Find a tool
Developer

What Is Base64 Encoding Used For?

Published March 11, 2026 · Updated March 14, 2026 · 4 min read

Base64 is one of those things that appears constantly in developer work — in email headers, data URIs, API payloads, authentication tokens — but rarely gets a clear explanation. It's not encryption. It's not compression. It solves a specific, mundane problem: representing binary data as printable text.

The problem Base64 solves

Binary data — images, audio, compiled code, encrypted payloads — contains every possible byte value (0–255). Many text-based systems were designed to handle only a subset of those values safely. Early email systems (SMTP) were built for 7-bit ASCII text. HTTP headers are supposed to contain only printable ASCII. URLs have a limited set of safe characters.

When binary data travels through these text-oriented systems, bytes outside the safe range cause problems: some systems interpret control bytes as commands, others truncate at null bytes, others corrupt the data by translating line endings. Base64 eliminates these problems by encoding every binary byte as a sequence of printable ASCII characters that no system misinterprets.

How Base64 works

Base64 uses 64 printable characters: A–Z (26), a–z (26), 0–9 (10), +, and /. Every 3 bytes of input (24 bits) become 4 Base64 characters (6 bits each). The output is padded with = to make the length a multiple of 4.

The size cost: Base64 output is 33% larger than the input. A 100-byte file becomes approximately 136 Base64 characters. That's the price of safe transmission through text-only channels.

# Python — encode a string to Base64
import base64
data = b"Hello, world!"
encoded = base64.b64encode(data)
print(encoded)  # b'SGVsbG8sIHdvcmxkIQ=='

# Decode back
decoded = base64.b64decode(encoded)
print(decoded)  # b'Hello, world!'

Where you encounter Base64

Email attachments. MIME encoding uses Base64 to embed binary file content in email. The Content-Transfer-Encoding: base64 header you see in raw email source marks Base64-encoded content. Every file attachment you've ever sent in an email was Base64-encoded in transit.

Data URIs. <img src="data:image/png;base64,iVBORw0KGgo..."> — small images or icons embedded directly in HTML or CSS. The entire image file is Base64-encoded and inlined, eliminating a separate HTTP request for small assets.

HTTP Basic Authentication. The Authorization: Basic dXNlcjpwYXNz header is user:pass encoded in Base64. This is not encryption — the credentials can be decoded instantly. Basic Auth relies on HTTPS for security, not on Base64 being secret.

JSON API payloads with binary data. JSON is text. To include a binary file (an image, a PDF, a cryptographic key) in a JSON request body, Base64-encode it and include the string in the JSON.

JWT tokens and OAuth. The header and payload of a JWT are Base64URL-encoded (a URL-safe variant of Base64). This makes JWTs readable without special tools — decode the middle section and you can read the claims directly.

Base64 is not encryption. Anyone can decode Base64 without a key. It transforms data into a different representation — it doesn't hide it. Using Base64 to "protect" passwords or sensitive data provides no security.

Base64 vs Base64URL

Standard Base64 uses + and /, which have special meaning in URLs. Base64URL replaces them with - and _, and omits the = padding. The result is safe to embed in URLs, HTTP headers, and filenames without percent-encoding. JWTs use Base64URL for this reason.

Related guides
What is Base64URL? → When to use Base64URL instead of Base64 → How Base64URL appears in JWTs →