If you have ever seen a string that looks like SGVsbG8gV29ybGQ= and wondered what it was, that is Base64. It is one of the most widely used encoding schemes in computing, yet most people have never heard of it. Here is what it is, why it exists, and where you encounter it every day.
The Problem Base64 Solves
Computers store everything as binary — sequences of 0s and 1s. Early systems for sending data (like email) were designed only to handle text. They could not safely transmit binary data like images, audio files, or PDFs — these would get corrupted in transit because certain byte values were reserved for control characters or had special meanings to the transmission system.
The solution: encode the binary data using only "safe" printable characters that any text-based system can handle without modification. Base64 is the most widely adopted way to do this.
How Base64 Works
Base64 uses a 64-character alphabet: A–Z (26 letters), a–z (26 letters), 0–9 (10 digits), and + and / (2 special chars). The name "Base64" comes from using 64 possible characters — each character encodes 6 bits of data.
The process:
- Take the binary data in chunks of 3 bytes (24 bits)
- Split each 24-bit chunk into four 6-bit groups
- Map each 6-bit value to one of the 64 characters in the alphabet
- If the original data is not a multiple of 3 bytes, add
=padding at the end
Result: every 3 bytes of input become 4 characters of output. Base64 increases file size by about 33%.
Input: "Hi" → Binary: 01001000 01101001 Split: 010010 000110 1001 Map: S G m (needs padding) Output: "SGm="
The = at the end is padding, not part of the data. It signals that the last chunk was short by 1 or 2 bytes. One = means 1 byte was short; == means 2 bytes were short.
Where You See Base64 Every Day
- Email attachments: When you send a PDF or image by email, your email client encodes it as Base64 and embeds it in the email text. Your recipient's client decodes it. You never see this happen.
- Data URLs in HTML/CSS:
<img src="data:image/png;base64,iVBORw0KGgo...">— small images embedded directly in HTML as Base64 strings, avoiding an extra HTTP request. - JSON Web Tokens (JWT): The header and payload of a JWT are Base64-encoded (using the URL-safe variant). If you paste a JWT into a decoder you will see the raw JSON inside.
- Basic authentication: HTTP Basic Auth sends
username:passwordencoded as Base64 in the request header. (Note: this is encoding, not encryption — do not rely on it for security.) - SSL certificates: PEM-format certificates (the ones that start with
-----BEGIN CERTIFICATE-----) contain Base64-encoded binary certificate data.
Base64 vs. URL-Safe Base64
Standard Base64 uses + and / characters, which have special meanings in URLs. URL-safe Base64 replaces + with - and / with _. This variant is used in JWTs, Google's APIs, and any context where Base64 needs to appear in a URL without being percent-encoded.
Is Base64 Encryption?
No. Base64 is encoding, not encryption. Anyone who has the Base64 string can decode it back to the original data in milliseconds — no key is needed. Do not use Base64 to protect sensitive information. Use it only to make binary data safe for text-based transport. For security, use proper encryption (AES, RSA, etc.).
Encode or decode any Base64 string instantly — with URL-safe mode
Use the Base64 Encoder →Key Takeaways
- Base64 converts binary data into a text-safe string of 64 printable characters
- It adds ~33% overhead (3 input bytes → 4 output characters)
- Used in email attachments, data URLs, JWTs, HTTP auth headers, and SSL certificates
- URL-safe Base64 replaces + and / with - and _ for use in URLs
- Base64 is encoding, NOT encryption — anyone can decode it