How Base64 Works
Base64 converts binary data into a string of printable ASCII characters. It works by taking 3 bytes (24 bits) of binary data and splitting them into 4 groups of 6 bits. Each 6-bit group maps to one of 64 characters: A–Z, a–z,0–9, +, and /.
If the input isn't a multiple of 3 bytes, padding (=) is added to make the output length a multiple of 4.
Man01001101 01100001 01101110010011 010110 000101 101110TWFuCommon Use Cases
HTTP Authorization
Basic Auth credentials (username:password) are Base64-encoded in the Authorization: Basic … header.
Data URIs
Images, fonts, and other binary assets can be embedded directly in HTML and CSS as data:image/png;base64,…
Email Attachments
MIME (the email attachment standard) uses Base64 to encode binary file attachments as ASCII-safe text.
JSON Payloads
JSON only supports Unicode text. Binary data (like images or files) must be Base64-encoded before embedding in a JSON field.
JWT Tokens
JSON Web Tokens use URL-safe Base64 (Base64url) to encode the header, payload, and signature sections.
Cryptographic Keys
Public keys, private keys, and certificates (PEM format) use Base64-wrapped binary data with -----BEGIN …----- headers.
Standard vs. URL-Safe Base64
| Feature | Standard Base64 | URL-Safe Base64 |
|---|---|---|
| RFC | RFC 2045, RFC 4648 | RFC 4648 §5 |
| Char 62 | + | - |
| Char 63 | / | _ |
| Padding | = | = (often omitted) |
| Safe in URLs | ❌ Must percent-encode | ✅ No escaping needed |
| Safe in filenames | ❌ | ✅ |
| Used in JWT | ❌ | ✅ |
Base64 Is Not Encryption
Base64 encoding provides zero security. Any encoded string can be trivially decoded by anyone with access to it. Never use Base64 to protect passwords, tokens, or sensitive personal data. Use proper cryptographic algorithms (AES-256, bcrypt, Argon2, RSA) for security-sensitive operations.