← Back to Blog

What Is Base64 and How Does It Work?

Published on February 10, 2026 · 6 min read

If you've spent any time working with web APIs, email attachments, or storing binary data in databases, you've probably come across Base64. It's one of those technologies that quietly powers a lot of the modern internet without most users ever knowing it exists.

The Problem Base64 Solves

Computers store everything as bytes — images, videos, documents, you name it. But many systems designed for text (like email, JSON, XML, and URLs) can only handle printable ASCII characters reliably. Some bytes have special meanings:

  • Null byte (0x00): Terminates strings in C and many protocols.
  • Newline (0x0A, 0x0D): Gets modified by text editors and email systems.
  • Control characters (0x00-0x1F): Can break protocols or get stripped.
  • Non-ASCII bytes (>0x7F): Get corrupted in legacy systems that assume 7-bit text.

Base64 solves this by converting arbitrary binary data into a safe set of 64 printable ASCII characters: A-Z, a-z, 0-9, +, and /, plus = for padding.

How Base64 Encoding Works

The process is surprisingly elegant. Here's the step-by-step breakdown:

  1. Take 3 bytes at a time(24 bits total). If the input isn't divisible by 3, padding is added.
  2. Split those 24 bits into 4 groups of 6 bits each.
  3. Convert each 6-bit value (0-63) to a character using the Base64 alphabet table.

Let's walk through a concrete example. Say we want to encode "Man":

Step 1: ASCII values of "Man"

M = 77 = 01001101

a = 97 = 01100001

n = 110 = 01101110

Step 2: Concatenated 24 bits

01001101 01100001 01101110

Step 3: Split into 4 groups of 6 bits

010011 010110 000101 101110

Step 4: Convert to Base64 characters

19 = T, 22 = W, 5 = F, 46 = u

Result: "TWFu"

Padding: What About the = Signs?

You've probably noticed Base64 strings sometimes end with = or ==. This happens when the input length isn't a multiple of 3:

  • 1 byte remaining: Encodes to 2 Base64 characters + == padding. Example: "a" becomes "YQ=="
  • 2 bytes remaining: Encodes to 3 Base64 characters + = padding. Example: "ab" becomes "YWI="
  • 3 bytes (complete group): No padding needed. Example: "abc" becomes "YWJj"

Why 33% Size Increase?

This is a common question. Here's the math:

  • 3 bytes (24 bits) become 4 Base64 characters (4 × 6 = 24 bits).
  • That's 4 characters to represent 3 bytes, or 4/3 = 1.33× the original size.
  • With padding and newlines (in MIME), the overhead is closer to 37%.

This is the trade-off: you gain safety across text-based systems at the cost of about one-third more data. For small payloads like API tokens or image thumbnails, this is usually acceptable. For large files, it adds up quickly.

Where Is Base64 Used?

  • Email attachments (MIME):When you send an email with a photo attached, it's typically Base64-encoded so it survives the journey through different email servers.
  • Data URIs in HTML/CSS: Embedding small images directly in web pages using data:image/png;base64,... format.
  • JWT tokens: JSON Web Tokens use URL-safe Base64 to encode their header, payload, and signature.
  • Storing binary in databases: When you need to store an image or file in a text-only column (like a VARCHAR), Base64 is the go-to solution.
  • Basic authentication:HTTP Basic Auth encodes "username:password" in Base64 (though it's not encryption — it's easily decoded).
  • Cryptographic keys: Public and private keys are often distributed in Base64-encoded PEM format.

Is Base64 Secure?

This is a common misconception. Base64 is not encryption.It's an encoding scheme, like converting a number from decimal to hexadecimal. Anyone can decode Base64 instantly — there's no key involved.

Think of it like a shipping container: it protects the contents during transit (prevents corruption in text-based systems), but it doesn't lock them. If you need security, use encryption (like AES) before Base64 encoding.

Base64 vs Base64URL: What's the Difference?

Standard Base64 uses + and / characters, which have special meaning in URLs. Base64URL (or URL-safe Base64) replaces them:

  • + becomes - (minus sign)
  • / becomes _ (underscore)
  • Padding (=) is usually stripped

This makes Base64URL safe to use in query parameters, path segments, and JWT tokens without additional URL-encoding.

Common Misconceptions

  • "Base64 compresses data":No, it expands data by 33%. It's the opposite of compression.
  • "Base64 is encryption":No, it's encoding. Decoding requires no key and is trivially reversible.
  • "Base64 makes data smaller for transmission": It makes it larger, but it makes it safe for text-only channels.
  • "All Base64 strings end with ==": Only when the input length mod 3 equals 1. Many Base64 strings have one or zero padding characters.

Conclusion

Base64 is a fundamental encoding scheme that bridges the gap between binary data and text-based systems. It's not glamorous, but it's everywhere — from the email in your inbox to the JWT token authenticating your API requests. Understanding how it works helps you make better decisions about when to use it and when to look for alternatives.

Try our Base64 Encoder & Decoder to experiment with encoding and decoding your own data, or check out the URL-Safe Encoder for JWT and URL use cases.