (username:password)
  • Storing binary in text formats: Configuration files, XML documents, or databases that only accept text

When NOT to Use Base64

Base64 is frequently misused. Here are common mistakes:

  • Not encryption: Base64 provides zero security. Anyone can decode it instantly. Never use it to "hide" sensitive data.
  • Not compression: It makes data 33% larger, not smaller.
  • Large files: For images over a few KB, a separate HTTP request is usually better than an inline data URI.
  • When binary transport is available: If your protocol supports binary (like HTTP with multipart/form-data), use that instead.

Base64 Variants

The standard Base64 alphabet uses + and / which are problematic in URLs. Base64url replaces these with - and _ and typically omits padding. This variant is used in JWTs, URL parameters, and filenames. Other variants exist for specific protocols — MIME Base64 adds line breaks every 76 characters for email compatibility.

Common Misconceptions

The biggest misconception about Base64 is that it provides security. Developers sometimes Base64 encode API keys or passwords thinking this obscures them. It does not — Base64 is trivially reversible by anyone. If you need to protect data, use proper encryption (AES, RSA) or hashing (bcrypt, argon2).

Another misconception is that Base64 is slow or computationally expensive. In practice, Base64 encoding and decoding is extremely fast — modern implementations process gigabytes per second. The real cost is the 33% size increase, not CPU time.

Base64 in JavaScript

In browsers, you can use btoa() to encode and atob() to decode Base64 strings. In Node.js, use Buffer.from(data).toString('base64') for encoding and Buffer.from(encoded, 'base64') for decoding. Note that btoa() only handles Latin-1 characters — for Unicode text, you need to encode to UTF-8 bytes first.

Try it yourself:

Base64 Encoder / Decoder