What is Base64 encoding?

Base64 is a binary-to-text encoding scheme that represents binary data using 64 printable ASCII characters (A-Z, a-z, 0-9, +, /). It converts every 3 bytes of input into 4 ASCII characters. The output is always 33% larger than the input.

How do I encode a string to Base64 in JavaScript?

In a browser, use btoa("your string") to encode and atob("encoded") to decode. For Unicode strings, use encodeURIComponent first: btoa(encodeURIComponent("hello 🌍")). In Node.js, use Buffer.from("your string").toString("base64").

What is the difference between Base64 and Base64URL?

Base64URL replaces + with - and / with _ to make the output safe for URLs and filenames. It also typically omits the = padding. Base64URL is used in JWT tokens, URL parameters, and email-safe contexts.

Is Base64 the same as encryption?

No. Base64 is encoding, not encryption. Anyone can decode Base64 without a key. It provides zero security. Never use Base64 to protect sensitive data — use proper encryption like AES-256 instead.

Why does btoa() fail on Unicode strings?

btoa() only handles ASCII characters (code points 0-255). Characters outside this range throw "InvalidCharacterError". Fix by using encodeURIComponent(str) before btoa(), or use TextEncoder to convert to bytes first.

How do I encode a file to Base64 in Python?

Use the built-in base64 module: import base64; with open("file.pdf", "rb") as f: encoded = base64.b64encode(f.read()).decode("utf-8"). This reads the file as bytes and encodes it.

Should I embed images as Base64 in HTML?

Only for small images (icons, tiny logos under 5KB). Base64 increases file size by 33%, prevents browser caching of the image separately, and bloats your HTML. For larger images, use regular src URLs instead.

What chunk size should I use for streaming Base64 encoding?

Always use chunk sizes that are multiples of 3 bytes (e.g., 3072, 6144, 57 bytes). Each group of 3 bytes becomes exactly 4 Base64 characters. Using non-multiples of 3 will produce incorrect padding in intermediate chunks.

Base64 Encoder/Decoder: Encode and Decode Online

TL;DR

Base64 converts 3 bytes into 4 ASCII characters using a 64-character alphabet (A-Z, a-z, 0-9, +/). Use btoa()/atob() in the browser, Buffer.from() in Node.js, and the built-in base64 module in Python. Base64URL swaps + for - and / for _ for URL safety. Base64 is encoding, NOT encryption — anyone can decode it.

What Is Base64?

Base64 is a binary-to-text encoding scheme defined in RFC 4648. It represents arbitrary binary data using only 64 printable ASCII characters, making it safe to transmit through text-based protocols like HTTP, SMTP, and JSON. The name comes directly from the 64-character alphabet it uses.

The algorithm takes 3 bytes (24 bits) of input at a time and splits them into 4 groups of 6 bits. Each 6-bit group (values 0–63) maps to one character in the Base64 alphabet. Since 6 bits can represent 64 distinct values, this perfectly covers the full alphabet.

How 3 Bytes Become 4 Characters

Example: encoding the string "Man":

M = 77 = 01001101
a = 97 = 01100001
n = 110 = 01101110

Concatenated: 010011010110000101101110 → split into 6-bit groups: 010011 (19=T), 010110 (22=W), 000101 (5=F), 101110 (46=u) → result: TWFu

The Base64 Alphabet

The standard alphabet: A–Z (0–25), a–z (26–51), 0–9 (52–61), + (62), / (63). The = character is used as padding when the input is not a multiple of 3 bytes.

1 remaining byte → 2 Base64 chars + ==
2 remaining bytes → 3 Base64 chars + =
3 bytes exactly → 4 Base64 chars, no padding

Base64 vs Base64URL vs Base32 vs Hex

Format	Alphabet	URL Safe	Padding	Size Increase	Primary Use Case
Base64	A-Z, a-z, 0-9, +/	No	`=`	~33%	Email attachments, data URIs, API payloads
Base64URL	A-Z, a-z, 0-9, -_	Yes	Optional	~33%	JWT tokens, URL params, filenames
Base32	A-Z, 2-7	Yes	`=`	~60%	TOTP secrets, case-insensitive systems
Hex	0-9, a-f	Yes	None	~100%	Hashes, colors, binary inspection

JavaScript — Browser (btoa / atob)

Modern browsers provide two global functions for Base64 encoding and decoding:

btoa(string) — encodes a binary string to Base64 ("binary to ASCII")
atob(base64) — decodes a Base64 string back to binary ("ASCII to binary")

Basic ASCII Encoding

// Encode
const encoded = btoa('Hello, World!');
console.log(encoded); // "SGVsbG8sIFdvcmxkIQ=="

// Decode
const decoded = atob('SGVsbG8sIFdvcmxkIQ==');
console.log(decoded); // "Hello, World!"

// Encode binary string (e.g., from fetch response)
const response = await fetch('/api/data');
const arrayBuffer = await response.arrayBuffer();
const bytes = new Uint8Array(arrayBuffer);
const binaryString = bytes.reduce((acc, byte) => acc + String.fromCharCode(byte), '');
const b64 = btoa(binaryString);

Why btoa() Fails on Unicode

btoa() was designed for binary strings where each character has a code point between 0 and 255. Passing characters outside this range (emoji, Chinese characters, etc.) throws a InvalidCharacterError:

// This throws: "InvalidCharacterError: Failed to execute 'btoa'"
btoa('Hello 🌍'); // ERROR!
btoa('中文');     // ERROR!

Fix: Encoding Unicode with encodeURIComponent

// Encode Unicode to Base64
function encodeUnicode(str) {
  return btoa(encodeURIComponent(str).replace(/%([0-9A-F]{2})/g, (_, p1) =>
    String.fromCharCode('0x' + p1)
  ));
}

// Decode Base64 to Unicode
function decodeUnicode(b64) {
  return decodeURIComponent(
    atob(b64).split('').map(c =>
      '%' + ('00' + c.charCodeAt(0).toString(16)).slice(-2)
    ).join('')
  );
}

const encoded = encodeUnicode('Hello 🌍');
console.log(encoded);               // "SGVsbG8g8J+MjQ=="
console.log(decodeUnicode(encoded)); // "Hello 🌍"

Modern Approach: TextEncoder for Binary Data

// Encode any string using TextEncoder (handles all Unicode)
function toBase64(str) {
  const bytes = new TextEncoder().encode(str);
  const binString = String.fromCodePoint(...bytes);
  return btoa(binString);
}

// Decode Base64 back to string using TextDecoder
function fromBase64(b64) {
  const binString = atob(b64);
  const bytes = Uint8Array.from(binString, m => m.codePointAt(0));
  return new TextDecoder().decode(bytes);
}

console.log(toBase64('Hello 🌍'));  // Properly encoded
console.log(fromBase64(toBase64('Hello 🌍'))); // "Hello 🌍"

JavaScript — Node.js (Buffer)

Node.js uses the Buffer class for Base64 operations. This works for both text and binary data without any Unicode workarounds.

String Encoding and Decoding

// Encode string to Base64
const encoded = Buffer.from('Hello, World!').toString('base64');
console.log(encoded); // "SGVsbG8sIFdvcmxkIQ=="

// Decode Base64 to string
const decoded = Buffer.from('SGVsbG8sIFdvcmxkIQ==', 'base64').toString('utf8');
console.log(decoded); // "Hello, World!"

// Unicode strings work natively
const unicodeEncoded = Buffer.from('Hello 🌍').toString('base64');
const unicodeDecoded = Buffer.from(unicodeEncoded, 'base64').toString('utf8');
console.log(unicodeDecoded); // "Hello 🌍"

URL-Safe Base64 (base64url)

// Node.js 16+ natively supports 'base64url'
const urlSafe = Buffer.from('Hello+World/Test==').toString('base64url');
console.log(urlSafe); // No +, /, or = characters

// Decode base64url
const original = Buffer.from(urlSafe, 'base64url').toString('utf8');

// Manual conversion for older Node.js versions
function toBase64url(b64) {
  return b64.replace(/+/g, '-').replace(///g, '_').replace(/=/g, '');
}

function fromBase64url(b64url) {
  const pad = b64url.length % 4;
  const padded = b64url + (pad ? '='.repeat(4 - pad) : '');
  return padded.replace(/-/g, '+').replace(/_/g, '/');
}

File Encoding with fs + Buffer

const fs = require('fs');

// Encode file to Base64
const fileBuffer = fs.readFileSync('./image.png');
const base64String = fileBuffer.toString('base64');
console.log(`data:image/png;base64,${base64String}`);

// Decode Base64 back to file
const base64Data = 'iVBORw0KGgo...'; // your base64 string
const buffer = Buffer.from(base64Data, 'base64');
fs.writeFileSync('./decoded-image.png', buffer);
console.log('File saved successfully');

Base64URL — URL-Safe Encoding

Standard Base64 uses + and / which have special meanings in URLs and filenames. Base64URL (defined in RFC 4648 Section 5) solves this:

+ is replaced with - (hyphen)
/ is replaced with _ (underscore)
Padding = is usually omitted

When to Use Base64URL

Use Case	Why Base64URL
JWT tokens	Token appears in Authorization headers and URLs without escaping
URL query parameters	`+` would be interpreted as a space in some parsers
Filenames	`/` would create directory separators on Unix
Email-safe tokens	Avoids characters that email clients might treat specially

Conversion Code

// Standard Base64 → Base64URL
function base64ToBase64url(b64) {
  return b64.replace(/+/g, '-').replace(///g, '_').replace(/=+$/, '');
}

// Base64URL → Standard Base64
function base64urlToBase64(b64url) {
  const padLen = (4 - (b64url.length % 4)) % 4;
  return b64url.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat(padLen);
}

// Examples
const standard = 'SGVsbG8+V29ybGQv';
const urlSafe = base64ToBase64url(standard); // "SGVsbG8-V29ybGQv"
const back = base64urlToBase64(urlSafe);     // "SGVsbG8+V29ybGQv"

Python — base64 Module

Python includes a built-in base64 module that handles standard Base64, URL-safe Base64, Base32, and more. All functions work with bytes objects.

Standard Encoding and Decoding

import base64

# Encode bytes to Base64
data = b"Hello, World!"
encoded = base64.b64encode(data)
print(encoded)         # b'SGVsbG8sIFdvcmxkIQ=='
print(encoded.decode('utf-8'))  # String: "SGVsbG8sIFdvcmxkIQ=="

# Decode Base64 to bytes
decoded = base64.b64decode(b'SGVsbG8sIFdvcmxkIQ==')
print(decoded)          # b'Hello, World!'
print(decoded.decode('utf-8'))  # String: "Hello, World!"

# Encode a string (convert to bytes first)
text = "Hello 🌍"
encoded = base64.b64encode(text.encode('utf-8'))
decoded_text = base64.b64decode(encoded).decode('utf-8')
print(decoded_text)     # "Hello 🌍"

URL-Safe Base64

import base64

# URL-safe encoding (replaces + with - and / with _)
data = b"Hello+World/Test"
url_safe = base64.urlsafe_b64encode(data)
print(url_safe)  # b'SGVsbG8rV29ybGQvVGVzdA=='

# URL-safe decoding
decoded = base64.urlsafe_b64decode(url_safe)
print(decoded)   # b'Hello+World/Test'

# Remove padding for JWT-style encoding
no_pad = url_safe.rstrip(b'=').decode('utf-8')
print(no_pad)    # "SGVsbG8rV29ybGQvVGVzdA"

# Add padding back before decoding
def decode_base64url(b64url):
    padded = b64url + '=' * (4 - len(b64url) % 4)
    return base64.urlsafe_b64decode(padded)

Encoding Files in Python

import base64

# Encode a file to Base64
with open('document.pdf', 'rb') as f:
    file_data = f.read()
    encoded = base64.b64encode(file_data).decode('utf-8')
    print(f"Encoded length: {len(encoded)} chars")

# Decode and save Base64 back to file
with open('output.pdf', 'wb') as f:
    f.write(base64.b64decode(encoded))

# Encode image for data URI
with open('logo.png', 'rb') as img:
    img_data = base64.b64encode(img.read()).decode('utf-8')
    data_uri = f"data:image/png;base64,{img_data}"
    print(data_uri[:100] + '...')

Image to Base64 — Browser File API

Embedding images as Base64 data URIs allows them to be used inline in HTML, CSS, and JavaScript without separate HTTP requests. This is useful for small icons, email templates, and offline-capable apps.

Using FileReader to Convert an Uploaded Image

// HTML: <input type="file" id="imageInput" accept="image/*">
// HTML: <img id="preview" src="" alt="Preview">

document.getElementById('imageInput').addEventListener('change', function(e) {
  const file = e.target.files[0];
  if (!file) return;

  const reader = new FileReader();

  reader.onload = function(event) {
    // event.target.result is "data:image/png;base64,iVBORw0..."
    const dataURL = event.target.result;

    // Display the image
    document.getElementById('preview').src = dataURL;

    // Extract just the Base64 string (without the data URI prefix)
    const base64String = dataURL.split(',')[1];
    console.log('Base64 length:', base64String.length);
    console.log('MIME type:', file.type);

    // Send to server
    fetch('/api/upload', {
      method: 'POST',
      headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ image: base64String, mimeType: file.type }),
    });
  };

  reader.readAsDataURL(file); // This triggers encoding
});

Using Canvas for Image Transformation

// Convert image URL to Base64 using Canvas
function imageUrlToBase64(url) {
  return new Promise((resolve, reject) => {
    const canvas = document.createElement('canvas');
    const ctx = canvas.getContext('2d');
    const img = new Image();
    img.crossOrigin = 'anonymous'; // Required for cross-origin images

    img.onload = () => {
      canvas.width = img.width;
      canvas.height = img.height;
      ctx.drawImage(img, 0, 0);
      resolve(canvas.toDataURL('image/png')); // data:image/png;base64,...
    };
    img.onerror = reject;
    img.src = url;
  });
}

// Usage
const dataUrl = await imageUrlToBase64('https://example.com/logo.png');
document.querySelector('img').src = dataUrl;

Using Inline Base64 Images in HTML and CSS

<!-- Inline in HTML img tag -->
<img src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAEA..." alt="1px dot">

<!-- Inline in CSS background -->
<style>
.icon {
  background-image: url("data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL...");
  width: 24px;
  height: 24px;
}
</style>

<!-- SVG can also be used directly without base64 -->
<img src="data:image/svg+xml;charset=utf-8,<svg xmlns='http://www.w3.org/2000/svg'><circle cx='5' cy='5' r='5'/></svg>" alt="circle">

When to Use vs When NOT to Use Image Base64

Scenario	Use Base64?	Reason
Small icons (<5KB)	Yes	Reduces HTTP requests, negligible size penalty
Email template images	Yes	External images often blocked by email clients
Offline PWA assets	Yes	Avoids network dependency for critical assets
Large photos (>10KB)	No	33% larger, no browser caching, slow initial load
Page hero images	No	Blocks HTML parsing, cannot be cached separately
CDN-served images	No	CDN caching provides better performance

Go — encoding/base64

Go's standard library includes the encoding/base64 package with support for standard Base64, URL-safe Base64, and raw (no padding) variants.

package main

import (
    "encoding/base64"
    "fmt"
)

func main() {
    input := []byte("Hello, World!")

    // Standard Base64 (with padding)
    encoded := base64.StdEncoding.EncodeToString(input)
    fmt.Println(encoded) // "SGVsbG8sIFdvcmxkIQ=="

    // Decode
    decoded, err := base64.StdEncoding.DecodeString(encoded)
    if err != nil {
        panic(err)
    }
    fmt.Println(string(decoded)) // "Hello, World!"

    // URL-safe Base64 (with padding)
    urlEncoded := base64.URLEncoding.EncodeToString(input)
    fmt.Println(urlEncoded)

    // URL-safe Base64 WITHOUT padding (for JWT)
    rawURLEncoded := base64.RawURLEncoding.EncodeToString(input)
    fmt.Println(rawURLEncoded) // No = at the end

    // Decode raw URL-safe
    rawDecoded, _ := base64.RawURLEncoding.DecodeString(rawURLEncoded)
    fmt.Println(string(rawDecoded))

    // Standard Base64 WITHOUT padding
    rawStdEncoded := base64.RawStdEncoding.EncodeToString(input)
    fmt.Println(rawStdEncoded)
}

Go Base64 Encoding Variants Summary

Go Constant	Alphabet	Padding	Use Case
`base64.StdEncoding`	A-Z, a-z, 0-9, +/	Yes (=)	Standard MIME / file encoding
`base64.URLEncoding`	A-Z, a-z, 0-9, -_	Yes (=)	URL parameters
`base64.RawURLEncoding`	A-Z, a-z, 0-9, -_	No	JWT tokens, compact URLs
`base64.RawStdEncoding`	A-Z, a-z, 0-9, +/	No	Compact data transfer

Rust — base64 Crate

Rust uses the base64 crate (not in std library). Add it to your Cargo.toml: base64 = "0.22"

use base64::{Engine as _, engine::general_purpose};

fn main() {
    let input = b"Hello, World!";

    // Standard Base64 encode
    let encoded = general_purpose::STANDARD.encode(input);
    println!("{}", encoded); // "SGVsbG8sIFdvcmxkIQ=="

    // Standard Base64 decode
    let decoded = general_purpose::STANDARD.decode(&encoded).unwrap();
    println!("{}", String::from_utf8(decoded).unwrap()); // "Hello, World!"

    // URL-safe Base64 with padding
    let url_encoded = general_purpose::URL_SAFE.encode(input);
    println!("{}", url_encoded);

    // URL-safe WITHOUT padding (for JWT)
    let jwt_encoded = general_purpose::URL_SAFE_NO_PAD.encode(input);
    println!("{}", jwt_encoded); // No = padding

    // Decode URL-safe without padding
    let jwt_decoded = general_purpose::URL_SAFE_NO_PAD.decode(&jwt_encoded).unwrap();
    println!("{}", String::from_utf8(jwt_decoded).unwrap());
}

// Custom engine example
use base64::engine::general_purpose::GeneralPurpose;
use base64::alphabet;

let custom_engine = GeneralPurpose::new(
    &alphabet::URL_SAFE,
    base64::engine::general_purpose::NO_PAD,
);
let encoded = custom_engine.encode(b"test data");

Base64 in HTTP — Authentication, Data URIs, MIME

HTTP Basic Authentication

HTTP Basic Auth encodes credentials as Base64 in the Authorization header. Note: this is not encryption — the credentials are trivially decodable. Always use HTTPS.

// Format: "username:password" → Base64
const username = 'admin';
const password = 'secret123';
const credentials = btoa(`${username}:${password}`);
// credentials = "YWRtaW46c2VjcmV0MTIz"

// HTTP request with Basic Auth
const response = await fetch('https://api.example.com/data', {
  headers: {
    'Authorization': `Basic ${credentials}`,
    'Content-Type': 'application/json',
  },
});

// Server-side decoding (Node.js)
const authHeader = req.headers.authorization; // "Basic YWRtaW46c2VjcmV0MTIz"
const base64Credentials = authHeader.split(' ')[1];
const [user, pass] = Buffer.from(base64Credentials, 'base64').toString('utf8').split(':');
console.log(user, pass); // "admin" "secret123"

CSS Data URIs

/* Inline SVG as Base64 in CSS */
.icon-home {
  background-image: url("data:image/svg+xml;base64,PHN2ZyB4bWxucz0iaHR0cDovL3d3dy53My5vcmcvMjAwMC9zdmciIHZpZXdCb3g9IjAgMCAyNCAyNCI+PHBhdGggZD0iTTEwIDIwdi02aDR2Nmg1di04aDNMMTIgM0wyIDEyaDN2OHoiLz48L3N2Zz4=");
  background-size: contain;
  width: 24px;
  height: 24px;
}

/* Inline PNG as Base64 */
.logo {
  background-image: url("data:image/png;base64,iVBORw0KGgoAAAANSUhEUg...");
}

/* Font as Base64 for offline use */
@font-face {
  font-family: 'CustomFont';
  src: url("data:font/woff2;base64,d09GMgABAAA...") format('woff2');
}

MIME Email Attachments

// Email attachment using Node.js (nodemailer)
const nodemailer = require('nodemailer');
const fs = require('fs');

const pdfBuffer = fs.readFileSync('report.pdf');
const pdfBase64 = pdfBuffer.toString('base64');

const mailOptions = {
  from: 'sender@example.com',
  to: 'recipient@example.com',
  subject: 'Monthly Report',
  text: 'Please find the report attached.',
  attachments: [
    {
      filename: 'report.pdf',
      content: pdfBase64,
      encoding: 'base64',
      contentType: 'application/pdf',
    },
  ],
};

// Raw MIME format (Content-Transfer-Encoding: base64)
/*
Content-Type: application/pdf; name="report.pdf"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="report.pdf"

JVBERi0xLjQKJeLjz9MKNSAwIG9iago8PAovRmlsdGVyIC9GbGF0ZURlY29kZQov...
*/

Streaming and Large File Encoding

Loading large files entirely into memory before encoding is inefficient and may crash for very large files. Use streaming approaches instead.

Critical rule: Chunk sizes for streaming Base64 encoding must be multiples of 3 bytes. Each 3-byte group maps to exactly 4 Base64 characters. Using non-multiples produces incorrect padding characters in intermediate chunks.

Node.js Streams

const fs = require('fs');
const { Transform } = require('stream');

// Custom Base64 encoding stream
class Base64Encoder extends Transform {
  constructor() {
    super();
    this._buffer = Buffer.alloc(0);
  }

  _transform(chunk, encoding, callback) {
    // Combine with leftover bytes
    this._buffer = Buffer.concat([this._buffer, chunk]);

    // Process in multiples of 3
    const safeLength = Math.floor(this._buffer.length / 3) * 3;
    if (safeLength > 0) {
      this.push(this._buffer.slice(0, safeLength).toString('base64'));
      this._buffer = this._buffer.slice(safeLength);
    }
    callback();
  }

  _flush(callback) {
    if (this._buffer.length > 0) {
      this.push(this._buffer.toString('base64'));
    }
    callback();
  }
}

// Usage: stream file through encoder
const readStream = fs.createReadStream('large-video.mp4');
const encoder = new Base64Encoder();
const writeStream = fs.createWriteStream('large-video.b64');

readStream.pipe(encoder).pipe(writeStream);
writeStream.on('finish', () => console.log('Streaming encode complete'));

Python Chunked Encoding

import base64

def encode_file_streaming(input_path, output_path, chunk_size=57):
    """
    Encode a large file using chunked streaming.
    chunk_size must be a multiple of 3 (57 = 3 * 19 → produces 76 char lines, MIME standard).
    """
    with open(input_path, 'rb') as infile, open(output_path, 'w') as outfile:
        while True:
            chunk = infile.read(chunk_size)
            if not chunk:
                break
            # Each 57-byte chunk produces 76 Base64 characters
            encoded_chunk = base64.b64encode(chunk).decode('utf-8')
            outfile.write(encoded_chunk + '\n')  # MIME adds newlines

# base64.encodebytes() automatically adds newlines every 76 chars
with open('large-file.bin', 'rb') as f:
    encoded = base64.encodebytes(f.read())
    print(encoded[:100])  # b'SGVsbG8...'

# Streaming decode
def decode_file_streaming(input_path, output_path):
    with open(input_path, 'r') as infile, open(output_path, 'wb') as outfile:
        for line in infile:
            chunk = base64.b64decode(line.strip())
            outfile.write(chunk)

Performance Comparison

Format	Output Size Increase	Encoding Speed	URL Safe	Best Use Case
Hex	+100% (2x size)	Very Fast	Yes	Hash values, debugging binary data
Base64	+33%	Fast	No	Email attachments, data URIs, API payloads
Base64URL	+33%	Fast	Yes	JWT tokens, URL params, filenames
Base32	+60%	Moderate	Yes	TOTP secrets, human-readable codes

Base64 vs raw binary: If your protocol supports binary data (e.g., WebSockets, HTTP/2, gRPC), always prefer raw binary over Base64 encoded text. You avoid the 33% overhead and the CPU cost of encoding/decoding.

Browser performance: Native btoa()/atob() are implemented in C++ and are very fast. For data under 1MB, they are typically instantaneous. For larger data, consider a Web Worker to avoid blocking the main thread.

Common Mistakes and How to Fix Them

1. Using btoa() on Unicode Strings

// WRONG — throws InvalidCharacterError
const encoded = btoa("Hello 🌍");  // Error!

// CORRECT — encode URI components first
const encoded = btoa(encodeURIComponent("Hello 🌍")
  .replace(/%([0-9A-F]{2})/g, (_, p1) => String.fromCharCode('0x' + p1)));

// OR use TextEncoder (modern approach)
const bytes = new TextEncoder().encode("Hello 🌍");
const encoded = btoa(String.fromCodePoint(...bytes));

2. Forgetting Padding When Decoding

// Some APIs return Base64 without padding
const b64NoPad = "SGVsbG8"; // Missing ==

// WRONG
atob(b64NoPad);  // May throw or return incorrect data

// CORRECT — add padding before decoding
function safeDecode(b64) {
  const padded = b64 + '='.repeat((4 - b64.length % 4) % 4);
  return atob(padded);
}
console.log(safeDecode("SGVsbG8")); // "Hello"

3. Treating Base64 as Encryption

// WRONG — Base64 is NOT encryption
const "secret" = btoa("password123");  // Anyone can decode this!
// btoa("password123") = "cGFzc3dvcmQxMjM=" — trivially reversible

// CORRECT — use actual encryption
const key = await crypto.subtle.generateKey(
  { name: 'AES-GCM', length: 256 },
  true,
  ['encrypt', 'decrypt']
);
const encrypted = await crypto.subtle.encrypt(
  { name: 'AES-GCM', iv: crypto.getRandomValues(new Uint8Array(12)) },
  key,
  new TextEncoder().encode("password123")
);
// Now encode the encrypted bytes as Base64 for storage/transport
const encryptedB64 = btoa(String.fromCharCode(...new Uint8Array(encrypted)));

4. Confusing Base64URL with Standard Base64

// JWT tokens use Base64URL (- and _ instead of + and /)
const jwtPayload = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9";

// WRONG — trying to decode JWT part with standard atob()
atob(jwtPayload);  // May fail if it contains - or _

// CORRECT — convert Base64URL to standard Base64 first
function decodeBase64url(b64url) {
  const padded = b64url.replace(/-/g, '+').replace(/_/g, '/')
    + '='.repeat((4 - b64url.length % 4) % 4);
  return JSON.parse(atob(padded));
}

const payload = decodeBase64url(jwtPayload);
console.log(payload); // { alg: 'HS256', typ: 'JWT' }

5. MIME Base64 Line Breaks

// MIME/email Base64 adds \r\n every 76 characters
// Some implementations choke on these line breaks

// Python's base64.encodebytes() adds newlines automatically
import base64
encoded_with_newlines = base64.encodebytes(b"Hello World " * 100)
# b'SGVsbG8gV29ybGQgSGVsbG8gV29ybGQg...'
# Note: each 76-char line ends with \n

# To get clean Base64 without newlines, use b64encode
clean = base64.b64encode(b"Hello World " * 100)

# Node.js does NOT add line breaks — this is safe
Buffer.from(data).toString('base64')  // No line breaks

// If you receive MIME Base64, strip whitespace before decoding
const cleanB64 = mimeB64.replace(/[\r\n\s]/g, '');
const decoded = atob(cleanB64);

6. Using Non-Multiple-of-3 Chunk Sizes for Streaming

// WRONG — chunk size 1000 is not a multiple of 3
// This produces incorrect = padding after each chunk
const chunks = [];
for (let i = 0; i < data.length; i += 1000) {
  chunks.push(btoa(String.fromCharCode(...data.slice(i, i + 1000))));
}
// Concatenating these produces WRONG output!

// CORRECT — use multiples of 3: 3, 6, 57, 3072, etc.
const CHUNK_SIZE = 3072; // 3 * 1024
const chunks = [];
for (let i = 0; i < data.length; i += CHUNK_SIZE) {
  chunks.push(btoa(String.fromCharCode(...data.slice(i, i + CHUNK_SIZE))));
}
// Only the LAST chunk may have = padding — this is correct!

Key Takeaways

Base64 converts 3 bytes → 4 characters using a 64-char alphabet; output is always ~33% larger than input.
Browser: use btoa()/atob() for ASCII, TextEncoder+TextDecoder for Unicode strings.
Node.js: Buffer.from(str).toString('base64') and Buffer.from(b64, 'base64').toString('utf8') handle all cases.
Python: base64.b64encode() and base64.b64decode() work with bytes objects; encode strings with .encode('utf-8') first.
Go: use base64.StdEncoding, base64.URLEncoding, or base64.RawURLEncoding from encoding/base64.
Rust: use the base64 crate with general_purpose::STANDARD or URL_SAFE_NO_PAD engines.
Base64URL replaces +→- and /→_ for JWT tokens and URL parameters.
For streaming/large files, always use chunk sizes that are multiples of 3 bytes.
Base64 is encoding, NOT encryption — never use it to protect sensitive data.
Inline Base64 images are only worthwhile for assets under ~5KB; larger images lose browser caching benefits.