Base64 Encoding and Decoding: Developer Guide

Base64 takes every 3 bytes (24 bits) of input and splits them into 4 groups of 6 bits. Each 6-bit group maps to one of 64 characters: A-Z (0-25), a-z (26-51), 0-9 (52-61), + (62), and / (63). If the input length is not a multiple of 3, padding characters (=) are appended to fill the final group.

This encoding expands data by approximately 33% — 3 bytes become 4 characters. The trade-off is worthwhile when the transport layer only supports text (HTTP headers, JSON values, XML content, email bodies) and cannot handle raw binary data safely.

Data URIs embed small files directly in HTML or CSS: an image becomes src='data:image/png;base64,...' which eliminates an HTTP request at the cost of a larger HTML document. This is useful for icons under 2-3 KB where the encoding overhead is smaller than the round-trip latency of a separate request.

API payloads frequently use Base64 to embed binary content (images, documents, certificates) inside JSON request or response bodies. JWT tokens encode their header and payload sections as Base64url (a URL-safe variant that replaces + with - and / with _).

Email attachments are Base64-encoded per the MIME standard because SMTP only supports 7-bit ASCII text. Every email attachment you have ever sent was Base64-encoded behind the scenes.

Standard Base64 uses + and / which are special characters in URLs and filenames. Base64url replaces them with - and _ respectively, and omits padding (=). Always use Base64url for URL parameters, filenames, and JWT tokens.

Use the Base64 Encoder to encode and decode both standard and URL-safe variants. Paste any text or upload a file to see the encoded output instantly.

Do not use Base64 for encryption or security — it is an encoding, not a cipher. Anyone can decode Base64 without a key. For actual encryption, use AES.

Avoid Base64-encoding large files for data URIs. Images over 5 KB are better served as separate files because the 33% size increase outweighs the saved HTTP request. The encoding also prevents browser caching of the embedded resource.

When decoding, ensure you use the matching variant. Decoding a Base64url string with a standard decoder (or vice versa) produces garbled output because + / - _ map to different values.