The one-sentence version
Base64 takes any binary data — a file, an image, a string — and converts it into a string of 64 printable ASCII characters so it can pass through systems that only handle text.
The input Hello encodes to SGVsbG8=. The input is 5 bytes. The output is 8 characters — roughly 33% larger, but now safe to put in an email header, a JSON field, or a URL (with the right variant).
Example
Hello, World!
SGVsbG8sIFdvcmxkIQ==
How the encoding works
Base64 works in three steps. Understanding them explains why the output is always longer than the input, and why you sometimes see = at the end.
Convert input to binary
Each byte of input becomes 8 bits. "Man" → 01001101 01100001 01101110 — three bytes, 24 bits.
Split into 6-bit groups
24 bits ÷ 6 = 4 groups: 010011 010110 000101 101110. Each 6-bit group represents a number from 0 to 63.
Map each number to a character
010011 = 19 = T, 010110 = 22 = W, 000101 = 5 = F, 101110 = 46 = u. "Man" encodes to "TWFu".
The base64 alphabet
Base64 uses exactly 64 characters — hence the name. Each 6-bit value maps to one of these characters:
| Value range | Characters | Binary range |
|---|---|---|
| 0–25 | A–Z | 000000–011001 |
| 26–51 | a–z | 011010–110011 |
| 52–61 | 0–9 | 110100–111101 |
| 62 | + | 111110 |
| 63 | / | 111111 |
The 65th character = is used only for padding — not part of the data.
Why the = padding at the end?
Base64 processes input in 3-byte blocks (24 bits → 4 characters). If the input isn't a multiple of 3 bytes, the last block is short — so padding fills it out to maintain the 4-character output structure.
Padding is required in standard base64 but optional in some contexts — JSON Web Tokens, for example, omit it entirely.
Standard base64 vs URL-safe base64
Standard base64 uses + and / as the last two characters. Both are special characters in URLs, which causes problems when base64 is used in a query string or path.
Standard base64
SGVs+bG8/IFdvcmxk
Uses + and /. Safe for files, emails, and most data transfer. Breaks in URLs.
URL-safe base64
SGVs-bG8_IFdvcmxk
Replaces + with - and / with _. Used in JWTs, OAuth tokens, and URL parameters.
Base64 is not encryption
Base64 is reversible by anyone — no key, no secret, no brute force needed. If you see a base64 string, you can decode it instantly. It provides zero security.
The confusion comes from the output looking scrambled. SGVsbG8= is not a password hash or cipher — it decodes back to Hello in under a millisecond.
base64(username:password). This is trivially decodable. Without HTTPS, those credentials are exposed in plain text to anyone intercepting the traffic. Base64 is transport formatting, not protection.Where you'll actually encounter base64
Embedding images in HTML or CSS
<img src="data:image/png;base64,iVBORw0KGgo…">Avoids a separate HTTP request for small icons or inline assets.
Sending binary in JSON APIs
{ "file": "JVBERi0xLjQKJ…" }JSON is text-only. Base64 lets you include a PDF, image, or audio clip in a JSON response without a multipart form.
SMTP email attachments
Content-Transfer-Encoding: base64Email was designed for 7-bit ASCII. Base64 is the standard encoding that lets you attach Word documents, images, and PDFs.
HTTP Basic Authentication
Authorization: Basic dXNlcjpwYXNzCredentials are sent as base64(username:password). This is encoding, not encryption — HTTPS is still required for security.
JWT tokens
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9…Each segment of a JWT is URL-safe base64. The header and payload are just base64-decoded JSON — not encrypted.
Storing binary data in databases
INSERT INTO files (data) VALUES ('SGVsbG8…')Some databases or ORMs have trouble with raw binary. Base64 stores it as a safe text string.