Blog

What Is Base64? History, How It Works & Uses

Learn what Base64 encoding is, where it came from, how the 3-byte-to-4-character process works, and when to use it.

Base64 in one sentence

Base64 is a binary-to-text encoding: it turns any sequence of bytes into a string built from a small, widely safe alphabet. It does not understand whether those bytes describe a photo, a PDF, or the word “hello”; it simply gives them a text-shaped travelling case.

That makes Base64 useful whenever binary data must pass through a system designed around text. The transformation is reversible and lossless, but it is not encryption, hashing, or compression.

Where Base64 came from

Early network and email systems were not reliably “8-bit clean”. Arbitrary byte values could be altered by gateways that expected short lines of printable 7-bit text. Earlier binary-to-text schemes such as uuencode addressed the same transport problem; the direct lineage of modern Base64 includes the 64-character printable encoding specified for Privacy-Enhanced Mail in RFC 1421.

MIME later named Base64 as a Content-Transfer-Encoding for email bodies and attachments. RFC 4648, published in 2006, is today’s general reference for the standard and URL-safe alphabets. So Base64 grew through interoperable standards rather than arriving as one person’s isolated invention.

Why 64 characters—and how the 3-to-4 rule works

Six bits can represent exactly 64 values, from 0 to 63. Standard Base64 maps those values to A–Z, a–z, 0–9, +, and /. The encoder reads three input bytes at a time: 3 × 8 bits gives 24 bits. It redraws the boundaries as four groups of 6 bits, uses each group as an index into the alphabet, and emits four characters.

For example, the three ASCII/UTF-8 bytes for “Man” form four indexes: 19, 22, 5, and 46. Those positions map to T, W, F, and u, so the result is TWFu. Decoding walks the same path backward.

The word “Man” shows one complete 24-bit block—no padding required.
Input
Man
Input bytes
01001101 01100001 01101110
6-bit groups
010011 010110 000101 101110
Alphabet indexes
19 · 22 · 5 · 46
Base64 output
TWFu

Padding, Unicode, and Base64url

If the final block contains only one input byte, the encoder produces two data characters followed by ==. Two input bytes produce three data characters followed by =. These padding marks are not encrypted data; they tell a decoder how much of the last 24-bit block was real. Some protocols omit padding when the byte length is otherwise known.

Base64 operates on bytes, not abstract characters. Text such as 中文 or emoji must first become bytes—normally UTF-8—and those bytes are then encoded. For URLs and filenames, base64url replaces + and / with - and _. Treat it as a related alphabet, not as permission to swap variants silently.

Where Base64 is genuinely useful

Classic uses include MIME email attachments, PEM certificate or key blocks, and data: URLs that embed small images or fonts in HTML and CSS. Text-only formats such as JSON or XML sometimes carry small binary payloads as Base64 strings. HTTP Basic credentials use Base64, and JWT segments use the URL-safe variant; neither use turns the content into a secret.

The common thread is compatibility: the surrounding channel wants text, while the payload is bytes. If a protocol already transports binary safely—an image upload, object storage, or a database BLOB—adding Base64 may solve no problem.

The size and performance cost

Every complete three-byte block becomes four output characters. The exact encoded length is 4 × ceil(n / 3), so the overhead approaches 33.3% for large inputs and can be higher for tiny ones. Line wrapping or a data-URL prefix adds a little more.

Compression at another layer may reduce the amount sent over the wire, but encoding still consumes memory and CPU and makes large values awkward to inspect. For substantial files, direct binary transfer is usually the cleaner design.

What Base64 does not do

Base64 offers no confidentiality or authenticity: anyone can decode it without a key, and an attacker can alter it. Do not use it to “protect” passwords, API tokens, or personal data. Use encryption and authenticated transport such as TLS when secrecy matters, a cryptographic hash when you need a digest, and a digital signature or MAC when you need tamper detection.

A good rule of thumb is cheerful and strict: use Base64 to cross a text boundary, not a security boundary.

Technical sources