Module base64_url 

URL-safe Base64 encoding trait.

Import path: use secure_gate::ToBase64Url;

This trait provides secure, explicit encoding of byte data to URL-safe base64 strings (no padding, RFC 4648). It is intended for intentional export scenarios only (QR codes, API responses, audited logging).

Requires the encoding-base64 feature.

Security Notes

• Full secret exposure: The resulting string contains the entire secret. Always treat output as sensitive; do not log or persist without protection.
• Zeroizing variants: Prefer to_base64url_zeroizing(), which returns [EncodedSecret] (wrapping Zeroizing<String> with redacted Debug). Use plain to_base64url() only for public values.
• Explicit exposure: to_base64url() (and the other encoding methods) perform deliberate full-secret exposure — the same security contract as with_secret or expose_secret. Direct calls do not appear in grep expose_secret / grep with_secret audit sweeps. For audit-first teams or multi-step operations, prefer with_secret(|b| b.to_base64url()) — the borrow checker enforces the reference cannot escape the closure.
• URL-safe: No padding (=), safe for URLs/JSON/filenames.

Example

use secure_gate::{Fixed, ToBase64Url, RevealSecret};
{
let secret = Fixed::new([0x42u8; 4]);

// Blanket impl on the inner byte array (via with_secret):
let b64 = secret.with_secret(|s| s.to_base64url());
assert_eq!(b64, "QkJCQg");

// Wrapper method (Direct Fixed<[u8; N]> API — same result):
assert_eq!(secret.to_base64url(), "QkJCQg");

// Zeroizing variant for sensitive encoded output:
let b64z = secret.to_base64url_zeroizing();
// b64z is EncodedSecret — zeroized on drop, redacted Debug
}

Traits

ToBase64Url

Extension trait for encoding byte data as URL-safe base64 strings (no padding).