Deep Dive

Base64 Encoding Explained: Principles and Real-world Use Cases

2026-03-13 ~9 min read Base64, JWT, Data URI
HomeBlog › Base64 Encoding Explained

What Is Base64?

Base64 is a method for encoding arbitrary binary data as plain ASCII text. It uses a set of 64 printable characters (A-Z, a-z, 0-9, +, /) to represent any byte sequence. It is commonly used in scenarios where binary data must be transmitted through text-based protocols such as HTTP or SMTP email.

The "64" in Base64 refers to the size of the character set used. Each Base64 character represents 6 bits of data (2^6 = 64).

Base64 is NOT encryption! It is simply an encoding scheme. Anyone can decode a Base64 string directly — it provides no security protection whatsoever.

The Base64 Character Set

IndexCharIndexCharIndexCharIndexChar
0A16Q32g48w
1B17R33h49x
2C18S34i50y
3D19T35j51z
4E20U36k520
5F21V37l531
6G22W38m542
7H23X39n553
8I24Y40o564
9J25Z41p575
10K26a42q586
11L27b43r597
12M28c44s608
13N29d45t619
14O30e46u62+
15P31f47v63/

There is also a special padding character = used to fill out the encoded length.

How Base64 Encoding Works (Step by Step)

Base64 converts every 3 bytes (24 bits) of input into 4 Base64 characters (6 bits each). The steps are:

  1. Split the input data into groups of 3 bytes.
  2. Regroup the 3 bytes (24 bits) into 4 groups of 6 bits each.
  3. Look up the corresponding Base64 character for each 6-bit value.
  4. If the last group has fewer than 3 bytes, append = padding characters.

Example: Encoding "Man"
M = 0x4D = 01001101
a = 0x61 = 01100001
n = 0x6E = 01101110

24 bits: 010011 010110 000101 101110
Indices: 19, 22, 5, 46
Result: T, W, F, u → TWFu

Padding Mechanism

Because Base64 processes 3 bytes at a time, padding is needed when the input length is not a multiple of 3:

// JavaScript examples
btoa("A")    // → "QQ=="  (1 byte, 2 padding chars)
btoa("AB")   // → "QUI="  (2 bytes, 1 padding char)
btoa("ABC")  // → "QUJD"  (3 bytes, no padding)
btoa("Man")  // → "TWFu"  (3 bytes, no padding)

URL-safe Base64

Standard Base64 uses the characters + and /, which have special meaning in URLs (+ represents a space, / is a path separator). Placing them directly in a URL can cause parsing errors.

To solve this, RFC 4648 defines a URL-safe Base64 variant:

// JavaScript: standard Base64 to URL-safe Base64
function toUrlSafeBase64(str) {
  return btoa(str)
    .replace(/\+/g, '-')
    .replace(/\//g, '_')
    .replace(/=/g, '');
}

// Restore URL-safe Base64 to standard Base64
function fromUrlSafeBase64(str) {
  var b64 = str.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4 !== 0) {
    b64 += '=';
  }
  return atob(b64);
}

Real-world Use Cases

1. JWT (JSON Web Token)

A JWT consists of three URL-safe Base64-encoded parts separated by .:

// JWT structure: header.payload.signature
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

// Decode the payload portion
atob('eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0')
// → '{"sub":"1234567890","name":"John Doe"}'

2. Image Data URIs

Embed images directly in HTML or CSS to avoid extra HTTP requests:

<!-- Embedding a small image in HTML -->
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNk+M9QDwADhgGAWjR9awAAAABJRU5ErkJggg==" alt="1x1 pixel">

/* Embedding a background image in CSS */
.icon {
  background-image: url('data:image/svg+xml;base64,PHN2Zy4uLjwvc3ZnPg==');
}

3. HTTP Basic Authentication

HTTP Basic Auth uses Base64 to transmit credentials (note: this is NOT encryption — it is only encoding!):

// Username: admin, Password: password123
const credentials = btoa('admin:password123');
// → "YWRtaW46cGFzc3dvcmQxMjM="

fetch('/api/data', {
  headers: {
    'Authorization': 'Basic ' + credentials
  }
});

4. Email Attachments (MIME)

The SMTP email protocol is a text-based protocol. Binary attachments must be Base64-encoded to be safely transmitted in an email. This is actually the original use case that Base64 was designed for.

Data Size Overhead

Base64 encoding increases the data size by approximately 33% (every 3 bytes becomes 4 characters). With line breaks (every 76 characters), the actual overhead is about 36-37%. This should be considered when deciding whether to embed images as data URIs.

Original SizeBase64 SizeOverhead
1 KB~1.37 KB+37%
10 KB~13.7 KB+37%
100 KB~137 KB+37%
1 MB~1.37 MB+37%

Security Considerations

Base64 is NOT encryption!
Base64 is just encoding. Anyone can decode it immediately to see the original content. Never use Base64 to "protect" sensitive data such as passwords or API keys — you must use a proper encryption mechanism separately.

HTTP Basic Auth Security
HTTP Basic Auth transmits credentials using Base64, which must be used together with HTTPS (TLS). Without HTTPS, the username and password are effectively transmitted in plaintext and can be intercepted.

Try the Base64 Encoding Tool Now

Switch to Base64 mode and encode or decode your text instantly.

Go to the Tool