What is Base64 Encoding? A Plain English Explanation for Developers
Base64 is a way to represent binary data as plain text using only 64 safe characters. You've seen it in JWT tokens, API keys, email attachments, and data URIs — but what is it actually doing? This guide explains it simply.
The problem Base64 solves
Computers store everything as binary — sequences of 0s and 1s. When you need to send that binary data through a channel designed for text (like email, HTTP headers, or JSON), some bytes get mangled. Control characters, null bytes, and non-ASCII characters can corrupt the data or confuse the receiving system.
Base64 solves this by converting binary data into a safe subset of ASCII characters — specifically the 64 characters: A–Z, a–z, 0–9, plus (+) and slash (/). Every system that can handle text can handle Base64 without corruption.
Why 64? Where does the name come from?
The encoding uses exactly 64 characters because 6 bits can represent 64 different values (2^6 = 64). The algorithm takes every 3 bytes of input (24 bits) and splits them into four groups of 6 bits. Each 6-bit group maps to one of the 64 characters. This is why Base64-encoded output is always about 33% larger than the original input — you're using 4 characters to represent every 3 bytes.
A simple example
Plain text: Hello
Base64: SGVsbG8=
Plain text: DevTools Hub
Base64: RGV2VG9vbHMgSHVi
Notice the = at the end of the first example. That's padding — Base64 always produces output in multiples of 4 characters, so = or == is appended when the input length isn't a multiple of 3.
Where you encounter Base64 as a developer
- JWT tokens: The header and payload sections of a JWT are Base64url-encoded (a URL-safe variant that uses - and _ instead of + and /)
- HTTP Basic Authentication: Credentials are sent as Authorization: Basic dXNlcjpwYXNz where the value is Base64 of "username:password"
- Data URIs: Inline images in HTML/CSS use data:image/png;base64,iVBORw0KGgo...
- API keys and secrets: Many services deliver secrets as Base64 strings
- Kubernetes secrets: All secret values in k8s manifests are Base64-encoded
- Email attachments (MIME): File attachments in emails are Base64-encoded so they survive email transport
- SSH keys: The public key in your ~/.ssh/authorized_keys file is Base64-encoded
Base64 is NOT encryption
This is the most important thing to understand. Base64 is encoding, not encryption. Anyone can decode a Base64 string instantly — there is no key, no secret, no security. It is purely a format conversion.
Never use Base64 to "secure" sensitive data. If you Base64-encode a password and store it, it is essentially stored in plain text. Use proper encryption (AES, RSA) or hashing (bcrypt, argon2) for security purposes.
Base64 in JavaScript
// Encode (btoa only accepts characters in the Latin-1 range)
btoa("Hello, World!") // "SGVsbG8sIFdvcmxkIQ=="
// Decode
atob("SGVsbG8sIFdvcmxkIQ==") // "Hello, World!"
// For Unicode strings, convert to UTF-8 bytes first
// (replaces the deprecated unescape(encodeURIComponent(...)) pattern):
btoa(String.fromCharCode(...new TextEncoder().encode("Hello 🌍")))
// Node.js
Buffer.from("Hello").toString("base64") // encode
Buffer.from("SGVsbG8=", "base64").toString() // decode
Base64url — the URL-safe variant
Standard Base64 uses + and / which have special meaning in URLs. Base64url replaces these with - and _ respectively, and omits padding. This is the variant used in JWT tokens and many web APIs.
Standard Base64: SGVsbG8+IFdvcmxkLw==
Base64url: SGVsbG8-IFdvcmxkLw (no padding, - instead of +, _ instead of /)
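To make the "Base64 is NOT encryption" point and the Base64url rules concrete, here is an added example that is not part of the original article: Node.js code that recovers the credentials from the Basic header value shown earlier and reads a JWT payload with no key at all. The function names and the sample token are assumptions constructed for illustration.

```javascript
// Added example, not from the original article. Node.js; sample values are constructed.

// Base64url -> standard Base64: swap the two URL-safe characters back and
// restore the "=" padding that Base64url omits.
function base64urlToBase64(s) {
  const std = s.replace(/-/g, "+").replace(/_/g, "/");
  return std + "=".repeat((4 - (std.length % 4)) % 4);
}

function encodeBase64url(text) {
  return Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function decodeBase64url(s) {
  return Buffer.from(base64urlToBase64(s), "base64").toString("utf8");
}

// Recover the credentials from an HTTP Basic Authorization header value.
function decodeBasicAuth(headerValue) {
  const m = /^Basic\s+([A-Za-z0-9+/]+={0,2})$/.exec(headerValue.trim());
  if (!m) return null;
  const decoded = Buffer.from(m[1], "base64").toString("utf8");
  const i = decoded.indexOf(":"); // split on the first ":" only
  if (i === -1) return null;
  return { username: decoded.slice(0, i), password: decoded.slice(i + 1) };
}

// Read a JWT's header and payload without any key. The signature is NOT
// verified here; this only shows that the claims are readable by anyone.
function readJwtUnverified(token) {
  const parts = token.split(".");
  if (parts.length !== 3) return null;
  try {
    return { header: JSON.parse(decodeBase64url(parts[0])),
             payload: JSON.parse(decodeBase64url(parts[1])) };
  } catch {
    return null; // not valid Base64url-encoded JSON
  }
}

// Constructed token: the third part is a placeholder, not a real signature.
const sampleJwt = [
  encodeBase64url('{"alg":"HS256","typ":"JWT"}'),
  encodeBase64url('{"sub":"user-42","email":"dev@example.com"}'),
  "placeholder-signature",
].join(".");
console.log(decodeBasicAuth("Basic dXNlcjpwYXNz")); // header value from the list above
console.log(readJwtUnverified(sampleJwt).payload);
```

Anything visible to a proxy, log pipeline, or browser extension in these formats is readable in full, which is why Basic authentication needs TLS and JWT payloads should not carry secrets.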