You’ve probably encountered Base64 without realising it — in JWT tokens, HTML data URIs, API authentication headers, or email attachments. It looks like random text (SGVsbG8gV29ybGQ=) and seems mysterious, but the concept behind it is actually quite simple. This guide explains what Base64 encoding is, why it exists, how it works, and where you’ll use it as a developer.

⚠️ Important first note: Base64 is encoding, not encryption. Anyone can decode a Base64 string instantly. It provides zero security. Never use Base64 to protect sensitive data — use proper encryption for that.

What is Base64?

Base64 is a way of converting binary data (bytes) into a text format using only 64 "safe" printable ASCII characters. Those characters are: A–Z, a–z, 0–9, plus sign (+), and forward slash (/), with the equals sign (=) used for padding.

The reason it exists is simple: many systems that handle text — email protocols, URLs, JSON fields, HTML attributes — can break or corrupt binary data. Base64 converts that binary data into plain ASCII text that travels safely through any text-based system.

The 64-character alphabet

  • Index 0–25: uppercase letters A through Z
  • Index 26–51: lowercase letters a through z
  • Index 52–61: digits 0 through 9
  • Index 62: plus sign +
  • Index 63: forward slash /
  • Padding: equals sign =

How the Encoding Works

The process isn’t magic — it’s just bit manipulation. Here’s what happens step by step when you Base64-encode the word "Hi":

1. Convert text to bytes

H = 72 in ASCII = 01001000 in binary. i = 105 in ASCII = 01101001 in binary.

2. Regroup into 6-bit chunks

Take the 16 bits of "Hi" — 01001000 01101001 — and regroup into 6-bit groups: 010010 000110 1001xx (padded with zeros). Since 16 bits doesn’t divide evenly into 6-bit groups, we pad to 18 bits: 010010 000110 100100.

3. Map each 6-bit value to a character

010010 = 18 → S. 000110 = 6 → G. 100100 = 36 → k. The fourth character slot needs padding since we only have 3 groups for a 2-byte input. Add =.

4. Result

"Hi" encoded in Base64 is SGk=. The = at the end indicates padding — it tells the decoder that the last group of bits was shorter than a full 6 bits.

💡 The 33% overhead rule: Every 3 bytes of input becomes 4 characters of Base64 output. That’s a 33% size increase. A 300 KB image embedded as a Base64 data URI becomes roughly 400 KB. For inlining small icons this is fine; for large images it’s not efficient.
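The four steps and the overhead rule above, carried out by hand in Python. This is an added example, not code from the original guide; the function names are chosen for this illustration.

```python
# Standard Base64 alphabet: index 0-25 A-Z, 26-51 a-z, 52-61 0-9, 62 '+', 63 '/'.
ALPHABET = (
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
    "abcdefghijklmnopqrstuvwxyz"
    "0123456789+/"
)


def sextets(data: bytes) -> list:
    """Step 2: the input bits regrouped into zero-padded 6-bit strings."""
    bits = "".join(f"{byte:08b}" for byte in data)
    bits += "0" * (-len(bits) % 6)  # pad the last group up to 6 bits
    return [bits[i:i + 6] for i in range(0, len(bits), 6)]


def b64encode_manual(data: bytes) -> str:
    """Steps 1-4: encode bytes using only shifts, masks and the alphabet."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        # Pack up to 3 bytes into one 24-bit integer, zero-filling what is missing.
        n = int.from_bytes(chunk + b"\x00" * (3 - len(chunk)), "big")
        # Split into four 6-bit indices, most significant first.
        indices = [(n >> shift) & 0x3F for shift in (18, 12, 6, 0)]
        # A chunk of k bytes carries k + 1 real characters; the rest is '='.
        keep = len(chunk) + 1
        out.append("".join(ALPHABET[j] for j in indices[:keep]) + "=" * (4 - keep))
    return "".join(out)


def encoded_len(n_bytes: int) -> int:
    """Padded output length: 4 characters for every started group of 3 bytes."""
    return 4 * ((n_bytes + 2) // 3)


if __name__ == "__main__":
    print(sextets(b"Hi"))
    print(b64encode_manual(b"Hi"))
    print(encoded_len(300 * 1024) // 1024, "KB")
```
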

Base64 Variants

| Variant | Special chars | Padding | Used For |
|---|---|---|---|
| Standard Base64 | + and / | Required = | Email attachments, general encoding |
| Base64URL | - and _ | Optional | JWT tokens, URL parameters, filenames |
| MIME Base64 | + and / | Required, line breaks at 76 chars | Email MIME encoding |

Real-World Uses in 2026

Embedding images in HTML and CSS

Data URIs let you embed images directly into HTML or CSS without a separate HTTP request. This is useful for small icons or inline SVGs where the overhead of an extra network round-trip outweighs the 33% size increase: <img src="data:image/png;base64,iVBORw...">

HTTP Basic Authentication

The HTTP Basic Auth header sends credentials as Base64: Authorization: Basic dXNlcjpwYXNz. Decoding that gives user:pass. This is why Basic Auth over plain HTTP is completely insecure — anyone intercepting the request can decode it in seconds. Always use HTTPS.

JWT tokens

JSON Web Tokens use Base64URL encoding for both the header and payload sections. The familiar format xxxxx.yyyyy.zzzzz consists of a Base64URL-encoded header, payload, and signature. Decoding the first two parts reveals the token data — another reminder that Base64 is not encryption.
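What an observer can read from the Basic Auth header and the JWT described above, with no key involved. This is an added Python example, not code from the original guide; the function names, the Bearer header wrapping and the sample token (whose third part is a placeholder, not a real signature) are constructed for illustration.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    """Decode Base64URL, restoring the '=' padding that JWTs leave out."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def reveal_authorization(header_value: str) -> dict:
    """Return everything readable from an Authorization header value without a key."""
    scheme, _, credential = header_value.partition(" ")
    scheme = scheme.lower()
    if scheme == "basic":
        decoded = base64.b64decode(credential).decode("utf-8")
        user, _, password = decoded.partition(":")
        return {"scheme": "basic", "username": user, "password": password}
    if scheme == "bearer" and credential.count(".") == 2:
        header, payload, _signature = credential.split(".")
        # Decoding only reads the claims. It does not verify the signature,
        # so this output says nothing about whether the token is genuine.
        return {
            "scheme": "bearer-jwt",
            "header": json.loads(b64url_decode(header)),
            "payload": json.loads(b64url_decode(payload)),
        }
    return {"scheme": scheme, "opaque": True}


def make_sample_jwt() -> str:
    """Constructed token for the demo; 'c2lnbmF0dXJl' stands in for a signature."""
    def enc(obj) -> str:
        raw = json.dumps(obj).encode("utf-8")
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")
    return ".".join([enc({"alg": "HS256", "typ": "JWT"}),
                     enc({"sub": "alice", "admin": False}),
                     "c2lnbmF0dXJl"])


if __name__ == "__main__":
    print(reveal_authorization("Basic dXNlcjpwYXNz"))
    print(reveal_authorization("Bearer " + make_sample_jwt()))
```
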

Sending binary data in JSON APIs

JSON only supports text. If an API needs to accept or return binary data (like an image or PDF), the binary is encoded as a Base64 string inside the JSON payload. Modern AI image APIs, for example, often accept images as Base64-encoded strings in the request body.


Quick Code Examples

Here’s how to encode and decode Base64 in the most common languages:

JavaScript (browser or Node.js):

// Encode
const encoded = btoa('Hello World'); // SGVsbG8gV29ybGQ=
// Decode
const decoded = atob('SGVsbG8gV29ybGQ='); // Hello World

Python:

import base64
encoded = base64.b64encode(b'Hello World')  # b'SGVsbG8gV29ybGQ='
decoded = base64.b64decode('SGVsbG8gV29ybGQ=')  # b'Hello World'

PHP:

$encoded = base64_encode('Hello World'); // SGVsbG8gV29ybGQ=
$decoded = base64_decode('SGVsbG8gV29ybGQ='); // Hello World

Frequently Asked Questions

No. Base64 is encoding, not encryption. Anyone can decode a Base64 string in seconds without any key or password. Never use it to protect sensitive data. Use proper encryption algorithms (AES for data at rest, TLS for data in transit) for actual security.

Key Takeaways

Base64 is a practical tool for a specific problem: safely transporting binary data through text-based systems. Understanding it demystifies a lot of things you see as a developer — JWT tokens suddenly make sense, HTTP Basic Auth headers become readable, and data URI images in stylesheets stop looking like magic.

Just remember the three golden rules: Base64 is not encryption, it adds ~33% size overhead, and Base64URL is the version you want for anything that goes in a URL.
