Base64 Encoding Explained — What It Is, How It Works, and When to Use It
Base64 turns binary data into text. Learn exactly how the encoding works, where developers use it daily, and the common mistakes to avoid.
Every developer encounters Base64 eventually — in data URIs, JWT tokens, API responses, or email headers. It looks like random characters, but the encoding is actually simple and deterministic. Understanding how it works helps you debug issues, optimize performance, and avoid common pitfalls.
What is Base64?
Base64 is a binary-to-text encoding scheme that represents binary data using 64 printable ASCII characters: A–Z, a–z, 0–9, +, and /. The = character is used for padding. It was designed to safely transmit binary data through systems that only handle text — like email (MIME), URLs, and JSON.
How the Encoding Works
The algorithm is straightforward: take 3 bytes (24 bits) of input, split them into 4 groups of 6 bits each, and map each 6-bit value to one of the 64 characters. If the input length is not a multiple of 3, the output is padded with = characters.
- Input: 3 bytes → Output: 4 characters (33% size increase)
- "Hi" (2 bytes) → "SGk=" (padded with one =)
- "Hey" (3 bytes) → "SGV5" (no padding needed)
- "Hello" (5 bytes) → "SGVsbG8=" (one padding character)
Base64 is NOT encryption. It is a reversible encoding. Anyone can decode it. Never use Base64 to "hide" passwords, API keys, or sensitive data.
Where Developers Use Base64 Daily
Data URIs in HTML and CSS
Data URIs let you embed files directly in HTML or CSS without a separate HTTP request. This is useful for small icons, SVGs, and fonts. The format is data:[mime-type];base64,[encoded-data]. For example, a tiny 1×1 transparent PNG is only about 100 characters as a data URI — much faster than a separate network request.
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk+M9QDwADhgGAWjR9awAAAABJRU5ErkJggg==" alt="pixel" />JWT Tokens
JSON Web Tokens (JWTs) consist of three Base64url-encoded parts: header, payload, and signature. When debugging authentication issues, decoding the payload reveals the token's claims — user ID, expiration time, permissions. Note that JWTs use Base64url encoding (replacing + with - and / with _) to be URL-safe.
Email Attachments (MIME)
Email was designed for 7-bit ASCII text. Binary attachments (images, PDFs, documents) must be encoded to travel through email systems. MIME (Multipurpose Internet Mail Extensions) uses Base64 to encode these attachments. Every email attachment you have ever sent was Base64-encoded behind the scenes.
API Payloads
Some APIs accept or return binary data encoded in Base64 within JSON. For example, the GitHub API returns file contents as Base64-encoded strings. Cloud provider APIs often use Base64 for certificate uploads, configuration data, and binary blobs.
Common Mistakes and Pitfalls
- Using Base64 for large files — The 33% size overhead means a 1 MB image becomes 1.33 MB as Base64. For files over a few KB, use proper file hosting instead.
- Confusing encoding with encryption — Base64 provides zero security. It is trivially reversible. Do not use it to protect sensitive data.
- Forgetting about URL safety — Standard Base64 uses + and / characters that have special meaning in URLs. Use Base64url encoding (btoa replacement in modern APIs) for URL contexts.
- Double-encoding — Encoding already-encoded data creates invalid output. Always decode before re-encoding.
- Ignoring Unicode — The browser's btoa() function only handles Latin-1 characters. For Unicode text (emoji, CJK characters), you need to encode to UTF-8 bytes first.
Base64 in JavaScript: The Right Way
JavaScript provides btoa() and atob() for Base64 encoding and decoding, but they only handle Latin-1 strings. For Unicode support, you need to use TextEncoder/TextDecoder:
// Encode Unicode text to Base64
const bytes = new TextEncoder().encode('Hello 🌍');
const binary = String.fromCharCode(...bytes);
const base64 = btoa(binary);
// Decode Base64 back to Unicode
const raw = atob(base64);
const uint8 = Uint8Array.from(raw, c => c.charCodeAt(0));
const text = new TextDecoder().decode(uint8);
// text === 'Hello 🌍'When NOT to Use Base64
- Large files: The 33% overhead adds up. A 10 MB file becomes 13.3 MB.
- Security: Base64 is not encryption. Use proper encryption (AES, RSA) for sensitive data.
- Production images: Use proper image hosting with CDN. Data URIs bypass browser caching.
- Database storage: Store binary data as BLOB, not as Base64 text strings (wastes 33% more storage).
Privacy
Base64 data often contains sensitive content — authentication tokens, personal images, API payloads. Our Base64 Encoder & Decoder runs entirely in your browser. Your data is never transmitted to any server.
Try our free Base64 Encoder & Decoder — encode text or files, decode Base64 strings, and copy ready-to-use data URIs. 100% private, runs in your browser.
Mahdi Moradi
Full-stack software engineer and founder of Bornara AI, building free privacy-first tools at ZipTools. Based in Calgary, Canada.
Try the tool mentioned in this article.
Open base64 encoderRelated articles
How AI Background Removal Works — The Technology Behind Instant Cutouts
Neural networks can separate foreground from background in seconds. Here's how the technology works, why client-side processing matters, and how to get the best results.
WebP vs AVIF vs PNG vs JPEG — The Ultimate Image Format Guide for 2026
Not sure which image format to use? This guide breaks down WebP, AVIF, PNG, and JPEG — file sizes, quality, transparency, browser support, and when to use each one.
How to Make a WiFi QR Code So Guests Connect Instantly
Stop reading your WiFi password out loud. A single printable QR code lets guests join your network in one scan — here is how to make one in under a minute, free and private.