Base64 encoding is one of those things that appears everywhere — in JWT tokens, in email attachments, in data URIs, in HTTP Basic Auth headers — but is rarely explained clearly. Here is a practical guide to what it is, why it was invented, and when you should and should not use it.
What Is Base64?
Base64 is an encoding scheme that converts binary data (bytes) into a string of 64 printable ASCII characters. Those 64 characters are: A–Z (26), a–z (26), 0–9 (10), + and / (2) — plus = used as padding.
The core problem Base64 solves: not all data transfer systems handle arbitrary bytes safely. Email protocols, HTTP headers, and many older systems were designed to carry text, not binary data. A byte value of 0x00 (null), 0x0A (newline), or 0x1B (escape) can corrupt or terminate a text-based transmission.
Base64 sidesteps this by encoding any binary data as a string of safe, printable characters that nothing misinterprets.
How Does Base64 Work?
The algorithm is straightforward:
- Take the input bytes in groups of 3
- Each group of 3 bytes (24 bits) becomes 4 Base64 characters (6 bits each)
- If the input isn't divisible by 3, pad with
= characters to make the output a multiple of 4
That 4:3 ratio explains why Base64 output is always ~33% larger than the input.
Example: the string hello (5 bytes) encodes to aGVsbG8= (8 characters).
Common Uses of Base64
JWT tokens — JSON Web Tokens are three Base64url-encoded sections (header, payload, signature) joined by dots. The token eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiYWxleCJ9.xyz is Base64-decodable — you can read the header and payload without a key. This is intentional: JWT is encoded, not encrypted.
HTTP Basic Authentication — the Authorization header for Basic Auth is Basic <base64(username:password)>. For example, admin:password encodes to YWRtaW46cGFzc3dvcmQ=. This is why Basic Auth must only be used over HTTPS — anyone who sees the header can decode it instantly.
Email attachments (MIME) — email protocols were designed for ASCII text. Attachments (PDFs, images, archives) are Base64-encoded within the email body using MIME multipart format. This is why email files are larger than the attachments they contain.
Data URIs — you can embed an image directly in HTML or CSS without a separate file request: 
API payloads — some APIs use Base64 to transmit binary data (images, audio) as a JSON string field rather than as a separate binary upload.
Base64 in Code
JavaScript (browser):
`<code>javascript</p>
<p>btoa("hello") // → "aGVsbG8="</p>
<p>atob("aGVsbG8=") // → "hello"</p>
</code>
JavaScript (Node.js):
<code>javascript
<p>Buffer.from("hello").toString("base64") // encode</p>
<p>Buffer.from("aGVsbG8=", "base64").toString() // decode</p>
</code>
Python:
<code>python
<p>import base64</p>
<p>base64.b64encode(b"hello") # → b'aGVsbG8='</p>
<p>base64.b64decode("aGVsbG8=") # → b'hello'</p>
</code>
PHP:
<code>php
<p>base64_encode("hello"); // "aGVsbG8="</p>
<p>base64_decode("aGVsbG8="); // "hello"</p>
</code>
Command line:
<code>bash
<p>echo -n "hello" | base64 # encode</p>
<p>echo "aGVsbG8=" | base64 --decode # decode</p>
</code>
URL-Safe Base64
Standard Base64 uses + and /, which have special meaning in URLs. For tokens used in URLs (OAuth codes, JWT in URL parameters, signed URLs), use URL-safe Base64, which replaces + with - and / with _.
Most languages have dedicated URL-safe Base64 functions:
- Python: base64.urlsafe_b64encode()
- Ruby: Base64.urlsafe_encode64()
- Go: base64.URLEncoding`
What Base64 Is Not
Not encryption. Base64 is trivially reversible — it's encoding, not encryption. Never use Base64 to "hide" sensitive data. Use AES-256 or a proper encryption library.
Not compression. Base64 output is 33% larger than the input. It does not compress data; it expands it.
Not hashing. Unlike SHA-256 or bcrypt, Base64 is reversible. It is not suitable for storing passwords or creating one-way digests.
Quick Tool
For one-off encoding and decoding — pasting a JWT to inspect its payload, encoding credentials for an API header, or converting an image to a data URI — the SnappyTools Base64 Encoder / Decoder handles it in-browser with no data sent to any server.
Base64 is a simple, well-understood tool with a specific purpose: safely transmitting binary data through text-only channels. Knowing when it applies — and when it doesn't — is a fundamental part of working with web APIs and data formats.