What Is Base64 Encoding and Why Does It Exist?

Updated on January 5, 2026

Let me tell you a weird little story about the internet's plumbing.

Somewhere right now, your browser is downloading an image embedded inside a CSS file. A mobile app is sending a photo to a server. An email client is attaching a PDF. And in all three of these situations, something quietly strange is happening underneath — binary data is being dressed up in a costume made of letters and numbers so it can travel safely through systems that weren't designed to handle raw bytes.

That costume? It's called Base64 encoding.

Okay, But What Even Is "Binary Data"?

Everything on your computer — images, videos, audio files, PDF documents — is stored as a sequence of bytes. A byte is just eight 1s and 0s. So a small icon might be tens of thousands of these bytes all strung together.

The thing is, bytes can represent values from 0 to 255. Many of those values have perfectly normal meanings in text — like 65 means "A" and 98 means "b". But plenty of others represent control characters: invisible instructions that tell terminals to do things like "ring a bell," "clear the screen," or "end the transmission."

Here's where the trouble starts. Protocols like email (SMTP) and older HTTP systems were originally designed to carry plain text — specifically ASCII text. When raw binary data (full of those control characters and unpredictable byte sequences) gets shoved through a text-only pipe, stuff breaks. Characters get mangled. Transmission ends prematurely. Files arrive corrupted.

It's like trying to mail a glass sculpture using a letterbox slot. The slot only handles flat envelopes. You need to describe the sculpture using words and pictures on paper — so it can travel safely through the same slot — and then the person on the other end reassembles the original object.

Base64 is that description-on-paper.

The "64" Part Actually Means Something

Here's the clever bit. Instead of using all 256 possible byte values, Base64 only uses 64 specific characters: the 26 uppercase letters (A–Z), the 26 lowercase letters (a–z), the digits 0–9, and two extras — usually + and /. A padding character = sometimes shows up at the end too.

Why 64? Because 64 characters can be represented by exactly 6 bits (2⁶ = 64). And here's the math trick: instead of encoding one byte (8 bits) at a time, Base64 takes three bytes (24 bits total) and splits them into four groups of 6 bits each. Each group maps to one of those 64 safe characters.

So three bytes become four printable ASCII characters. That's the whole mechanism. Nothing magic — just regrouping bits and looking up characters in a table.

The trade-off is size. You take 3 bytes and turn them into 4 characters, which means the encoded output is about 33% larger than the original. Annoying, but usually worth it when the alternative is corrupted data.

A Tiny Example (Promise It Won't Hurt)

Take the word Man. Three characters, three bytes:

  • M = 77 = 01001101
  • a = 97 = 01100001
  • n = 110 = 01101110

Stack those 24 bits together: 010011010110000101101110

Split into 6-bit chunks: 010011 010110 000101 101110

That gives us values 19, 22, 5, 46. Look those up in the Base64 alphabet table and you get: T, W, F, u.

So Man in Base64 is TWFu. You can verify this right now in your browser console: btoa("Man"). Go ahead, try it.

Where You Run Into Base64 Every Single Day

You interact with Base64 constantly, you just don't usually see it. Here are the places it's quietly doing its job:

Email Attachments

This is where Base64 was born, essentially. The MIME standard (which defines how emails carry attachments) uses Base64 to encode images, PDFs, and other files. When Gmail shows you an attached photo, it's already decoded it from Base64 behind the scenes. Your uncle's JPEG cat photo traveled through email infrastructure as a wall of alphanumeric text and arrived as pixels.

Images Embedded in Web Pages

Open any website, right-click an image, and inspect the source. Sometimes instead of a URL pointing to a file, you'll see something like:

src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAA..."

That's a Base64-encoded image baked directly into the HTML or CSS. Small icons and logos are sometimes embedded this way to eliminate an extra HTTP request. The browser decodes it on the fly and renders the image normally.

JSON Web Tokens (JWTs)

If you've ever logged into a modern web app, there's a good chance your session is tracked with a JWT. These tokens have three parts separated by dots, and each part is Base64-encoded (technically a variant called Base64url). You can paste a JWT into jwt.io and instantly see the decoded contents — it's not encryption, just encoding. Important difference, which we'll get to.

Basic HTTP Authentication

When a website pops up a browser login dialog (the old-school kind, not a custom form), your username and password get joined with a colon and then Base64-encoded before being sent in the request header. Again — not encrypted, just encoded. Which is why Basic Auth over plain HTTP is considered insecure.

Storing Small Files in Databases

Sometimes developers store images or small binary files directly in a database as text. Base64 lets you drop a binary blob into a text column without worrying about encoding issues or null bytes confusing string handling.

API Responses and Webhooks

Many APIs return binary content — QR codes, generated PDFs, audio snippets — as Base64-encoded strings inside a JSON response. It's just easier than setting up a separate file-serving endpoint for a one-off binary result.

The One Thing People Get Wrong: Encoding vs. Encryption

This trips up a lot of beginners (and honestly, some people who should know better).

Base64 is not encryption. It's not even a little bit secure. It's completely reversible by anyone with access to the data and a Base64 decoder — which is every computer on the planet. There's no key, no secret, no protection.

Encoding is about format — making data safe to transmit through a particular channel. Encryption is about confidentiality — making data unreadable without a secret key.

Think of encoding like translating English into Morse code. Anyone who knows Morse code can read your message instantly. Encryption is more like locking the message in a safe — even if someone intercepts the safe, they can't open it without the combination.

Never use Base64 to "protect" sensitive data. It provides zero security.

Quick Note: Base64 Variants Exist

You might see slightly different flavors depending on context:

  • Standard Base64 uses + and / as the last two characters.
  • Base64url replaces + with - and / with _, making the output safe to use in URLs without percent-encoding. JWTs use this variant.
  • MIME Base64 inserts line breaks every 76 characters for email formatting compliance.

They're all doing the same underlying encoding — just tweaking which characters fill the last couple slots.

How to Encode and Decode It Yourself

You don't need to install anything:

In a browser console:

btoa("hello world")   // encode → "aGVsbG8gd29ybGQ="
atob("aGVsbG8gd29ybGQ=")  // decode → "hello world"

In a terminal (macOS/Linux):

echo -n "hello world" | base64          # encode
echo "aGVsbG8gd29ybGQ=" | base64 -d    # decode

In Python:

import base64
base64.b64encode(b"hello world")   # b'aGVsbG8gd29ybGQ='
base64.b64decode("aGVsbG8gd29ybGQ=")  # b'hello world'

The Bigger Picture

Base64 exists because the internet is built in layers, and not all layers were designed with the same assumptions. Text protocols assumed text. Binary data has always had to find creative ways to squeeze through those assumptions.

Modern systems have gotten better at handling raw bytes — HTTP/2, for instance, is a binary protocol from the ground up. But Base64 isn't going anywhere because so much infrastructure was built around text, and compatibility matters enormously on the internet.

Next time you see a wall of seemingly random letters and numbers ending in = or ==, you'll know exactly what you're looking at: binary data wearing its ASCII costume, waiting patiently to be decoded on the other side.

It's not magic. It's just a very practical trick that's been quietly making the web work since before most of us were online.