What is Base64 encoding?

Last updated April 28, 2026
Short answer
Base64 is a way to take raw binary data (an image, a PDF, a private key) and rewrite it using just 64 ordinary text characters: A-Z, a-z, 0-9, plus "+" and "/". It does not encrypt or compress anything; it just makes the data safe to paste into places that only accept text.

Why we need it

Many old systems were designed to handle text only. Email is the classic example: when the SMTP protocol was invented in the 1980s, it expected 7-bit ASCII. Bytes like 0x80-0xFF would be silently corrupted by some servers along the way. So when you attach a photo to an email, your mail client encodes the photo as Base64 text, which survives the journey intact.

The same problem reappears constantly: JSON cannot directly hold binary data, URLs cannot contain arbitrary bytes, JWT tokens have to fit in an HTTP header, and so on. Base64 is the duct tape that holds the internet together.

How it works

The trick is simple. Binary data is made of bytes (8 bits each). Base64 regroups those bits into chunks of 6, which can each represent 64 different values - exactly the size of the Base64 alphabet. Three bytes (24 bits) become four Base64 characters (24 bits).

That math is why Base64 makes data bigger. A 100 KB image turns into roughly 133 KB of Base64 text. The exact overhead is 33% plus a small amount for padding.

The padding is the trailing = sign you sometimes see. If the input is not a multiple of 3 bytes, Base64 pads with = to keep the output length a multiple of 4. Some applications skip the padding entirely; that is also valid Base64 as long as the decoder agrees.

Variants

VariantAlphabetWhere you see it
StandardA-Z, a-z, 0-9, +, /Email attachments (MIME), most APIs, certificates.
URL-safeA-Z, a-z, 0-9, -, _JWT, URL parameters, file names. Replaces the two characters that would otherwise need URL-encoding.
Base32, Base58, Base85Different alphabetsLess common. Base58 is used by Bitcoin addresses; Base85 by older PostScript.

What Base64 is not

  • Not encryption. Anyone can decode Base64 back to the original bytes in milliseconds. If you see a "password" stored as Base64, it is a plaintext password.
  • Not compression. It makes data bigger, not smaller.
  • Not a checksum. It carries no integrity check. Flip a single bit and you get different, perfectly valid Base64 that decodes to garbage.

Common places you bump into Base64

  • JWT tokens. The three dot-separated chunks (header.payload.signature) are Base64-URL-encoded.
  • Data URIs. The data:image/png;base64,iVBORw0... strings you see in HTML and CSS.
  • Email attachments. Open any email with attachments and look at "View Source" - the file is in there as one long Base64 string.
  • PEM files. SSH keys, X.509 certificates, and TLS keys are Base64-encoded between -----BEGIN ...----- and -----END ...-----.
  • Basic HTTP authentication. Username:password gets Base64-encoded into the Authorization: Basic ... header.
TextLab: Format, Edit & Convert app icon

TextLab: Format, Edit & Convert

Encode and decode Base64, URL, hex, and more on iPhone, iPad, and Mac. Plus JSON, Markdown, regex, and AI text actions. · iPhone, iPad & Mac

Open product page Download on the App Store

Related entries

What is a JWT token?

The signed, Base64-URL-encoded string your auth provider hands out.

Regex cheat sheet

The 20 patterns you actually use, with examples.

TextLab help & FAQ

Setup, workflows, AI actions, and Mac Services integration.