🔒

AES-256-GCM Encrypt

Encrypt plaintext strings using AES-256-GCM authenticated encryption.

POST 1 credit /v1/auth/encrypt

curl -X POST "https://auth.toolkitapi.io/v1/auth/encrypt" \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{
    "plaintext": "Hello, World!",
    "password": "my-secret-password",
    "algorithm": "AES-256-GCM"
  }'

import httpx

resp = httpx.post(
    "https://auth.toolkitapi.io/v1/auth/encrypt",
    json={
    "plaintext": "Hello, World!",
    "password": "my-secret-password",
    "algorithm": "AES-256-GCM"
  },
)
print(resp.json())

const resp = await fetch("https://auth.toolkitapi.io/v1/auth/encrypt", {
  method: "POST",
  headers: {
    "Content-Type": "application/json",
  },
  body: JSON.stringify({
    "plaintext": "Hello, World!",
    "password": "my-secret-password",
    "algorithm": "AES-256-GCM"
  }),
});
const data = await resp.json();
console.log(data);

# See curl example

Response 200 OK

{
  "ciphertext": "k7G3xZ9pQ2w=",
  "iv": "dGhpcyBpcyBhIHRl",
  "tag": "YXV0aGVudGljYXRpb24=",
  "algorithm": "AES-256-GCM",
  "key_derived": true,
  "salt": "c29tZXNhbHQ="
}

Try It Live

Description

Encrypt plaintext strings using AES-256-GCM authenticated encryption.

How to Use

1

1. Choose your key method: provide a 64-character hex-encoded key in the `key` field, or supply a `password` for automatic PBKDF2 key derivation.

2

2. Set the `plaintext` field to the string you want to encrypt.

3

3. Send a POST request. The response includes the Base64-encoded `ciphertext`, `iv`, and `tag` — store all three, as they are all required for decryption.

4

4. If you used a password, also store the returned `salt` value — you will need it when calling the decrypt endpoint.

About This Tool

The AES-256-GCM Encrypt endpoint performs authenticated encryption on plaintext strings using the AES-256-GCM (Galois/Counter Mode) algorithm. AES-256-GCM provides both confidentiality and integrity, meaning the ciphertext is protected against tampering via an authentication tag.

You can supply either a raw 256-bit hex-encoded key or a password. When using a password, the key is derived using PBKDF2 with a randomly generated salt, which is returned in the response for use during decryption.

This endpoint is ideal for encrypting sensitive data before storage, transmitting secrets between services, or implementing application-layer encryption in your workflows.

Why Use This Tool

Encrypting secrets before database storage — Protect API keys, tokens, or PII at rest
Secure inter-service communication — Encrypt payloads before sending over untrusted channels
Client-side encryption workflows — Encrypt data in your backend before returning to clients
Envelope encryption — Use a password-derived key as a data encryption key
Configuration encryption — Protect sensitive environment variables or config values
Compliance requirements — Meet encryption-at-rest mandates for GDPR, HIPAA, or SOC 2

Frequently Asked Questions

Should I use a key or a password?

Use a raw hex key when you manage keys externally (e.g., from a KMS or vault). Use a password when you want the API to handle key derivation automatically via PBKDF2 — simpler, but slightly slower due to the derivation step.

Why do I need to store the iv, tag, and salt?

AES-GCM requires the same IV and authentication tag for decryption. The salt is needed to re-derive the same key from your password. Without any of these, decryption will fail.

Is AES-256-GCM safe for large payloads?

Yes, AES-256-GCM is widely used in TLS, disk encryption, and cloud services. However, this endpoint is designed for string-sized payloads — for large file encryption, consider a streaming approach.

Can I provide both key and password?

No. The API returns a 400 error if both are provided. You must choose one key method per request.

Start using AES-256-GCM Encrypt now

Get your free API key and make your first request in under a minute.

Get Free API Key View Docs