Skip to content
BEAD

AES Encrypt / Decrypt

Encrypt or decrypt text with AES-GCM, deriving a key from a passphrase via PBKDF2 — all in your browser.

🔒 Encryption happens with SubtleCrypto in your browser. Passphrases never leave the device.

</>Use this tool programmaticallycurl · JavaScript · MCP

Same tool, callable from any HTTP client or from Claude (via MCP). Anonymous: 100 req/day per IP. Sign up for 1,000 req/day.

curl
curl https://api.b-e-a-d.com/tools/aes-encrypt-decrypt/run \
  -H "Content-Type: application/json" \
  -d '{
  "mode": "encrypt",
  "passphrase": "a",
  "input": "your input here"
}'
JavaScript (fetch)
const res = await fetch("https://api.b-e-a-d.com/tools/aes-encrypt-decrypt/run", {
  method: "POST",
  headers: { "Content-Type": "application/json" },
  body: JSON.stringify({
  "mode": "encrypt",
  "passphrase": "a",
  "input": "your input here"
}),
});
const data = await res.json();
console.log(data.result);
MCP (Claude Desktop / Claude Code)
# In Claude Desktop / Claude Code, add to your MCP config:
{
  "mcpServers": {
    "bead": {
      "command": "npx",
      "args": ["-y", "mcp-remote", "https://mcp.b-e-a-d.com"]
    }
  }
}

# Then ask Claude to call:
mcp__bead__bead_aes_encrypt_decrypt

Full reference: developer docs · OpenAPI spec

How it works

The passphrase is stretched with PBKDF2-SHA-256 (600,000 iterations) over a random 16-byte salt to derive a 256-bit AES key. Plaintext is encrypted with AES-GCM using a fresh 12-byte IV. Output is salt (16) ‖ iv (12) ‖ ciphertext+tag, Base64-encoded.

All of that happens in the browser via SubtleCrypto. The passphrase and plaintext never touch BEAD's servers.

Heads-up: a strong passphrase still matters. If you can guess it, an attacker can too. Use a generator — the password generator works well for this.

You might also like