Base64 Encoding and Decoding: Developer Guide

The encoder takes the input as a byte stream, groups every 3 bytes (24 bits) into 4 sextets (6 bits each), and maps each sextet to a printable character. The standard alphabet is `A-Z` (0-25), `a-z` (26-51), `0-9` (52-61), `+` (62), `/` (63), with `=` as the padding character used when the input length is not a multiple of 3 — see RFC 4648 §4 for the canonical alphabet table.

The 33% expansion is exact, not approximate: every 3 bytes become 4 characters, so encoded length = `4 × ceil(n / 3)` where n is the input byte count. Padding uses 0, 1, or 2 `=` characters depending on whether `n mod 3` is 0, 2, or 1 respectively. This is why Base64 strings always end on a 4-character boundary.

Data URIs embed bytes directly in HTML or CSS: `src="data:image/png;base64,..."` eliminates an HTTP round trip at the cost of a larger document. The break-even depends on the connection: for HTTP/2 multiplexed connections, separate requests are usually faster above 1-2 KB; for high-latency mobile connections, the threshold can be 5-10 KB. Above those sizes, the loss of independent caching dominates the round-trip savings.

JSON API payloads embed binary fields as Base64 strings because JSON cannot represent raw binary safely. JWT tokens specifically use Base64url (RFC 4648 §5) for header and payload sections — see RFC 7519. MIME email attachments use Base64 per RFC 2045, with the additional requirement of line-breaking every 76 characters. SMTP's 7-bit constraint is the historical reason every email attachment you have ever sent was Base64-encoded.

Standard Base64 uses `+` and `/`. Both are reserved in URL paths and query strings, so a token transmitted as `?t=abc+/de==` is interpreted by the receiving server as `?t=abc /de==` (the `+` becomes a literal space in `application/x-www-form-urlencoded` parsing). Base64url, defined in RFC 4648 §5, substitutes `-` for `+` and `_` for `/`, and conventionally omits padding because the length can be inferred.

Use Base64 Encoder to encode and decode both variants. The bug to watch for: decoding a Base64url string with a standard decoder appears to succeed because `-` and `_` are valid characters in the standard alphabet (they are not — but many decoders are lenient and produce silent corruption). Always match the variant on both ends.

`btoa()` and `atob()` are documented at MDN's Window.btoa reference and they operate on byte strings, not Unicode strings. Calling `btoa("héllo")` throws an `InvalidCharacterError` because `é` is a Unicode code point above 0xFF and `btoa` does not know how to serialize it to bytes. The correct pattern is `btoa(new TextEncoder().encode(s).reduce((a, b) => a + String.fromCharCode(b), ""))` for Unicode-safe encoding, or use the modern `Uint8Array`-based path via `Buffer.from(s).toString("base64")` in Node.

`atob` and `btoa` do not implement Base64url. Either pre-substitute `-`/`+` and `_`/`/` and re-add padding before calling them, or use a dedicated library. The Web Crypto API's JWT functions handle the variant transparently; raw `atob`/`btoa` do not.

Base64 is encoding, not encryption — the inverse of `btoa` is one function call away. Using Base64 to "obfuscate" sensitive values provides zero security. For real confidentiality use AES or another cipher; for tamper-resistance, sign with HMAC or use a JWT with a verified signature.

Avoid Base64 for large files in data URIs. The 33% overhead matters less than the loss of independent caching: a 100 KB image inlined as a data URI must be downloaded again every time the parent document changes. Above ~5 KB, separate files almost always win on real-world page-load metrics.

Avoid using Base64 as a database column type for binary blobs. Native `BYTEA` (Postgres) or `BLOB` (MySQL/SQLite) is faster, smaller, and avoids the encode/decode CPU cost on every read.