Base64 Encoding Explained: What It Is, How It Works, and When to Use It

Q: What is the difference between Base64 and Base64url?

Standard Base64 uses '+' and '/' as the 62nd and 63rd characters, and '=' for padding. Base64url replaces '+' with '-' and '/' with '_', making the output safe to include in URLs and filenames without percent-encoding.

Published April 19, 2026 · 10 min read · SnapUtils

If you have worked with web APIs, email attachments, or data URIs, you have almost certainly encountered strings that look like SGVsbG8gV29ybGQ=. That is Base64 encoding — a way to represent arbitrary binary data using only printable ASCII characters. Despite being ubiquitous, Base64 is frequently misunderstood: developers confuse it with compression, mistake it for encryption, or reach for it in contexts where it causes more problems than it solves.

This guide explains exactly what Base64 is, walks through the encoding algorithm step by step, covers every major use case and anti-pattern, and provides copy-ready code examples in JavaScript, Python, and the command line.

What Is Base64?

Base64 is a binary-to-text encoding scheme that converts arbitrary sequences of bytes into a string made up of 64 printable ASCII characters. The name comes directly from that character set size: 64 possible values per character, which is exactly 6 bits (2^6 = 64).

The encoding was standardised in RFC 4648 and is defined as a way to safely transport binary data through systems that were only designed to handle text. Those systems — old mail servers, certain HTTP headers, XML documents — can corrupt raw binary bytes by interpreting control characters, stripping high bits, or converting line endings. Base64 sidesteps all of those problems by restricting the output to a small, universally safe alphabet.

Key facts to remember:

Base64 is an encoding, not encryption. It provides zero security or confidentiality.
It is fully reversible — decoding requires no key or secret.
It increases data size by approximately 33%.
It is a transformation of the same data, not a compression or summary of it.

How Base64 Works

The algorithm takes bytes as input and produces ASCII characters as output. Understanding it requires thinking in binary, but the mechanics are straightforward once you see them in action.

The Core Idea

A standard byte is 8 bits. Base64 works by regrouping the input bits into 6-bit chunks instead of 8-bit chunks. Each 6-bit group maps to one of 64 characters. Because 8 and 6 share a least common multiple of 24, the algorithm processes input in groups of 3 bytes (24 bits) and produces 4 Base64 characters (24 ÷ 6 = 4) per group.

Step-by-Step Walkthrough: Encoding "Man"

Let's encode the ASCII string Man.

Step 1 — Convert each character to its ASCII byte value:

M = 77 = 01001101
a = 97 = 01100001
n = 110 = 01101110

Step 2 — Concatenate the 24 bits:

010011010110000101101110

Step 3 — Split into four 6-bit groups:

010011 | 010110 | 000101 | 101110

Step 4 — Convert each 6-bit group to its decimal index:

010011 = 19
010110 = 22
000101 = 5
101110 = 46

Step 5 — Look up each index in the Base64 alphabet:

19 → T
22 → W
5 → F
46 → u

Result: Man → TWFu. You can verify this yourself in any Base64 tool or with echo -n 'Man' | base64 in a terminal.

Padding with `=`

The algorithm needs input in groups of 3 bytes. When the input length is not a multiple of 3, padding characters (=) are appended to the output to fill the final group to 4 characters. One = means one byte of padding was added; two == means two bytes were padded. This makes the output length always a multiple of 4, which simplifies decoding.

For example, encoding Ma (2 bytes) produces TWE=, and encoding M (1 byte) produces TQ==.

The Base64 Character Set

The standard Base64 alphabet (RFC 4648 §4) uses 65 characters: 64 value characters plus the = padding character.

Index Range	Characters	Count
0 – 25	`A` through `Z` (uppercase)	26
26 – 51	`a` through `z` (lowercase)	26
52 – 61	`0` through `9` (digits)	10
62	`+`	1
63	`/`	1
padding	`=`	—

All 64 value characters are printable ASCII, which means they survive unmodified through any text-safe transport layer. No null bytes, no control characters, no high-bit bytes — just safe, boring text.

Convert Images to Base64 Instantly

Need to embed an image as a data URI? Paste or drop your file into the SnapUtils Image to Base64 converter and get the encoded string — plus the ready-to-use data: URL — in seconds.

Open Image to Base64 Tool

Common Use Cases for Base64

Email Attachments (MIME)

SMTP, the protocol that moves email between servers, was designed in an era of 7-bit ASCII. File attachments — PDFs, images, Word documents — are binary and contain bytes that SMTP would corrupt or reject. MIME (Multipurpose Internet Mail Extensions) solves this by Base64-encoding attachments and marking them with Content-Transfer-Encoding: base64. Every email client from Outlook to Gmail decodes these transparently when you open an attachment.

Data URIs in HTML and CSS

A data URI embeds a resource directly inside an HTML or CSS file using the format data:[mediatype];base64,[encoded-data]. This is useful for small images or icons that would otherwise require a separate HTTP request. The browser decodes the Base64 and renders the resource as if it had been fetched from a URL. See our Data URI guide for a full breakdown of when this technique is worth the tradeoff.

Storing Binary Data in JSON or XML

JSON supports strings, numbers, booleans, arrays, and objects — but not raw binary. If an API needs to transmit an image thumbnail, a cryptographic signature, or a PDF preview inside a JSON payload, Base64 encoding is the standard approach. The binary data becomes a plain string value that JSON can carry without issue.

HTTP Basic Authentication

The HTTP Basic Auth scheme encodes credentials as username:password in Base64 and sends them in the Authorization header: Authorization: Basic dXNlcjpwYXNz. This is not secure on its own — the credentials are trivially decodable — which is why Basic Auth must only be used over HTTPS.

JSON Web Tokens (JWT)

A JWT consists of three Base64url-encoded sections separated by dots: header, payload, and signature. The header and payload are Base64url-encoded JSON objects. The signature is a Base64url-encoded HMAC or RSA signature over the first two parts. Base64url (discussed below) is used instead of standard Base64 because JWTs are embedded in URLs and HTTP headers.

Cryptographic Keys and Certificates

PEM-format certificates and private keys are Base64-encoded DER (binary) data wrapped in -----BEGIN CERTIFICATE----- markers. Tools like OpenSSL, TLS libraries, and SSH all use this format to represent binary cryptographic material as text that can be copied into config files or transmitted over text channels.

When NOT to Use Base64

Base64 is often applied in situations where it is actively harmful. Knowing what not to do matters as much as knowing what to do.

Do Not Use Base64 as Security

Base64 is completely transparent. Decoding SGVsbG8= takes one command. Treating Base64 as obfuscation provides security theater at best and false confidence at worst. If data needs to be confidential, encrypt it with a proper algorithm (AES-GCM, ChaCha20-Poly1305). If it needs to be tamper-evident, sign it with HMAC or a public-key algorithm. Base64 does neither.

Do Not Base64-Encode Large Files for Storage

Storing large binary files as Base64 in a database inflates their size by 33%, makes them unindexable, and forces the entire file into memory on every read. Use an object store (S3, GCS, Cloudflare R2) for large files and store only the URL. Base64 in storage is only appropriate for very small blobs — tiny thumbnails, small cryptographic tokens — where the convenience of keeping everything in one row outweighs the size cost.

Do Not Use Base64 for Passwords

This should go without saying, but it comes up in audits regularly. Base64-encoded passwords are not hashed passwords. They are plain text passwords that look different. Use a purpose-built password hashing function: bcrypt, Argon2, or scrypt.

Avoid Base64 in Hot Paths

Encoding and decoding Base64 has CPU and memory cost. On modern hardware that cost is small, but it is not zero. Embedding large Base64 images in server-rendered HTML that is generated on every request, for example, adds unnecessary CPU pressure and inflates response sizes, increasing time to first byte. Serve images as separate resources with proper caching headers instead.

Base64 in Different Languages

JavaScript (Browser and Node.js)

In the browser, btoa() encodes and atob() decodes. Both operate on strings, not byte arrays, so for arbitrary binary data you need to handle the conversion explicitly.

// Encode a plain string
const encoded = btoa('Hello, World\!');
console.log(encoded); // SGVsbG8sIFdvcmxkIQ==

// Decode back
const decoded = atob('SGVsbG8sIFdvcmxkIQ==');
console.log(decoded); // Hello, World\!

// Encode a Uint8Array (e.g. from a File or fetch response)
function uint8ArrayToBase64(bytes) {
  let binary = '';
  for (const byte of bytes) {
    binary += String.fromCharCode(byte);
  }
  return btoa(binary);
}

// Decode Base64 back to Uint8Array
function base64ToUint8Array(b64) {
  const binary = atob(b64);
  const bytes = new Uint8Array(binary.length);
  for (let i = 0; i < binary.length; i++) {
    bytes[i] = binary.charCodeAt(i);
  }
  return bytes;
}

In Node.js (v16+), use the built-in Buffer class:

// Encode
const encoded = Buffer.from('Hello, World\!').toString('base64');
console.log(encoded); // SGVsbG8sIFdvcmxkIQ==

// Decode
const decoded = Buffer.from('SGVsbG8sIFdvcmxkIQ==', 'base64').toString('utf8');
console.log(decoded); // Hello, World\!

// Base64url variant (URL-safe, no padding)
const urlSafe = Buffer.from('Hello, World\!').toString('base64url');
console.log(urlSafe); // SGVsbG8sIFdvcmxkIQ

Python

Python's standard library includes the base64 module, which handles all common variants.

import base64

# Encode bytes
data = b'Hello, World\!'
encoded = base64.b64encode(data)
print(encoded)         # b'SGVsbG8sIFdvcmxkIQ=='
print(encoded.decode()) # SGVsbG8sIFdvcmxkIQ==  (as a string)

# Decode
decoded = base64.b64decode('SGVsbG8sIFdvcmxkIQ==')
print(decoded)         # b'Hello, World\!'

# URL-safe Base64 (Base64url)
url_encoded = base64.urlsafe_b64encode(data)
print(url_encoded)     # b'SGVsbG8sIFdvcmxkIQ=='

# Encode a file
with open('image.png', 'rb') as f:
    file_b64 = base64.b64encode(f.read()).decode()
    print(f'data:image/png;base64,{file_b64[:40]}...')

Command Line (Linux / macOS)

The base64 utility ships with most Unix-like systems and is useful for quick encoding tasks and scripting.

# Encode a string
echo -n 'Hello, World\!' | base64
# SGVsbG8sIFdvcmxkIQ==

# Decode
echo 'SGVsbG8sIFdvcmxkIQ==' | base64 --decode
# Hello, World\!

# Encode a file
base64 image.png > image.b64

# Decode a file
base64 --decode image.b64 > image_restored.png

# macOS uses -D instead of --decode
echo 'SGVsbG8=' | base64 -D

Encode Any Image to Base64 Without Writing Code

The SnapUtils Image to Base64 tool converts JPEG, PNG, GIF, WebP, and SVG files to Base64 data URIs in one click — no installation, no signup, no data stored server-side.

Try Image to Base64

Base64 Variants

Base64url (URL-Safe Base64)

Standard Base64 uses + and / as its 62nd and 63rd characters. Both are special characters in URLs: + is interpreted as a space in query strings, and / is a path separator. When Base64 output needs to appear in a URL, filename, or HTTP header without percent-encoding, the Base64url variant is used instead. It makes two character substitutions:

+ is replaced with - (hyphen)
/ is replaced with _ (underscore)

Padding (=) is often omitted in Base64url contexts because it can also cause issues in URLs. JWTs, for example, use unpadded Base64url throughout.

MIME Base64

MIME Base64 (RFC 2045) is the flavour used inside email messages. It is identical to standard Base64 in its alphabet but adds one rule: the output must be broken into lines of at most 76 characters, with each line terminated by CRLF (\r\n). This was a concession to mail servers that truncated long lines. Most modern Base64 decoders accept both line-broken and continuous output, so this distinction rarely causes problems today.

Base64 Without Padding

Some protocols omit the trailing = padding characters entirely, relying on the receiver to infer the correct number of padding characters from the string length. This is common in JWTs, URL tokens, and cryptographic key representations. Decoders must handle both padded and unpadded input gracefully.

Performance Considerations

Base64 is fast — encoding and decoding a megabyte of data takes a few milliseconds on modern hardware. But the 33% size overhead compounds at scale. Consider these practical implications:

Network transfer: A 1 MB PNG embedded as a Base64 data URI in HTML is sent as ~1.37 MB of ASCII characters. Served as a separate binary response with Content-Type: image/png, it is 1 MB. The difference multiplies across many users and requests.
Browser parsing: Browsers parse HTML as text. A large Base64 string in an img src attribute must be parsed as part of the HTML document before it can be decoded. Separate image resources are fetched in parallel and decoded independently.
Caching: A standalone image can be cached by the browser and served from disk on subsequent visits. A Base64 data URI embedded in HTML is only cached if the entire HTML document is cached — which is usually not desirable for dynamic pages.
Memory: Decoding Base64 in JavaScript or Python requires allocating both the encoded string and the resulting byte array simultaneously. For large files, this can double peak memory usage.

The practical rule: use Base64 inline only for resources under roughly 4–8 KB, where saving an HTTP round-trip outweighs the size and caching costs. For everything larger, link to separate resources.

Frequently Asked Questions

Is Base64 a form of encryption?

No. Base64 is an encoding scheme, not encryption. It is fully reversible with no key or secret required. Anyone with a Base64-encoded string can decode it instantly. Never rely on Base64 for security or confidentiality.

How much larger does Base64 make data?

Base64-encoded data is approximately 33% larger than the original binary input. Every 3 bytes of input become 4 ASCII characters of output, because 6 bits are packed into each character instead of 8. Padding can add up to 2 extra characters per encoding operation, but this overhead is negligible for anything beyond a few bytes.

What is the difference between Base64 and Base64url?

Standard Base64 uses + and / as the 62nd and 63rd characters, and = for padding. Base64url replaces + with - and / with _, making the output safe to include in URLs and filenames without percent-encoding. Padding is often omitted in Base64url contexts. JWTs use Base64url throughout.

Can Base64 encode any type of file?

Yes. Base64 operates on raw bytes, so it can encode images, audio, video, PDFs, executables, or any other binary file format. The decoder reconstructs the original bytes exactly. The encoding is lossless and format-agnostic — it has no understanding of the file's structure or content.

Why do emails use Base64?

The SMTP protocol that carries email was originally designed for 7-bit ASCII text. Attachments and non-ASCII characters are Base64-encoded so they survive transmission through mail servers that strip or alter 8-bit bytes. MIME defines the Content-Transfer-Encoding: base64 header to signal that a message part is Base64-encoded, allowing compliant clients to decode it automatically.