Base64 is a binary-to-text encoding scheme that converts arbitrary binary data into a string of printable ASCII characters. It is not encryption — it provides no security on its own — but it solves a very specific and common engineering problem: how to safely transmit binary data through systems that were designed to handle only text.
Why Base64 exists
Many older protocols — email (SMTP), HTTP headers, and XML — were designed to carry only printable ASCII characters. Binary data like images, PDFs, or executables contains bytes that map to control characters or have special meaning in those protocols. Sending raw binary through these channels corrupts or truncates the data.
Base64 solves this by encoding every 3 bytes of binary data into 4 printable characters chosen from a 64-character alphabet: A–Z, a–z, 0–9, +, and /. The = character is used as padding when the input length is not a multiple of three. The result is always safe to embed in any text-based system.
How it works
The algorithm regroups the input bits into 6-bit chunks (since 2⁶ = 64, matching the alphabet size). Three input bytes (24 bits) produce four 6-bit groups, each mapped to one Base64 character. This means the padded Base64 output for n input bytes is always exactly ⌈n/3⌉ × 4 characters long — roughly 33% larger than the original.
For example, the ASCII string Man (three bytes: 77, 97, 110) encodes to TWFu. The single byte M (77) encodes to TQ==, where == is padding to reach a 4-character boundary.
Common real-world uses
Email attachments. The MIME standard uses Base64 to encode binary attachments (PDFs, images, archives) so they can travel through SMTP servers that only handle 7-bit ASCII text.
Data URIs. HTML and CSS embed small images or fonts directly in source files using data URIs: src="data:image/png;base64,iVBORw0KGgo...". This eliminates an extra HTTP request for small assets.
JSON Web Tokens (JWTs). JWTs use Base64URL — a URL-safe variant that replaces + with - and / with _ and omits padding — to encode their header and payload so they can be safely sent in HTTP headers and URL query parameters.
API credentials. HTTP Basic Authentication sends credentials as Base64(username:password). This is still not encryption — it can be decoded by anyone — which is why Basic Auth must always be used over HTTPS.
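The 6-bit grouping from "How it works" and the JWT and Basic Auth cases above, as an added Python example (not code from the original page): a hand-written encoder for both alphabets, plus readers that recover a Basic Auth password and a JWT's header and payload without any key. The function names and the sample credential and token are constructed for illustration.

```python
import base64
import json

STD = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
URL = STD[:62] + "-_"  # Base64URL: '+' -> '-', '/' -> '_'

def b64encode(data: bytes, alphabet: str = STD, pad: bool = True) -> str:
    """Encode by hand: 3 bytes -> 24 bits -> four 6-bit alphabet indexes."""
    out = []
    for i in range(0, len(data), 3):
        chunk = data[i:i + 3]
        n = int.from_bytes(chunk.ljust(3, b"\0"), "big")  # zero-fill a short tail
        # Only len(chunk) + 1 characters carry real input bits.
        out += [alphabet[(n >> (18 - 6 * j)) & 0x3F] for j in range(len(chunk) + 1)]
        if pad:
            out.append("=" * (3 - len(chunk)))
    return "".join(out)

def b64url_decode(segment: str) -> bytes:
    """Decode unpadded Base64URL by restoring the '=' the encoder omitted."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def read_basic_auth(header_value: str) -> tuple[str, str]:
    """Recover (username, password) from an Authorization header value."""
    scheme, _, token = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    user, _, password = base64.b64decode(token, validate=True).decode().partition(":")
    return user, password

def read_jwt(token: str) -> tuple[dict, dict]:
    """Return (header, payload) of a JWT without verifying or needing any key."""
    header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))

# Constructed sample values, not real credentials or tokens.
SAMPLE_BASIC = "Basic " + b64encode(b"alice:correct horse")
SAMPLE_JWT = ".".join([
    b64encode(b'{"alg":"HS256","typ":"JWT"}', URL, pad=False),
    b64encode(b'{"sub":"alice","admin":true}', URL, pad=False),
    "constructed-signature",
])

if __name__ == "__main__":
    print(b64encode(b"Man"), b64encode(b"M"))
    print(read_basic_auth(SAMPLE_BASIC))
    print(read_jwt(SAMPLE_JWT))
```

Both readers succeed with nothing but the encoded string, which is why neither value should be logged or sent over an unencrypted channel; a JWT's integrity comes from its signature, which this example deliberately does not check.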
When NOT to use Base64
Do not use Base64 as a form of security or obfuscation. It is trivially reversible. Anyone who sees a Base64 string can decode it instantly. If you need to protect data, use proper encryption (AES-GCM, RSA-OAEP) or hashing (SHA-256 with a salt for passwords).
Also avoid Base64 for large binary assets served directly to users (images, videos). The 33% size overhead and lack of compression make it inefficient compared to serving binary files directly with appropriate Content-Type headers.
Try it yourself
Use the Base64 Encoder or Base64 Decoder on TextUtils to experiment with encoding and decoding directly in your browser — no data is sent to any server.