🔒

AES-256-GCM Decrypt

Decrypt AES-256-GCM encrypted ciphertext back to plaintext.

POST 1 credit /v1/auth/decrypt

curl -X POST "https://auth.toolkitapi.io/v1/auth/decrypt" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "ciphertext": "k7G3xZ9pQ2w=",
    "iv": "dGhpcyBpcyBhIHRl",
    "tag": "YXV0aGVudGljYXRpb24=",
    "password": "my-secret-password",
    "salt": "c29tZXNhbHQ=",
    "algorithm": "AES-256-GCM"
  }'

import httpx

resp = httpx.post(
    "https://auth.toolkitapi.io/v1/auth/decrypt",
    json={
    "ciphertext": "k7G3xZ9pQ2w=",
    "iv": "dGhpcyBpcyBhIHRl",
    "tag": "YXV0aGVudGljYXRpb24=",
    "password": "my-secret-password",
    "salt": "c29tZXNhbHQ=",
    "algorithm": "AES-256-GCM"
  },
)
print(resp.json())

const resp = await fetch("https://auth.toolkitapi.io/v1/auth/decrypt", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    "ciphertext": "k7G3xZ9pQ2w=",
    "iv": "dGhpcyBpcyBhIHRl",
    "tag": "YXV0aGVudGljYXRpb24=",
    "password": "my-secret-password",
    "salt": "c29tZXNhbHQ=",
    "algorithm": "AES-256-GCM"
  }),
});
const data = await resp.json();
console.log(data);

# See curl example

Response 200 OK

{
  "plaintext": "Hello, World!",
  "algorithm": "AES-256-GCM"
}

Try It Live

Description

Decrypt AES-256-GCM encrypted ciphertext back to plaintext.

How to Use

1

1. Gather the `ciphertext`, `iv`, and `tag` values from a previous encrypt response.

2

2. Provide the same key or password used during encryption. If using a password, include the `salt` from the encrypt response.

3

3. Send a POST request and receive the original `plaintext` in the response.

4

4. If decryption fails, verify that all values (ciphertext, iv, tag, key/password, salt) match exactly what was used during encryption.

About This Tool

The AES-256-GCM Decrypt endpoint reverses authenticated encryption performed by the encrypt endpoint. It takes the Base64-encoded ciphertext, initialization vector (IV), and authentication tag, and returns the original plaintext string.

AES-GCM's authentication tag ensures integrity — if any of the ciphertext, IV, or tag have been tampered with, decryption will fail with an error rather than returning corrupted data. This provides strong protection against both eavesdropping and modification attacks.

As with encryption, you can supply either a raw hex key or a password with its corresponding salt. The salt must match the one returned by the encrypt endpoint to derive the same key.

Why Use This Tool

Retrieving encrypted secrets — Decrypt API keys or tokens stored in encrypted form
Processing encrypted payloads — Decrypt data received from other services
Accessing encrypted configuration — Restore plaintext config values at runtime
Data migration — Decrypt data encrypted with a previous key before re-encrypting
Audit and compliance — Decrypt records for authorized review or export

Frequently Asked Questions

What happens if the ciphertext was tampered with?

AES-GCM's authentication tag detects any modification to the ciphertext. If the data has been altered, the API returns a 400 error with a decryption failure message rather than returning corrupted plaintext.

Why is salt required when using a password?

The salt was randomly generated during encryption to ensure that the same password produces a different key each time. Without the exact same salt, PBKDF2 will derive a different key and decryption will fail.

Can I decrypt data encrypted by other AES-256-GCM implementations?

Yes, as long as you provide the correct key, IV, and tag in Base64 encoding. AES-256-GCM is a standard algorithm, so data encrypted by OpenSSL, Web Crypto, or other libraries is compatible.

What if I lose the IV or tag?

Decryption is impossible without the correct IV and authentication tag. Always store these values alongside the ciphertext.

Start using AES-256-GCM Decrypt now

Get your free API key and make your first request in under a minute.

Get Free API Key View Docs