What Is Base64 Encoding?

Input bytes split into 6-bit groups, each mapped to one of 64 characters. Three bytes (24 bits) become four Base64 characters. Remainder bytes get padding with one or two `=` signs so decoders restore original length.

Decoding reverses the mapping, reconstructing binary from character sequence. Invalid characters or incorrect padding produce decode errors in strict libraries—use validated test vectors when implementing pipelines.

Data URLs in HTML/CSS: `data:image/png;base64,...` embeds small icons without separate HTTP requests. JSON APIs carry file uploads as Base64 strings when multipart form is unavailable.

Basic authentication headers encode `username:password` (prefer OAuth in production). Email MIME encodes attachments. Some databases store binary columns as Base64 in export dumps—convenience, not compression.

Standard Base64 uses `+` and `/`, which need URL encoding in query parameters. URL-safe variant replaces with `-` and `_`, often omitting padding in JWT and cookie contexts per spec.

Mixing variants breaks decode. Document which alphabet your API expects; convert before placing Base64 in URL paths or query values alongside percent-encoding rules.

Base64 is reversible encoding with public algorithms—do not store secrets 'protected' by Base64 alone. Combine TLS in transit, proper encryption at rest, and secret management for credentials.

Developers sometimes Base64-wrap already-encrypted bytes for transport—that is fine if encryption happened first. Order matters: encrypt then encode for wire format; decode then decrypt on receipt.

33% overhead plus decode CPU makes Base64 poor for large media at scale—prefer binary multipart uploads, object storage signed URLs, or dedicated CDN paths for big assets.

For small inline assets and config snippets, overhead is negligible. gzip then Base64 rarely helps text JSON; binary compression before Base64 can help email size limits on attachments.