
Base64 Encoding Explained Simply (With Real Examples)

February 16, 2026

Base64 is one of those terms that shows up constantly in development — in data URIs, API tokens, email attachments and config files — yet rarely gets explained clearly. Here's a plain-language tour of what it is and why it matters.

The problem Base64 solves

Computers store everything — images, files, text — as binary data: raw bytes. But many systems were built to handle only plain text, and specifically a limited set of safe characters. Email, URLs and JSON can all choke on raw binary bytes. So we needed a way to represent any binary data using only safe, printable text characters. That's exactly what Base64 does.

How it works, briefly

Base64 takes binary data three bytes at a time and re-slices those 24 bits into four groups of 6 bits. Each 6-bit group maps to one of 64 safe characters: A–Z, a–z, 0–9, plus + and /. When the data doesn't divide evenly, one or two = characters are added as padding. The result is text that can travel safely through any text-only channel.

One trade-off: the encoded version is about 33% larger than the original, because you're using four characters to represent every three bytes.

A quick example

The word Hello becomes SGVsbG8= in Base64. Decode it and you get Hello back, exactly. It's completely reversible — which is the key to understanding its biggest misconception.

The most important point: Base64 is not encryption

Because Base64 looks like scrambled gibberish, people sometimes assume it hides information. It does not. There's no key and no secret — anyone can decode a Base64 string in seconds. Never use it to "protect" passwords, tokens or personal data. For genuine confidentiality you need real encryption, such as AES. Think of Base64 as a way to transport data safely, not to secure it.

Where you'll actually see it

  • Data URIs: small images embedded directly in HTML or CSS as data:image/png;base64,....
  • Email attachments: the MIME standard uses Base64 to send files through a text-based system.
  • HTTP Basic Auth: credentials are Base64-encoded in the Authorization header (which is exactly why that header must always be sent over HTTPS).
  • JWTs: JSON Web Tokens are made of Base64-encoded segments.
  • APIs: binary payloads are often Base64-encoded to fit inside JSON.
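
To make the "not encryption" point concrete for the HTTP Basic Auth and JWT cases above, here is an added example (not code from this article) that recovers credentials and token claims using nothing but a decoder. SAMPLE_AUTH and the token built by sample_jwt() are constructed values and the function names are hypothetical; JWT segments use the URL-safe Base64 alphabet with the = padding stripped, which the helper restores.

```python
import base64
import json

# Constructed sample value for illustration; not a real credential.
SAMPLE_AUTH = "Basic YWxpY2U6czNjcmV0"


def b64url_decode(segment: str) -> bytes:
    """Decode the URL-safe alphabet used by JWTs, restoring stripped '=' padding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def sample_jwt() -> str:
    """Build a constructed token; the third segment is a placeholder, not a real signature."""
    header = json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":"))
    claims = json.dumps({"sub": "alice", "role": "admin"}, separators=(",", ":"))
    return ".".join([b64url_encode(header.encode()), b64url_encode(claims.encode()), "c2ln"])


def read_basic_auth(header_value: str) -> tuple[str, str]:
    """Recover (user, password) from an Authorization header value. No key involved."""
    scheme, _, blob = header_value.partition(" ")
    if scheme.lower() != "basic":
        raise ValueError("not a Basic credential")
    decoded = base64.b64decode(blob, validate=True).decode("utf-8")
    user, sep, password = decoded.partition(":")  # split once: passwords may contain ':'
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


def read_jwt_unverified(token: str) -> tuple[dict, dict]:
    """Return (header, claims) without checking the signature.

    Reading takes no key; trusting the claims requires verifying the signature.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


if __name__ == "__main__":
    print(read_basic_auth(SAMPLE_AUTH))
    print(read_jwt_unverified(sample_jwt()))
```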

Try it yourself

The best way to understand Base64 is to watch it work. Type some text into our free Base64 encoder and decoder, encode it, then decode it back — all in your browser, with full Unicode support so even emoji round-trip correctly.