Base64 Encoding Explained Simply (With Real Examples)
Base64 is one of those terms that shows up constantly in development — in data URIs, API tokens, email attachments and config files — yet rarely gets explained clearly. Here's a plain-language tour of what it is and why it matters.
The problem Base64 solves
Computers store everything — images, files, text — as binary data: raw bytes. But many systems were built to handle only plain text, and specifically a limited set of safe characters. Email, URLs and JSON can all choke on raw binary bytes. So we needed a way to represent any binary data using only safe, printable text characters. That's exactly what Base64 does.
How it works, briefly
Base64 takes binary data three bytes at a time and re-slices those 24 bits into four groups of 6 bits. Each 6-bit group maps to one of 64 safe characters: A–Z, a–z, 0–9, plus + and /. When the data doesn't divide evenly, one or two = characters are added as padding. The result is text that can travel safely through any text-only channel.
One trade-off: the encoded version is about 33% larger than the original, because you're using four characters to represent every three bytes.
A quick example
The word Hello becomes SGVsbG8= in Base64. Decode it and you get Hello back, exactly. It's completely reversible — which is the key to understanding its biggest misconception.
The most important point: Base64 is not encryption
Because Base64 looks like scrambled gibberish, people sometimes assume it hides information. It does not. There's no key and no secret — anyone can decode a Base64 string in seconds. Never use it to "protect" passwords, tokens or personal data. For genuine confidentiality you need real encryption, such as AES. Think of Base64 as a way to transport data safely, not to secure it.
Where you'll actually see it
- Data URIs: small images embedded directly in HTML or CSS as
data:image/png;base64,.... - Email attachments: the MIME standard uses Base64 to send files through a text-based system.
- HTTP Basic Auth: credentials are Base64-encoded in the
Authorizationheader (which is exactly why that header must always be sent over HTTPS). - JWTs: JSON Web Tokens are made of Base64-encoded segments.
- APIs: binary payloads are often Base64-encoded to fit inside JSON.
Try it yourself
The best way to understand Base64 is to watch it work. Type some text into our free Base64 encoder and decoder, encode it, then decode it back — all in your browser, with full Unicode support so even emoji round-trip correctly.