What Is Base64 Encoding? How to Encode and Decode Online

By FreeToolBox Team Β· Β·
base64encodingdeveloperwebdata

Base64 is one of those encodings that appears constantly in developer work β€” in JWT tokens, email attachments, data URIs, API responses β€” yet many developers still can’t explain exactly how it works. This article demystifies Base64: what it is, why it exists, how the algorithm transforms bytes into text, and the most important misconception to avoid.

What Is Base64?

Base64 is a binary-to-text encoding scheme. It takes arbitrary binary data β€” bytes that can be any value from 0 to 255 β€” and represents them as a string of 64 printable ASCII characters: A–Z, a–z, 0–9, +, and /. That set of 64 characters (plus = for padding) is safe to transmit through systems that only handle text.

The name comes directly from the character set size: 64 possible values per position, meaning each character encodes exactly 6 bits of information (2⁢ = 64).

Why Does Base64 Exist?

Many protocols and storage formats were originally designed for human-readable text only. Email (SMTP), HTTP headers, HTML attributes, and JSON fields all assume plain text. When you need to send a PNG image, a PDF, or raw bytes through one of these channels, you need a way to represent binary data as safe ASCII. Base64 is the standard answer.

Common places you encounter it:

  • Email attachments β€” the MIME standard encodes them as Base64 internally
  • Data URIs β€” <img src="data:image/png;base64,iVBOR..."> embeds images directly in HTML without a separate request
  • JWT tokens β€” the header and payload sections are Base64url-encoded JSON
  • Cryptographic keys and certificates β€” PEM format wraps Base64-encoded binary with -----BEGIN ...----- markers
  • API responses β€” when a JSON API needs to return binary data (icons, thumbnails, raw bytes), Base64 is the common choice

How Base64 Encoding Works

The algorithm processes input in 3-byte (24-bit) chunks:

  1. Take 3 bytes of input (24 bits total)
  2. Split into 4 groups of 6 bits each
  3. Map each 6-bit value to the Base64 alphabet (A = 0, B = 1, … Z = 25, a = 26, … z = 51, 0 = 52, … 9 = 61, + = 62, / = 63)
  4. Output 4 ASCII characters

Every 3 input bytes produce 4 output characters β€” which is why Base64 output is always roughly 33% larger than the original input.

Padding: If the input length is not a multiple of 3, one or two = characters are appended so the output length is always a multiple of 4. The decoder uses these to know how many bytes the final group represents.

Example β€” encoding "Man" (ASCII 77, 97, 110):

Binary:         01001101  01100001  01101110
6-bit groups:   010011  010110  000101  101110
Decimal:        19      22      5       46
Base64 output:  T       W       F       u

The encoded result is TWFu β€” four characters representing three bytes.

Base64 Is Not Encryption

This is the most important thing to understand. Base64 is an encoding, not an encryption. Anyone can decode it instantly, with no key required. It provides zero confidentiality.

Seeing SGVsbG8gV29ybGQ= in a request body or a JWT payload does not mean that data is protected β€” it means the client and server agreed on a text-safe representation of binary. The value decodes to Hello World in under a second.

If you need to protect data, use actual encryption (AES, RSA, or similar). Base64 may appear as the outer wrapper around encrypted bytes, but the security comes from the encryption algorithm, not from the Base64 layer on top.

How to Encode and Decode Base64 Online

Browser JavaScript has built-in Base64 functions: btoa() (binary to ASCII) for encoding and atob() (ASCII to binary) for decoding. Our Base64 Encoder & Decoder uses exactly these native APIs β€” entirely in your browser, with no data ever sent to a server.

This matters when the string you are encoding contains something sensitive: an API key embedded in a config, a token from a debug log, credentials in a request header. Because nothing leaves your machine, you can inspect it safely.

Frequently Asked Questions

Is Base64 the same as URL encoding?

No. URL encoding (percent-encoding) replaces special characters like spaces and slashes with %XX hex sequences. Base64 is a separate scheme for converting binary data to text. There is a related variant called Base64url that replaces + with - and / with _ to make Base64 output safe in URLs β€” this is what JWT tokens use.

Why does Base64 output end with ==?

The = characters are padding. Base64 encodes 3 bytes at a time. If the input length is not divisible by 3, one or two = signs are added so the output length is always a multiple of 4. One = means one padding byte; == means two.

Can I use Base64 to secure passwords or sensitive data?

No. Base64 is trivially reversible and provides no security at all. To store passwords safely, use a proper hashing function like bcrypt, argon2, or scrypt. To protect data in transit, use TLS. Base64 is only for encoding, never for security.

How much larger does Base64 make my data?

Roughly 33% larger. Every 3 bytes of input become 4 characters of output. A 1 MB binary file becomes approximately 1.33 MB when Base64-encoded. For this reason, embedding very large files as data URIs can noticeably increase page weight.

Base64 is a foundational encoding that every developer encounters sooner or later. Understanding that it is a representation scheme β€” not a security mechanism β€” prevents common mistakes in logging, API design, and data handling. When you need to inspect, encode, or decode a Base64 string, our Base64 Encoder & Decoder handles it entirely in your browser, with no data ever sent to a server.