Base64 Encoding Explained: How It Works and When to Use It
Published March 15, 2025
What is Base64?
Base64 is a binary-to-text encoding scheme that converts arbitrary binary data into a string of printable ASCII characters. It was designed for situations where you need to transmit binary data through channels that only support text — such as email, URLs, or JSON payloads.
The name "Base64" comes from the fact that the encoding uses an alphabet of exactly 64 characters to represent data. Each character encodes 6 bits of information (26 = 64), compared to the 8 bits in a standard byte. This means Base64-encoded data is about 33% larger than the original binary — a reasonable trade-off for safe text transport.
The Base64 alphabet
The standard Base64 alphabet (defined in RFC 4648) consists of 64 characters plus a padding character:
| Index Range | Characters | Count |
|---|---|---|
0–25 | A–Z | 26 |
26–51 | a–z | 26 |
52–61 | 0–9 | 10 |
62 | + | 1 |
63 | / | 1 |
| Padding | = | — |
A URL-safe variant (Base64url) replaces + with - and / with _ to avoid conflicts with URL-reserved characters.
How encoding works
The encoding process follows three steps:
- Group bytes into triplets — Take the input and read it 3 bytes (24 bits) at a time.
- Split into 6-bit groups — Divide each 24-bit triplet into four groups of 6 bits. Each 6-bit value is a number between 0 and 63.
- Map to characters — Look up each 6-bit value in the Base64 alphabet to produce four output characters.
If the input length is not a multiple of 3 bytes, the final group is padded with zero bits and the output is padded with one or two = characters to signal that the last group was incomplete.
A step-by-step example
Let's encode the string "Hi" into Base64. The ASCII values of the characters are:
H= 72 =01001000i= 105 =01101001
We only have 2 bytes (16 bits), so we pad with 8 zero bits to make a full 24-bit group:
01001000 01101001 00000000
Now split into four 6-bit groups:
| 6-bit Group | Decimal | Base64 Character |
|---|---|---|
010010 | 18 | S |
000110 | 6 | G |
100100 | 36 | k |
000000 | 0 (padding) | = |
The result is SGk=. The trailing = tells the decoder that the last 6-bit group was padding, so only 2 of the original 3 bytes carry real data.
Common use cases
- Data URIs — Embed images directly in HTML or CSS with
data:image/png;base64,iVBOR.... This eliminates an extra HTTP request at the cost of a larger payload. - Email attachments (MIME) — SMTP was designed for 7-bit ASCII text. MIME uses Base64 to encode binary attachments so they can travel safely through email servers.
- JSON Web Tokens (JWT) — JWTs use Base64url encoding for the header and payload segments, allowing them to be safely included in URLs and HTTP headers.
- Embedding binary in XML/JSON — These text-based formats have no native way to carry binary data. Base64 lets you include images, certificates, or encrypted blobs as string values.
Encoding in JavaScript
Browsers provide two built-in functions for Base64:
btoa(string)— encodes a binary string to Base64. Only works with Latin-1 characters. For Unicode strings, you need to encode to UTF-8 first:btoa(unescape(encodeURIComponent(str))).atob(string)— decodes a Base64 string back to binary.
In Node.js, the Buffer class handles Base64 natively:
- Encode:
Buffer.from('Hi').toString('base64')returns"SGk=" - Decode:
Buffer.from('SGk=', 'base64').toString()returns"Hi"
Encoding in Python
Python's standard library includes the base64 module:
- Encode:
base64.b64encode(b'Hi')returnsb'SGk=' - Decode:
base64.b64decode(b'SGk=')returnsb'Hi'
Note that Python's Base64 functions work with bytes objects, not strings. If you have a string, encode it to bytes first: 'Hi'.encode('utf-8'). For URL-safe encoding, use base64.urlsafe_b64encode() and base64.urlsafe_b64decode().
Base64 is not encryption
This is a common misconception worth emphasizing: Base64 is an encoding, not encryption. It provides zero security. Anyone who sees a Base64 string can decode it instantly — there is no key, no secret, and no computational difficulty involved.
You may encounter Base64-encoded values in configuration files, API tokens, or database fields and assume they are "encrypted." They are not. Base64 is simply a way to represent binary data as text. If you need to protect sensitive data, use proper encryption (AES, RSA, etc.) and then optionally Base64-encode the encrypted output for safe transport.
A quick way to verify: if you can decode the value by pasting it into any free online Base64 decoder, it is not encrypted.