Base64 Encoding Explained: What It Is, Why It Exists, and When to Use It

Published: (June 9, 2026 at 06:10 AM EDT)
Source: Dev.to

Base64 encoding is one of those things that appears everywhere — in JWT tokens, in email attachments, in data URIs, in HTTP Basic Auth headers — but is rarely explained clearly. Here is a practical guide to what it is, why it was invented, and when you should and should not use it.

Base64 is an encoding scheme that converts binary data (bytes) into a string drawn from a set of 64 printable ASCII characters. Those 64 characters are: A–Z (26), a–z (26), 0–9 (10), + and / (2) — plus = used as padding.

The core problem Base64 solves: not all data transfer systems handle arbitrary bytes safely. Email protocols, HTTP headers, and many older systems were designed to carry text, not binary data. A byte value of 0x00 (null), 0x0A (newline), or 0x1B (escape) can corrupt or terminate a text-based transmission. Base64 sidesteps this by encoding any binary data as a string of safe, printable characters that nothing misinterprets.

The algorithm is straightforward:

1. Take the input bytes in groups of 3
2. Each group of 3 bytes (24 bits) becomes 4 Base64 characters (6 bits each)
3. If the input isn’t divisible by 3, pad with = characters to make the output a multiple of 4

That 4:3 ratio explains why Base64 output is always ~33% larger than the input. Example: the string hello (5 bytes) encodes to aGVsbG8= (8 characters).

JWT tokens — JSON Web Tokens are three Base64url-encoded sections (header, payload, signature) joined by dots. The token eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiYWxleCJ9.xyz is Base64-decodable — you can read the header and payload without a key. This is intentional: JWT is encoded, not encrypted.

HTTP Basic Authentication — the Authorization header for Basic Auth is Basic . For example, admin:password encodes to YWRtaW46cGFzc3dvcmQ=. This is why Basic Auth must only be used over HTTPS — anyone who sees the header can decode it instantly.

Email attachments (MIME) — email protocols were designed for ASCII text. Attachments (PDFs, images, archives) are Base64-encoded within the email body using MIME multipart format. This is why email files are larger than the attachments they contain.

Data URIs — you can embed an image directly in HTML or CSS without a separate file request: . Useful for small icons and SVGs to eliminate HTTP round trips.

API payloads — some APIs use Base64 to transmit binary data (images, audio) as a JSON string field rather than as a separate binary upload.

JavaScript (browser):

    btoa("hello")     // → "aGVsbG8="
    atob("aGVsbG8=")  // → "hello"

JavaScript (Node.js):

    Buffer.from("hello").toString("base64")            // encode
    Buffer.from("aGVsbG8=", "base64").toString()       // decode

Python:

    import base64
    base64.b64encode(b"hello")      # → b'aGVsbG8='
    base64.b64decode("aGVsbG8=")    # → b'hello'

PHP:

    base64_encode("hello");      // "aGVsbG8="
    base64_decode("aGVsbG8=");   // "hello"

Command line:

    echo -n "hello" | base64             # encode
    echo "aGVsbG8=" | base64 --decode    # decode

Standard Base64 uses + and /, which have special meaning in URLs. For tokens used in URLs (OAuth codes, JWT in URL parameters, signed URLs), use URL-safe Base64, which replaces + with - and / with _. Most languages have dedicated URL-safe Base64 functions:

Python: base64.urlsafe_b64encode()

Ruby: Base64.urlsafe_encode64()

Go: base64.URLEncoding
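
The JWT point above (encoded, not encrypted) together with URL-safe Base64, as an added example that is not from the original article: it reads the article's sample token with no key, then shows that tamper resistance comes from the HMAC signature, not from the encoding. DEMO_KEY and all function names are constructed for illustration; the omitted = padding on JWT segments is standard JWT behaviour that the article does not mention.

```python
import base64
import hashlib
import hmac
import json

PAGE_TOKEN = "eyJhbGciOiJIUzI1NiJ9.eyJ1c2VyIjoiYWxleCJ9.xyz"  # token from the article
DEMO_KEY = b"constructed-demo-key"  # assumption: made-up HMAC key for this example

def b64url_decode(segment: str) -> bytes:
    """Decode URL-safe Base64 (- and _), restoring the = padding JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    """Encode as URL-safe Base64 without padding, as JWT segments are written."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def read_jwt_unverified(token: str):
    """Return (header, payload) using no key: decoding is not decryption."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def _mac(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()

def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build header.payload.signature with an HMAC-SHA256 signature."""
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload))
    return signing_input + "." + b64url_encode(_mac(signing_input, key))

def verify_hs256(token: str, key: bytes) -> bool:
    """True only if the signature matches; anything malformed is rejected."""
    try:
        signing_input, sig_b64 = token.rsplit(".", 1)
        header = json.loads(b64url_decode(signing_input.split(".")[0]))
        if header.get("alg") != "HS256":
            return False
        return hmac.compare_digest(_mac(signing_input, key), b64url_decode(sig_b64))
    except (ValueError, AttributeError):  # bad Base64, bad JSON, wrong shape
        return False

if __name__ == "__main__":
    print(read_jwt_unverified(PAGE_TOKEN))     # readable by anyone who sees the token
    print(verify_hs256(PAGE_TOKEN, DEMO_KEY))  # "xyz" is not a valid signature
    signed = sign_hs256({"alg": "HS256"}, {"user": "alex"}, DEMO_KEY)
    print(verify_hs256(signed, DEMO_KEY))
```

A service should trust claims only after a check like verify_hs256 succeeds; read_jwt_unverified is suitable for inspection and debugging only.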

What Base64 Is Not

Not encryption. Base64 is trivially reversible — it’s encoding, not encryption. Never use Base64 to “hide” sensitive data. Use AES-256 or a proper encryption library.

Not compression. Base64 output is 33% larger than the input. It does not compress data; it expands it.

Not hashing. Unlike SHA-256 or bcrypt, Base64 is reversible. It is not suitable for storing passwords or creating one-way digests.

For one-off encoding and decoding — pasting a JWT to inspect its payload, encoding credentials for an API header, or converting an image to a data URI — the SnappyTools Base64 Encoder / Decoder handles it in-browser with no data sent to any server.

Base64 is a simple, well-understood tool with a specific purpose: safely transmitting binary data through text-only channels. Knowing when it applies — and when it doesn’t — is a fundamental part of working with web APIs and data formats.
