What Is Base64?
Base64 is an encoding scheme that represents binary data as a sequence of printable ASCII characters. It takes any sequence of bytes — whether that is an image, a PDF, or raw binary — and encodes it into a string made up of only 64 safe characters: A–Z, a–z, 0–9, +, and / (with = used for padding).
The name "Base64" comes from the fact that the encoding uses a base-64 numeral system.
The 64 Characters
| Group | Characters |
|---|---|
| Uppercase | A–Z (26) |
| Lowercase | a–z (26) |
| Digits | 0–9 (10) |
| Symbols | +, / (2) |
| Padding | = |
There are also URL-safe variants that replace + with - and / with _, avoiding conflicts with URL special characters.
How Base64 Encoding Works
Base64 works by converting every 3 bytes of binary data into 4 Base64 characters.
- Take 3 bytes (24 bits) of input
- Split into four 6-bit groups
- Map each 6-bit value to a character in the Base64 alphabet
Example: Encoding the string "Man"
| Character | M | a | n |
|---|---|---|---|
| ASCII | 77 | 97 | 110 |
| Binary | 01001101 | 01100001 | 01101110 |
Combined: 010011010110000101101110
Split into 6-bit groups: 010011 010110 000101 101110
Mapped: T W F u → "TWFu"
If the input is not a multiple of 3 bytes, padding with = characters is used to complete the last group.
Size Overhead
Base64 encoding increases data size by approximately 33% (every 3 bytes become 4 characters). Factor this in when deciding to use Base64 for large data.
A Brief History
Base64 was developed in the context of MIME (Multipurpose Internet Mail Extensions), standardized in 1992 by RFC 1341. Email systems were originally designed to transmit only 7-bit ASCII text, but attachments like images and documents are binary data. Base64 solved this by encoding binary data as plain text that could safely transit email infrastructure.
The name and concept appeared even earlier in Unix uuencode (a different but related scheme), but MIME's Base64 became the lasting standard.
Common Use Cases
1. Embedding Images in HTML/CSS
Instead of referencing an external image file, you can embed an image directly using a Base64-encoded data URI:
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAA..." />
When to use: Small icons or images that save on HTTP requests in the critical rendering path.
When to avoid: Large images — the 33% size overhead plus the inability to cache the image separately outweigh the benefits.
2. HTTP Basic Authentication
HTTP Basic Auth sends credentials as a Base64-encoded string in the Authorization header:
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
This is username:password encoded in Base64. Important: This is NOT encryption — it is trivially decoded. Always use HTTPS with Basic Auth.
3. JWT (JSON Web Tokens)
JWT tokens are composed of three Base64URL-encoded sections separated by dots: header, payload, and signature. The header and payload are readable (not encrypted) — Base64 here is purely for transport encoding.
4. Email Attachments (MIME)
As Base64's origin use case: email clients encode binary attachments (images, PDFs, etc.) in Base64 to safely transmit them through email infrastructure.
5. Storing Binary Data in JSON or XML
Since JSON and XML only support text, binary data (like encryption keys or small images) is often Base64-encoded before inclusion.
6. Data URLs in CSS
Background images can be inlined in CSS:
background-image: url('data:image/svg+xml;base64,PHN2ZyB4...');
Base64 Variants
| Variant | Characters | Use Case |
|---|---|---|
| Standard Base64 | A–Z a–z 0–9 + / |
General purpose |
| URL-safe Base64 | A–Z a–z 0–9 - _ |
URLs, filenames, JWTs |
| Base64 without padding | Omits = |
Some APIs prefer this |
| MIME Base64 | Standard + line breaks every 76 chars |
Security Considerations
Base64 Is NOT Encryption
This is the most critical point: Base64 is an encoding, not encryption. Anyone who has the Base64 string can decode it instantly — no key required. Never use Base64 to "hide" sensitive information.
echo "dXNlcm5hbWU6cGFzc3dvcmQ=" | base64 --decode
# Outputs: username:password
Don't Encode Passwords in Base64
Storing passwords as Base64 offers zero security. Use proper password hashing algorithms like bcrypt, Argon2, or scrypt instead.
XSS Risks with Data URIs
While Base64 data URIs themselves are safe, malicious JavaScript can be encoded and executed via data:text/html;base64,... URIs in some browser contexts. Most modern browsers restrict this for <a> link navigation and <iframe> sources, but always sanitize user-supplied data URIs.
Base64 in Programming Languages
JavaScript
// Encode
const encoded = btoa("Hello, World!"); // "SGVsbG8sIFdvcmxkIQ=="
// Decode
const decoded = atob("SGVsbG8sIFdvcmxkIQ=="); // "Hello, World!"
// For binary data / files, use FileReader or Buffer
Note: btoa/atob only work with Latin-1 strings in browsers. For Unicode, you need a workaround:
// Unicode-safe encode
const encoded = btoa(unescape(encodeURIComponent("こんにちは")));
Or use the modern TextEncoder API with a Buffer in Node.js:
Buffer.from("Hello").toString("base64");
Buffer.from("SGVsbG8=", "base64").toString("utf8");
Python
import base64
# Encode
encoded = base64.b64encode(b"Hello, World!").decode("utf-8")
# "SGVsbG8sIFdvcmxkIQ=="
# Decode
decoded = base64.b64decode("SGVsbG8sIFdvcmxkIQ==").decode("utf-8")
# "Hello, World!"
# URL-safe variant
url_safe = base64.urlsafe_b64encode(b"Hello+World/")
Performance Considerations
- Encoding/decoding is fast: For most use cases, Base64 overhead is negligible.
- Size overhead: ~33% larger than binary. Avoid for large files (MB+) transmitted frequently.
- CPU cache pressure: Encoding large binary files in memory may put pressure on the CPU cache.
For large binary transfers, prefer binary protocols (HTTP/2 with binary framing, WebSocket binary frames, gRPC with protobuf) over Base64.
Summary
Base64 is one of those foundational technologies that underlies much of the modern web without most developers thinking about it. It solves a specific problem well: safely encoding binary data as printable text for transmission in text-based systems.
Use Base64 when: You need to embed binary data in text contexts (HTML, JSON, email, headers).
Do not use Base64 when: You want to encrypt or secure data — Base64 is completely reversible without any key.