What the Online Decrypter Does
Someone sent you an encrypted blob produced by the Microapp Text Encrypter. They told you the passphrase out-of-band (different channel than the ciphertext). The Online Decrypter takes the blob plus the passphrase and gives you back the original message. The decryption runs entirely in your browser using AES-256-GCM and the same PBKDF2 key-stretching the encrypter used.
The two tools form a complete pair: anything encrypted by Text Encrypter decrypts here with the right passphrase, and only here (or in a custom client speaking the same format). The pairing is the point — the magic header at the start of the ciphertext signals to the decrypter what format to expect.
How the Microapp Online Decrypter Works
Paste the encrypted text (the base64 blob) into the first box. Enter the passphrase. Click Decrypt. The plaintext appears in green if successful; an error message appears if something failed.
Decryption is authenticated, which is the most important property. If the passphrase is wrong, decryption fails with a clear "wrong passphrase or tampered text" error — never garbled output. If the ciphertext was modified by even one bit in transit (corrupted by a misbehaving email client, accidentally truncated, deliberately tampered with), decryption fails the same way. Authenticated encryption means you never silently get corrupted plaintext.
TUFQUDEAAAB… from a colleague, and they SMS you the passphrase ravenwolf-37-blue. Paste both. The decrypter unpacks the salt and IV from the blob's header, derives the AES key from your passphrase using the embedded salt, runs AES-256-GCM decrypt + verify, and shows you: The package is at 4 PM. Same plaintext the encrypter started with. Round-trip safe.
Why "Authentication Failed" Is Useful
Naive encryption (older modes like CBC without authentication) gives you garbled plaintext when the wrong key is used or the ciphertext was modified. AES-GCM is different: the algorithm computes a 16-byte authentication tag during encryption that depends on every byte of input. Decryption verifies that tag before producing any output. If anything has changed — wrong key, modified ciphertext, even a single bit flip — the tag check fails and decryption returns nothing.
This means you can trust that successful decryption produced the original plaintext, not a corrupted version. There's no "did this come through cleanly?" doubt. Either it decrypts (and you have the real message) or it errors (and you know to retry).
Why Won't a Generic "AES Decrypt" Tool Work?
Because the format isn't standardized. Every encryption tool packages its output differently: some embed the salt, some don't; some use 12-byte IVs, some 16; some use PBKDF2 with 100k iterations, some 250k, some scrypt or Argon2 instead. To decrypt successfully, the decrypter must know the exact same parameters the encrypter used.
The Microapp encrypter uses: PBKDF2-HMAC-SHA256 with 250,000 iterations, 16-byte salt, AES-256-GCM with 12-byte IV, custom 8-byte magic header. The decrypter knows this because they're paired tools. A generic "AES decrypt" tool would have to guess all those parameters and would fail on each one.
Pairing These with Other Encryption Tools
OpenSSL output. Use OpenSSL to decrypt. Different format (Salted__ header, different KDF). Not compatible.
GPG output. Use GPG. Different format (PGP message format, different KDF). Not compatible.
Age output. Use age. Different format (X25519 key exchange, ChaCha20-Poly1305). Not compatible.
Microapp Text Encrypter output. Use this Online Decrypter. Same format. Compatible.
Common Failure Modes
Wrong passphrase. By far the most common cause. Double-check case (P vs p), special characters (- vs _), and whether you accidentally added a trailing space when copying.
Truncated ciphertext. If the encrypted text was sent via a chat that wraps lines or strips characters at the end, it might be incomplete. Have the sender re-send the entire string.
Whitespace inside the base64. Some email clients add line breaks every 76 characters. The decrypter strips whitespace automatically, so this usually isn't an issue. If decryption still fails, try copying into a plain text editor first to see what's actually there.
Wrong format entirely. If you're trying to decrypt OpenSSL or GPG output here, the magic header check fails immediately with a "wrong format" error. Use the appropriate tool for that format.
What If I've Lost the Passphrase?
The message is unrecoverable. Period. There's no backdoor, no key recovery service, no "forgot passphrase" link. AES-256 is brute-force-impractical on any current or near-future hardware; PBKDF2-250k makes even reasonable-but-not-perfect passphrases survive years of attacker effort.
That's by design — encryption with a recovery mechanism would also have a backdoor for attackers. The price of true confidentiality is no recovery. Don't encrypt the only copy of important data, ever.
Privacy Architecture
The decryption flow runs entirely in your browser. The Web Crypto API does the heavy lifting (AES-GCM, HMAC); the bcryptjs-style PBKDF2 derivation is also browser-native. There is no server we control that ever sees your encrypted text or your passphrase. We log nothing, store nothing, send nothing.
If you want to verify, open browser dev tools → Network tab → run the decryption. You'll see zero requests fired. The page stays static; the crypto happens in your tab.
Related Tools
For encrypting (the other half of this pair), use the Text Encrypter. To hash passwords for server-side storage (a different problem), see the Bcrypt Generator. For Base64 encoding/decoding (the encoding format the encrypted text uses), see the Base64 Encoder/Decoder. For one-way hashes that verify integrity, the SHA-256 Generator is the right tool.