← All Articles · · 7 min read

Base64 Encoding: Complete Developer Guide

Everything developers need to know about Base64 encoding and decoding — how it works, when to use it, common pitfalls, and practical code examples in JavaScript, Python, and Go.

base64encodingjavascriptpythonweb-developmentsecurity

Base64 encoding is one of those concepts you encounter constantly as a developer but rarely see explained properly. You see it in JWTs, email attachments, data URIs, and API payloads. You know it makes binary data look like readable text. But do you know why it exists, when to use it, and — critically — when not to?

This guide covers everything you actually need to know about Base64 encoding.

Why Base64 Exists

Base64 exists because of a fundamental compatibility problem: many systems that transmit or store data were designed to handle text, not arbitrary binary data.

Email protocols (SMTP) were designed for ASCII text. HTTP headers must be ASCII. JSON only supports Unicode text strings, not raw binary. URLs have reserved characters that have special meaning.

When you need to transmit binary data (an image, a PDF, a cryptographic key) through a text-only channel, you need to encode it. Base64 is the standard solution: it converts arbitrary binary into a set of 64 printable ASCII characters (A-Z, a-z, 0-9, +, /, and = for padding).

Base64 is not encryption. It provides zero security. Anyone can decode it instantly. Its only purpose is data representation compatibility.

How Base64 Encoding Works

Base64 takes 3 bytes of input (24 bits) and converts them into 4 Base64 characters (6 bits each, from a 64-character alphabet).

Input bytes:    M        a        n
Binary:      01001101 01100001 01101110
Groups of 6: 010011 010110 000101 101110
Base64:         T      W      F      u

If the input length isn’t divisible by 3, = padding characters are added to make the output length a multiple of 4.

This means Base64 encoding increases data size by approximately 33% — 3 bytes become 4 characters.

Base64 in Practice

JavaScript

Modern JavaScript has btoa() and atob() for browser environments, but they only handle Latin-1 strings. For proper Unicode or binary data handling, use Buffer in Node.js:

// Node.js — encode
const original = "Hello, DevPlaybook!";
const encoded = Buffer.from(original, "utf8").toString("base64");
console.log(encoded); // SGVsbG8sIERldlBsYXlib29rIQ==

// Decode
const decoded = Buffer.from(encoded, "base64").toString("utf8");
console.log(decoded); // Hello, DevPlaybook!

// Encoding binary (e.g., an image file)
const fs = require("fs");
const imageBuffer = fs.readFileSync("./photo.jpg");
const imageBase64 = imageBuffer.toString("base64");

// Create a data URI for embedding in HTML/CSS
const dataUri = `data:image/jpeg;base64,${imageBase64}`;

Python

import base64

# Encode a string
original = "Hello, DevPlaybook!"
encoded = base64.b64encode(original.encode("utf-8"))
print(encoded)  # b'SGVsbG8sIERldlBsYXlib29rIQ=='

# Decode
decoded = base64.b64decode(encoded).decode("utf-8")
print(decoded)  # Hello, DevPlaybook!

# URL-safe variant (replaces + with - and / with _)
url_safe = base64.urlsafe_b64encode(original.encode("utf-8"))
print(url_safe)  # b'SGVsbG8sIERldlBsYXlib29rIQ=='

# Encode binary file
with open("photo.jpg", "rb") as f:
    image_base64 = base64.b64encode(f.read()).decode("utf-8")

Go

package main

import (
    "encoding/base64"
    "fmt"
)

func main() {
    original := "Hello, DevPlaybook!"

    // Encode
    encoded := base64.StdEncoding.EncodeToString([]byte(original))
    fmt.Println(encoded) // SGVsbG8sIERldlBsYXlib29rIQ==

    // Decode
    decoded, err := base64.StdEncoding.DecodeString(encoded)
    if err != nil {
        panic(err)
    }
    fmt.Println(string(decoded)) // Hello, DevPlaybook!

    // URL-safe variant
    urlEncoded := base64.URLEncoding.EncodeToString([]byte(original))
    fmt.Println(urlEncoded)
}

Standard vs URL-Safe Base64

Standard Base64 uses + and / in its alphabet. These characters have special meaning in URLs — + means a space, and / is a path separator. This causes problems when embedding Base64 in URLs or using it in HTTP query parameters.

URL-safe Base64 replaces + with - and / with _. It’s used in:

  • JWT tokens (JSON Web Tokens)
  • OAuth flows
  • URL query parameters
  • Kubernetes secrets
  • Google Cloud API payloads

Always check which variant you need before encoding. Decoding standard Base64 with a URL-safe decoder (or vice versa) on data containing +/- or //_ will silently produce incorrect results.

Common Mistakes and Pitfalls

1. Treating Base64 as encryption

Base64 is trivially reversible. Never use it to “protect” sensitive data. Use proper encryption (AES-256-GCM for symmetric, RSA for asymmetric) when security matters.

2. Forgetting the size overhead

Storing Base64-encoded images in a database instead of a blob store or CDN will inflate your storage by 33% and slow down queries. Use object storage (S3, R2, GCS) for binary assets.

3. Double-encoding

If you encode an already-encoded string, you get garbage on decode. Establish a clear contract: encode once at the boundary, decode once at the consumer. Don’t encode in transit layers that don’t need to touch the data.

4. Line breaks in Base64

RFC 2045 (MIME) specifies that Base64 output should be broken into 76-character lines. Many libraries default to this. If you’re passing Base64 in a URL parameter or JSON field, strip the line breaks first:

const clean = base64String.replace(/\s/g, "");

5. Padding issues

Some implementations strip the trailing = padding. Others require it. If you’re integrating with an external API that returns padded Base64 and your decoder doesn’t handle padding correctly, add it manually:

function addPadding(b64) {
  return b64 + "=".repeat((4 - (b64.length % 4)) % 4);
}

When to Use Base64

Good use cases:

  • Embedding small images in HTML/CSS as data URIs
  • Sending binary data in JSON API payloads
  • JWT token encoding
  • Storing cryptographic keys in text configuration files
  • Email attachments (MIME)

Avoid when:

  • Transferring large binary files (use multipart form data or pre-signed URLs instead)
  • Storing in databases (use binary column types or object storage)
  • Thinking it provides any security

Test Base64 With JSON Data

Many Base64 encoding scenarios involve JSON payloads — encoding a JSON object to send as a URL parameter, or embedding Base64 data inside a JSON field. Use the DevPlaybook JSON Diff Viewer to compare JSON structures before and after processing to catch encoding errors quickly.

Wrapping Up

Base64 is a simple, essential tool for bridging the gap between binary data and text-only systems. The key points to remember:

  • It increases size by ~33% — only use where necessary
  • Standard vs URL-safe variants matter — check which one your system expects
  • It provides zero security — use encryption separately
  • Double-encoding and padding issues are the most common bugs

For more developer utilities, config templates, and battle-tested tooling setups, check out the DevToolkit Starter Kit — a collection of configs and scripts that handle the boring setup work so you can focus on building.

👉 Get the DevToolkit Starter Kit on Gumroad

Free Newsletter

Level Up Your Dev Workflow

Get new tools, guides, and productivity tips delivered to your inbox.

Plus: grab the free Developer Productivity Checklist when you subscribe.

Found this guide useful? Check out our free developer tools.

Free Tools All Products