I remember the first time I encountered Base64. I was looking at an HTML email template, and the company logo was embedded as a massive string of letters and numbers starting with data:image/png;base64,. My first reaction was: why not just link to the image file?
Turns out, there's a good reason. And once you understand it, you'll start noticing Base64 everywhere — in JWTs, API payloads, email attachments, even CSS.
What Base64 Actually Does
Base64 is not encryption. It's not compression. It's a way to represent binary data (like images, files, or any random bytes) using only 64 "safe" ASCII characters: A-Z, a-z, 0-9, +, and /.
The reason this matters is that many protocols and systems were designed to handle only text. Email (SMTP) is the classic example — it was built in the 1970s for 7-bit ASCII text. If you tried to send a JPEG through raw SMTP, the binary bytes would get mangled by mail servers that only understand printable characters.
Base64 solves this by converting binary data into text that any system can safely transport. The trade-off? The encoded data is about 33% larger than the original.
When to Use It
Embedding small images in HTML/CSS: For icons under ~2KB, inlining as Base64 saves an HTTP request. For larger images, a separate file with proper caching is better.
Sending binary data in JSON: JSON doesn't support binary. If you need to include a file in an API request, Base64 encoding it is the standard approach.
Data URIs: You'll see data: URLs in HTML and CSS that use Base64 to embed content directly.
Basic Authentication: The Authorization: Basic header uses Base64 to encode username:password. And no, this is not secure by itself — it's just encoding, not encryption. Always use it over HTTPS.
When NOT to Use It
Large files: The 33% size increase adds up fast. A 10MB video becomes ~13.3MB when Base64-encoded. Use proper file upload mechanisms instead.
"Hiding" data: Base64 is trivially reversible. Anyone can decode it. If you need to protect data, use actual encryption (AES, RSA, etc.).
Storing in databases: If you're storing file content in a database, use a BLOB column for binary data. Base64 in a TEXT column wastes 33% more storage.
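The Basic Authentication and "hiding data" points above, as an added example that is not part of the original article: this Python sketch recovers the credentials from an Authorization: Basic value without any key, and computes the padded Base64 length behind the 33% figure. The function names and the alice credentials are constructed for illustration.

```python
import base64
import binascii


def build_basic_header(username: str, password: str) -> str:
    """Build the value a client sends: "Basic " + base64("user:pass")."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def decode_basic_header(value: str) -> tuple[str, str]:
    """Recover (username, password) from a Basic header value; no key needed."""
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        raise ValueError("not a Basic authorization header")
    try:
        # validate=True rejects characters outside the Base64 alphabet
        text = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("token is not valid Base64-encoded text") from exc
    # Split on the first ':' only: the password may itself contain colons
    username, sep, password = text.partition(":")
    if not sep:
        raise ValueError("decoded token has no ':' separator")
    return username, password


def encoded_length(n_bytes: int) -> int:
    """Padded Base64 length for n_bytes of input: 4 * ceil(n_bytes / 3)."""
    return 4 * ((n_bytes + 2) // 3)


if __name__ == "__main__":
    # Constructed sample credentials, not real ones
    header = build_basic_header("alice", "s3cr3t:with:colons")
    print(header)
    print(decode_basic_header(header))
    # 10 MB of binary becomes about 13.3 MB of Base64 text
    print(encoded_length(10_000_000))
```

Anything that can read the header (a proxy log, a packet capture on plain HTTP) can run the same decode, which is why the header only belongs on an HTTPS connection.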
Quick Cheat Sheet
| Scenario | Use Base64? |
|---|---|
| Small image in email template | Yes |
| File upload to cloud storage | No, use multipart |
| API payload containing a PDF | Yes, or use multipart |
| Encrypting passwords | No, that's not what Base64 does |
| JWT token payload | It's used internally, you don't choose |
The Bottom Line
Base64 is a tool for encoding, not security. Use it when you need to shove binary data through a text-only channel. Don't use it as a substitute for encryption, and be mindful of the size overhead for large files.