July 13, 2026
Base64 Encoding Explained: What It Actually Does and When to Use It
Base64 is one of those things developers use constantly without necessarily knowing what it's actually doing under the hood — and that gap causes real confusion, like assuming it's a form of encryption (it isn't) or being surprised the encoded output is always longer than the input (it's supposed to be).
What Base64 actually is
Base64 is a way to represent binary data using only 64 printable ASCII characters (A-Z, a-z, 0-9, +, /). It exists because a lot of older systems — email protocols, some text-based APIs, URLs — were only designed to safely handle plain text, not arbitrary binary bytes. Base64 repackages binary data into pure text so it can travel through those systems intact.
It is not encryption
This is the single most common misunderstanding. Base64 is an encoding, not a cipher — there's no secret key, and anyone can decode it back to the original data instantly, with zero special knowledge required. If you see a password or token "protected" by Base64 alone, it is not protected at all; it just looks unreadable at a glance.
Why the output is always ~33% longer
Base64 encodes every 3 bytes of input as 4 characters of output. That fixed ratio is why encoded text is reliably about a third larger than the original — it's not a bug or inefficiency, it's just the mechanical cost of using only 64 safe characters instead of the full 256 possible byte values.
Where you'll actually run into it
- Data URLs — embedding a small image directly inside CSS or HTML as text (data:image/png;base64,...)
- JWT tokens — the header and payload segments of a JWT are Base64URL-encoded JSON
- Email attachments — MIME encodes binary attachments as Base64 to travel safely through text-based email protocols
- Basic Auth headers — HTTP's Authorization: Basic header Base64-encodes a username:password pair (again: encoding, not protection — always pair with HTTPS)
Want to try this yourself?
Open Base64 Encoder / Decoder →