Published May 8, 2026 · By Tom Cannon
If you work with web development, APIs, or data processing, you've encountered Base64. It appears in data URIs, email attachments, authentication headers, and countless other places. But what exactly is Base64, how does it work, and when should (and shouldn't) you use it?
Base64 is a binary-to-text encoding scheme that converts any data into a string of printable ASCII characters. The name comes from the fact that it uses 64 different characters to represent data: A-Z (26), a-z (26), 0-9 (10), + and / (2), plus = for padding. Every 3 bytes of input data become 4 Base64 characters. This means Base64-encoded data is always about 33% larger than the original — the price you pay for text-safe representation.
The encoding process takes 3 bytes (24 bits) of input at a time and splits them into four 6-bit groups. Each 6-bit value (0-63) maps to one of the 64 characters in the Base64 alphabet. If the input length isn't divisible by 3, the output is padded with one or two = characters. For example, the text "Hi" (2 bytes) encodes to "SGk=" — the = indicates one byte of padding was needed to fill the final 3-byte group.
Data URIs in HTML/CSS: Embed small images directly in your HTML or CSS without separate HTTP requests: <img src="data:image/png;base64,iVBOR...">. This eliminates a network round-trip for small icons and graphics, improving page load speed. Best for images under 2-3 KB — larger images are better served as separate files. Email attachments (MIME): Email was designed to carry only text. Binary attachments like images and PDFs are Base64-encoded so they can travel through email servers that only handle ASCII text. Your email client encodes attachments automatically and decodes them when you open them. API authentication: HTTP Basic Auth encodes the username:password pair in Base64: Authorization: Basic dXNlcjpwYXNz. Important: this is encoding, not encryption — anyone can decode it. Always use HTTPS with Basic Auth. JSON payloads: When an API needs to include binary data (like a file or image) in a JSON response, Base64 encoding is the standard approach since JSON only supports text strings. URL-safe data: Base64url (a variant that uses - and _ instead of + and /) is used in JWTs, signed URLs, and other places where data needs to be URL-safe.
This is the most common misconception about Base64. Encoding is a reversible transformation that anyone can undo — it provides zero security. Never use Base64 to "hide" passwords, API keys, or sensitive data. If you see a Base64 string in a config file or URL, you can decode it instantly with our Base64 decoder or any programming language's built-in function.
Avoid Base64 for large files — the 33% size increase adds up fast. A 1 MB image becomes 1.33 MB when Base64-encoded, and embedding it in HTML/CSS makes the page itself that much larger. For files over a few KB, serve them as separate files and let the browser cache them. Don't use Base64 for security or encryption — it's encoding, not protection. Don't use Base64 when the transport supports binary data natively — HTTP can transfer binary files directly, so there's no need to Base64-encode file uploads in a multipart form.
Every major programming language has built-in Base64 support. JavaScript: btoa() to encode, atob() to decode (or the newer Buffer.from() in Node.js). Python: base64.b64encode() and base64.b64decode(). Java: Base64.getEncoder().encode() and Base64.getDecoder().decode(). For quick encoding and decoding without writing code, our Base64 tool handles it instantly in your browser.
Free weekly tips on image optimization, PC gaming, and web development. No spam.
We respect your privacy. Unsubscribe anytime.