Base64 in APIs, email, and data URLs: a practical guide

Base64 makes binary data safe for text channels. Anyone can decode it. Do not treat encoded API keys or PII as protected. Use TLS in transit and proper encryption at rest when confidentiality matters.

JWT segments and many query parameters use Base64url, which avoids + and / characters that break URLs. Converting between variants without noticing is a common OAuth debugging rabbit hole.

MIME encodes attachments so SMTP can carry binary data. Line wrapping at 76 characters is historical; parsers usually tolerate stripping breaks before decode.

Small icons embedded as data:image/png;base64,... reduce HTTP requests but inflate HTML size and bypass browser caching. Prefer normal URLs for large assets.

After encode/decode in a pipeline, compare byte length and a cryptographic hash of the original file. Silent truncation or charset mistakes show up immediately.