
The `encoding/base64` package encodes binary data as printable ASCII text. Two encodings are available: `StdEncoding` (uses `+` and `/`) and `URLEncoding` (uses `-` and `_`, safe in URLs).

<ExamplePair>
<ExampleProse>

`base64.StdEncoding.EncodeToString` encodes a byte slice to a base64 string. `DecodeString` reverses it, returning a byte slice and an error if the input is malformed.

</ExampleProse>
<ExampleCode>

```go
package main

import (
    "encoding/base64"
    "fmt"
)

func main() {
    data := []byte("user:secret-password")

    encoded := base64.StdEncoding.EncodeToString(data)
    fmt.Println(encoded) // dXNlcjpzZWNyZXQtcGFzc3dvcmQ=

    decoded, err := base64.StdEncoding.DecodeString(encoded)
    if err != nil {
        panic(err)
    }
    fmt.Println(string(decoded)) // user:secret-password
}
```

</ExampleCode>
</ExamplePair>

<ExamplePair>
<ExampleProse>

`base64.URLEncoding` replaces `+` with `-` and `/` with `_`, making the output safe to embed in URLs and filenames. `base64.RawURLEncoding` omits the `=` padding - used in JWT segments and URL-safe tokens.

</ExampleProse>
<ExampleCode>

```go
package main

import (
    "crypto/rand"
    "encoding/base64"
    "fmt"
)

func main() {
    // Standard encoding - may produce + and / in output
    std := base64.StdEncoding.EncodeToString([]byte{0xfb, 0xef, 0xff})
    fmt.Println("std:", std) // ++//

    // URL-safe encoding - replaces + with - and / with _
    url := base64.URLEncoding.EncodeToString([]byte{0xfb, 0xef, 0xff})
    fmt.Println("url:", url) // --__

    // Generate a URL-safe random token (no padding)
    buf := make([]byte, 24)
    rand.Read(buf)
    token := base64.RawURLEncoding.EncodeToString(buf)
    fmt.Println("token:", token) // 32-char URL-safe token, no = padding
}
```

</ExampleCode>
</ExamplePair>

<ExamplePair>
<ExampleProse>

For large payloads, wrap an `io.Writer` with `base64.NewEncoder` to stream encoding without buffering the entire output. Call `Close()` to flush any remaining bytes and write the final padding.

</ExampleProse>
<ExampleCode>

```go
package main

import (
    "encoding/base64"
    "os"
    "strings"
)

func main() {
    enc := base64.NewEncoder(base64.StdEncoding, os.Stdout)
    defer enc.Close()

    r := strings.NewReader("streaming base64 example output")
    buf := make([]byte, 8)
    for {
        n, err := r.Read(buf)
        if n > 0 {
            enc.Write(buf[:n])
        }
        if err != nil {
            break
        }
    }
}
```

</ExampleCode>
</ExamplePair>

<InProduction>
Use `base64.URLEncoding` (or `base64.RawURLEncoding` without padding) for URL-safe tokens and JWT segments - standard base64 uses `+` and `/` which are special characters in URLs and require percent-encoding. When size matters, note that base64 inflates data by approximately 33% (3 bytes become 4 characters). For generating random tokens (session IDs, CSRF tokens, API keys), fill a byte slice with `crypto/rand.Read`, then `base64.RawURLEncoding.EncodeToString` - 18 random bytes give 24 URL-safe characters with 144 bits of entropy, sufficient for most token use cases. Never roll a custom encoding for tokens; use the stdlib encoders to avoid subtle bugs with alphabet selection and padding.
</InProduction>


encoding/base64 StdEncoding and URLEncoding for encode/decode, RawURLEncoding for padding-free tokens, and streaming encoders.

Base64 Encoding


The `os` and `bufio` packages provide file reading at different granularities. `os.ReadFile` reads a whole file at once; `bufio.Scanner` reads line by line without loading the full file into memory.

<ExamplePair>
<ExampleProse>

`os.ReadFile` reads an entire file into a `[]byte` in one call. It opens, reads, and closes the file for you. Suitable for config files, small assets, and test fixtures - anything with a known bounded size.

</ExampleProse>
<ExampleCode>

```go
package main

import (
    "fmt"
    "os"
)

func main() {
    data, err := os.ReadFile("go.mod")
    if err != nil {
        panic(err)
    }
    fmt.Printf("read %d bytes\n", len(data))
    fmt.Println(string(data[:64])) // print first 64 bytes
}
```

</ExampleCode>
</ExamplePair>

<ExamplePair>
<ExampleProse>

For large files or line-oriented processing, open the file with `os.Open` and wrap it in a `bufio.Scanner`. The scanner reads one line at a time, keeping memory usage constant regardless of file size.

</ExampleProse>
<ExampleCode>

```go
package main

import (
    "bufio"
    "fmt"
    "os"
)

func main() {
    f, err := os.Open("go.mod")
    if err != nil {
        panic(err)
    }
    defer f.Close()

    scanner := bufio.NewScanner(f)
    lineNum := 0
    for scanner.Scan() {
        lineNum++
        fmt.Printf("%3d: %s\n", lineNum, scanner.Text())
    }
    if err := scanner.Err(); err != nil {
        panic(err)
    }
}
```

</ExampleCode>
</ExamplePair>

<ExamplePair>
<ExampleProse>

`os.Stdin` implements `io.Reader`, so the same `bufio.Scanner` pattern reads from standard input. This is the basis of Unix-style filter programs that accept piped input.

</ExampleProse>
<ExampleCode>

```go
package main

import (
    "bufio"
    "fmt"
    "os"
    "strings"
)

func main() {
    scanner := bufio.NewScanner(os.Stdin)
    for scanner.Scan() {
        line := scanner.Text()
        fmt.Println(strings.ToUpper(line))
    }
    if err := scanner.Err(); err != nil {
        fmt.Fprintln(os.Stderr, "read error:", err)
        os.Exit(1)
    }
}
```

</ExampleCode>
</ExamplePair>

<InProduction>
`os.ReadFile` loads the entire file into memory - fine for configs and test fixtures, unsafe for unbounded user uploads or large log files. For large or streaming reads, open with `os.Open` and wrap with `bufio.Reader` or `bufio.Scanner`. Always call `defer f.Close()` immediately after a successful `os.Open` - not after the error check, not at the end of the function, but on the very next line so it is never accidentally omitted. `bufio.Scanner` has a default line buffer of 64 KB; if you expect lines longer than that (e.g. minified JSON), use `scanner.Buffer(make([]byte, maxSize), maxSize)` before the first `Scan()`. Check `scanner.Err()` after the loop - a scanner that runs out of input and a scanner that encounters a read error both exit the loop, but only one is an error.
</InProduction>


os.ReadFile for small files, os.Open with bufio.Scanner for line-by-line reading, the io.Reader interface, and reading from stdin.

Reading Files


The `crypto/sha256` package computes SHA-256 digests. Use `sha256.Sum256` for small byte slices; use `sha256.New()` with `io.Copy` for large files or streams.

<ExamplePair>
<ExampleProse>

`sha256.Sum256` hashes a byte slice in one call and returns a `[32]byte` array. `hex.EncodeToString` converts the raw bytes to a lowercase hex string - the common representation for checksums and content hashes.

</ExampleProse>
<ExampleCode>

```go
package main

import (
    "crypto/sha256"
    "encoding/hex"
    "fmt"
)

func main() {
    data := []byte("hello, world")
    digest := sha256.Sum256(data)

    fmt.Printf("bytes: %x\n", digest)
    fmt.Println("hex:  ", hex.EncodeToString(digest[:]))
}
```

</ExampleCode>
</ExamplePair>

<ExamplePair>
<ExampleProse>

For large inputs, use `sha256.New()` to get a `hash.Hash` and write data incrementally. This avoids loading the entire content into memory and works with any `io.Reader`.

</ExampleProse>
<ExampleCode>

```go
package main

import (
    "crypto/sha256"
    "encoding/hex"
    "fmt"
    "strings"
)

func main() {
    h := sha256.New()

    // Write data in chunks (simulated here with a Reader)
    r := strings.NewReader("hello, world - this could be a large file")
    buf := make([]byte, 8)
    for {
        n, err := r.Read(buf)
        if n > 0 {
            h.Write(buf[:n])
        }
        if err != nil {
            break
        }
    }

    fmt.Println(hex.EncodeToString(h.Sum(nil)))
}
```

</ExampleCode>
</ExamplePair>

<ExamplePair>
<ExampleProse>

`h.Sum(nil)` appends the current digest to a nil slice, returning a fresh `[]byte`. You can also call `h.Sum(existing[:0])` to write into a pre-allocated buffer without an allocation.

</ExampleProse>
<ExampleCode>

```go
package main

import (
    "crypto/sha256"
    "fmt"
    "io"
    "os"
)

func hashFile(path string) ([]byte, error) {
    f, err := os.Open(path)
    if err != nil {
        return nil, err
    }
    defer f.Close()

    h := sha256.New()
    if _, err := io.Copy(h, f); err != nil {
        return nil, err
    }
    return h.Sum(nil), nil
}

func main() {
    digest, err := hashFile("go.sum")
    if err != nil {
        fmt.Println("open go.sum:", err)
        return
    }
    fmt.Printf("%x\n", digest)
}
```

</ExampleCode>
</ExamplePair>

<InProduction>
`sha256.Sum256` hashes a byte slice in one call - convenient for small inputs, but it loads the entire content into memory. For files, use `sha256.New()` + `io.Copy` so the file is streamed through the hasher. Never use SHA-256 for password storage: it is a general-purpose hash, not a key derivation function. Use `bcrypt`, `argon2id`, or `scrypt` for passwords - they are intentionally slow and include salting. SHA-256 is appropriate for content addressing (deduplication, checksums), HMAC signatures, and certificate fingerprints. When comparing digests in security-sensitive code, use `subtle.ConstantTimeCompare` from `crypto/subtle` to prevent timing attacks; a naive `bytes.Equal` or `==` can leak timing information.
</InProduction>


crypto/sha256 for one-shot and streaming SHA-256 hashing, hex encoding the digest, and when not to use SHA256 for passwords.