2026-06-13 · 5 min read · Rahul Chitturi
- base64
- api
Base64 looks simple until production traffic includes emoji, plus signs in query strings, and libraries that disagree on padding. These mistakes show up in auth headers, webhook payloads, and file upload metadata.
Common failures
- Encoding UTF-8 text without specifying charset on decode
- Using standard Base64 in URLs (+ and / need encoding)
- Double-encoding the same string twice
- Assuming Base64 means encrypted or hashed
URL-safe Base64
JWTs and many OAuth flows use Base64url: - and _ replace + and /. Padding may be stripped. Decode with the variant your spec requires.