What Is Base64?
Base64 is a binary-to-text encoding scheme that represents binary data as ASCII characters. It converts every 3 bytes of input into 4 printable characters from a 64-character alphabet:
AβZ (26)
aβz (26)
0β9 (10)
+ (1)
/ (1)
= (padding)
The result is about 33% larger than the original but is guaranteed to be safe to transmit through any system that handles text.
How Encoding Works
Base64 processes input 3 bytes at a time, converting each group into 4 characters:
Input: M a n
Binary: 01001101 01100001 01101110
Groups: 010011 010110 000101 101110
Decimal: 19 22 5 46
Output: T W F u
If the input length isn't a multiple of 3, = padding is added:
- 1 leftover byte β 2 Base64 chars +
== - 2 leftover bytes β 3 Base64 chars +
=
Base64 vs Base64URL
Standard Base64 uses + and /, which have special meaning in URLs. Base64URL replaces them:
| Standard Base64 | Base64URL |
|---|---|
+ | - |
/ | _ |
= (padding) | omitted |
Base64URL is used in JWTs, URL-safe identifiers, and any context where the encoded string appears in a URL or HTTP header.
// Standard Base64
btoa("hello+world") // "aGVsbG8rd29ybGQ="
// Base64URL (manual conversion)
btoa("hello+world")
.replace(/\+/g, "-")
.replace(/\//g, "_")
.replace(/=+$/, "")
When to Use Base64
β Good use cases
Embedding binary in text protocols:
<!-- Inline image in HTML/CSS -->
<img src="data:image/png;base64,iVBORw0KGgo...">
Storing binary data in JSON:
{
"avatar": "data:image/jpeg;base64,/9j/4AAQSkZJRgAB..."
}
HTTP Basic Authentication:
Authorization: Basic dXNlcjpwYXNzd29yZA==
(This is user:password Base64-encoded β note: not encrypted, just encoded)
Email attachments (MIME): Email was originally ASCII-only. Base64 encodes binary attachments so they survive SMTP transport.
Environment variables with special characters:
export DB_CONFIG=$(echo '{"host":"db","pass":"p@$$!"}' | base64)
β Wrong use cases
"Securing" data: Base64 is trivially reversible β it's not encryption or obfuscation. Never use it to hide passwords or sensitive data.
Optimizing storage: The 33% overhead makes Base64 a bad fit for large binary blobs in databases. Use a blob/bytea column instead.
Hiding credentials in code: Base64-encoded credentials in source code are just as exposed as plaintext.
Base64 in Different Languages
JavaScript (browser and Node.js)
// Browser
const encoded = btoa("Hello, World!"); // "SGVsbG8sIFdvcmxkIQ=="
const decoded = atob("SGVsbG8sIFdvcmxkIQ=="); // "Hello, World!"
// Node.js (Buffer)
const encoded = Buffer.from("Hello, World!").toString("base64");
const decoded = Buffer.from(encoded, "base64").toString("utf8");
// Binary data
const imageBuffer = fs.readFileSync("image.png");
const dataUrl = `data:image/png;base64,${imageBuffer.toString("base64")}`;
Python
import base64
encoded = base64.b64encode(b"Hello, World!") # b'SGVsbG8sIFdvcmxkIQ=='
decoded = base64.b64decode("SGVsbG8sIFdvcmxkIQ==") # b'Hello, World!'
# URL-safe variant
url_safe = base64.urlsafe_b64encode(b"Hello, World!")
decoded = base64.urlsafe_b64decode(url_safe)
Go
import "encoding/base64"
encoded := base64.StdEncoding.EncodeToString([]byte("Hello, World!"))
decoded, _ := base64.StdEncoding.DecodeString(encoded)
// URL-safe
encodedURL := base64.URLEncoding.EncodeToString(data)
Detecting Base64 in the Wild
A quick heuristic: if a string contains only [A-Za-z0-9+/=] (or [A-Za-z0-9_\-] for URL-safe), has length divisible by 4 (after padding), and decodes to valid UTF-8 or valid binary β it's probably Base64.
The regex pattern:
^[A-Za-z0-9+/]*={0,2}$
Data URIs
Data URIs let you embed binary files directly in HTML/CSS without a separate HTTP request:
.icon {
background-image: url("data:image/svg+xml;base64,PHN2Zy...");
}
This trades network requests for larger HTML/CSS size. Good for small, critical assets (logos, small icons); bad for anything over a few kilobytes since it can't be cached separately.
Try It: ToolNinja Base64 Encoder
Encode or decode any text or file instantly with the ToolNinja Base64 Encoder. Supports both standard and URL-safe variants, handles binary file uploads, and runs entirely in your browser.