Base64 encoding is one of those tools that developers encounter regularly but do not always use correctly. It is commonly misunderstood as providing security (it does not), and commonly over-used for images where it hurts performance. This guide covers exactly what Base64 is for, when it is the right choice, and the important trade-offs involved.
How Base64 Works
Base64 converts binary data — any sequence of bytes — into a string of 64 printable ASCII characters: uppercase and lowercase letters, digits 0–9, plus (+), and slash (/). The padding character = is added to make the output length a multiple of 4.
The encoding works in groups of 3 bytes: each group of 3 bytes (24 bits) is split into 4 groups of 6 bits, and each 6-bit value maps to one of the 64 characters. This is why Base64 output is always exactly 4/3 the size of the input — approximately 33% larger.
// JavaScript
btoa('Hello') // → 'SGVsbG8='
atob('SGVsbG8=') // → 'Hello'
// For binary data (Node.js)
Buffer.from(binaryData).toString('base64')
Buffer.from(base64String, 'base64')
When to Use Base64 — Good Use Cases
- Embedding small images in CSS or HTML (data URIs):
background-image: url('data:image/svg+xml;base64,...')— eliminates an HTTP request for tiny assets. Only worthwhile for images under 2–4KB. - Email attachments (MIME): Email protocols are text-based. Attachments are Base64 encoded so binary files can be safely transmitted through text-only email infrastructure.
- Storing binary data in JSON or XML: JSON cannot represent raw binary. Base64 lets you embed images, PDFs, or certificates in JSON API responses.
- HTTP Basic Authentication: Credentials are sent as
Authorization: Basic {base64(username:password)}— a standard protocol requirement, not a security feature. - JWT tokens: The header and payload sections of JWTs are Base64URL encoded (a URL-safe variant) to be safely transmitted in HTTP headers and URLs.
- Encoding certificates and keys: TLS/SSL certificates are distributed in PEM format — Base64 encoded DER certificates wrapped in
-----BEGIN CERTIFICATE-----delimiters. - Inline SVG icons in CSS: Small SVG files can be Base64 encoded and used as CSS background images to reduce HTTP requests.
When NOT to Use Base64 — Bad Use Cases
- Large images (over 4KB): The 33% size penalty and inability for browsers to cache Base64-embedded images independently make this a net performance loss.
- As security: Base64 is instantly decodable without any key. Never rely on Base64 to protect sensitive data. Use encryption.
- Password storage: Base64-encoded passwords are trivially recoverable. Use bcrypt, Argon2, or scrypt for password hashing.
- Compressing data: Base64 makes data larger, not smaller. If you need compression, use gzip, Brotli, or deflate — then optionally Base64 the compressed bytes if needed for transport.
Base64 vs Base64URL
| Standard Base64 | Base64URL | |
|---|---|---|
| Character 62 | + | - |
| Character 63 | / | _ |
| URL safe | No (+ and / need encoding) | Yes |
| Used in | Email, MIME, certificates | JWTs, OAuth, URL params |
Size Overhead Reference
| Original size | Base64 size | Overhead |
|---|---|---|
| 1 KB | ~1.37 KB | +33% |
| 10 KB | ~13.7 KB | +33% |
| 100 KB | ~137 KB | +33% |
| 1 MB | ~1.37 MB | +33% |