Base64 Encoding

What it actually does

Base64 takes any sequence of bytes and rewrites them using only 64 safe characters: A–Z, a–z, 0–9, +, and /. The output is plain 7-bit ASCII, which means it can travel through anything that historically choked on raw binary — email bodies, JSON strings, URLs, XML attributes, source code, copy-paste from a chat window. If the input length is not a multiple of three bytes, one or two = characters are added at the end as padding.

The math: three bytes in, four characters out

Three bytes is 24 bits. The encoder slices that 24-bit chunk into four groups of 6 bits, and each 6-bit value (0–63) maps to one character in the Base64 alphabet. So 3 bytes → 4 characters, always. That is where the size cost comes from: Base64 output is roughly 133% the size of the input — about a third bigger, plus a couple of padding characters and any line breaks.

Why it exists at all

Most early internet protocols were 7-bit-clean: they assumed each byte was an ASCII character and would mangle anything with the high bit set, strip control codes, or wrap lines at 80 columns. Sending a binary attachment through SMTP was impossible without a text-safe encoding. RFC 2045 defined Base64 in the MIME spec in 1996 to solve that, and the encoding has stuck around because every textual transport since has inherited the same constraint.

Where you actually see it

• Data URIs — data:image/png;base64,iVBORw0K... inline in CSS or HTML so a small image ships with the page instead of triggering a separate request.
• JSON payloads — JSON has no binary type, so any blob (a file, a public key, a thumbnail) gets serialised as a Base64 string.
• HTTP Basic Auth — Authorization: Basic dXNlcjpwYXNz is just user:pass Base64-encoded. Note: this is not security; it is trivially reversible.
• JWT tokens — header and payload are url-safe Base64 of JSON.
• PEM-formatted keys and certificates — the body between the BEGIN and END lines is Base64 of the underlying DER bytes.

URL-safe Base64

The standard alphabet uses + and /, which have meaning in URLs and filenames. The url-safe variant (RFC 4648 §5) swaps those for - and _, and often drops the padding = as well. JWTs, OAuth tokens, and most modern web APIs use this variant.

It is not encryption

Worth saying loudly because people get this wrong all the time. Base64 has no key. Anyone who can read the encoded string can decode it back to the original bytes in a single step. If you Base64-encode a password before storing it, you have stored the password. Use it for transport and embedding, never as a security layer.

Toolkiya has a browser-only Base64 encoder/decoder and a dedicated image-to-Base64 converter for data URIs. Everything runs locally — your files are never uploaded.