You have seen Base64 a hundred times. The little block of gibberish at the top of an email attachment. The huge line inside a data:image URL. The token in a Basic Auth header. Most developers who copy-paste it every week could not, if asked at a coffee, explain what it is or why it's there. This post is that explanation, at a coffee.
What Base64 actually does
Computers store everything as bytes — numbers from 0 to 255. Some of those numbers happen to be printable text characters ("A" is 65, "a" is 97, space is 32). Most of them aren't. When you need to move raw bytes through a channel that was designed for text — an email body, a JSON string, a URL — the non-printable bytes cause trouble. They get stripped, corrupted, or interpreted as control characters.
Base64 is the workaround. It takes any pile of bytes and rewrites it using only 64 safe characters (A–Z, a–z, 0–9, plus + and /). The output is longer — about 33% bigger than the input — but it survives every text-only channel unchanged. It is, in the most literal sense, packing tape for bytes: uglier than the thing inside, but the thing arrives intact.
The math, briefly
Base64 works by grouping the input into blocks of 3 bytes (24 bits), then slicing those 24 bits into four 6-bit chunks. 6 bits gives you 64 possible values — which is exactly the size of the Base64 alphabet, and where the name comes from. Each 6-bit chunk becomes one output character. If the input isn't a multiple of 3 bytes, the encoder pads with = characters at the end. That's why Base64 strings often end in = or ==.
This is entirely reversible. "Decoding" is the same trick backwards. There is no compression, no encryption, no cleverness — just a different alphabet. Anyone who intercepts a Base64 string can decode it in one line of code. It is not a security mechanism, and treating it as one is one of the most common junior-dev mistakes.
When Base64 is the right choice
Embedding a small image directly in HTML or CSS with a data: URL, so the browser doesn't have to make a second request. Sending a binary file inside a JSON API where the surrounding structure is text. Storing a small binary blob (a signature, a certificate, an icon) inside an XML config file. Passing a token in an HTTP header, where the header value must be printable ASCII. All of these are legitimate.
When Base64 is the wrong choice
Large files. The 33% size overhead is negligible on a 2 KB icon and painful on a 20 MB video. Anything above a few hundred KB should be transferred as raw bytes with a proper Content-Type, not as a Base64 string.
Anywhere that thinks it's a password. Base64-ing a password before storing it is worse than useless — it's obfuscation that looks like security, so the reviewer stops thinking. Password hashing is a completely different operation (bcrypt / argon2, salted, slow on purpose).
Inside URL paths without the URL-safe alphabet. Standard Base64 uses + and / which have special meaning in URLs. If you're putting Base64 in a URL, use the URL-safe variant, which swaps them for - and _.
The Basic Auth footnote everyone forgets
HTTP Basic Authentication is the archetypal Base64 mistake in disguise. "Authorization: Basic dXNlcjpwYXNz" looks encrypted. It is not. The base64-decoded content is literally "user:pass". Basic Auth is only safe over HTTPS, because HTTPS is what actually encrypts the header. Sending Basic Auth over plain HTTP is the same as sending the password in plaintext. This trips up an alarming number of production APIs every year.
Doing it in the browser
Every modern browser has built-in Base64 support (btoa / atob), and JavaScript's TextEncoder handles the UTF-8 edge cases correctly. That means a Base64 encoder or decoder is one of those tools that should absolutely run client-side — there is literally no reason to send a file to a server just to relabel its bytes. Bluebird's Base64 encoder and decoder do exactly that, in the tab, without touching a network. If you find yourself pasting a token into a website that requires an account to decode it, close the tab. You are giving them your secret for no reason.
The one-sentence summary
Base64 is a wrapper that lets binary bytes travel through text channels; it is not compression, it is not encryption, and it costs you 33% in size for the privilege. Use it for small binary payloads that need to live inside text; use anything else for anything else.



