xtract.bot

POST /api/aes-gcm-encrypt3 quota units per call · cache hits free

Authenticated encryption with AES-128/192/256 in Galois/Counter Mode. Provide a raw key or a password (PBKDF2-stretched in-line). Returns IV + ciphertext + auth tag, all base64-encoded.

Authenticated symmetric encryption with AES-GCM (Web Crypto). Authenticated = ciphertext can't be tampered without the auth tag failing on decrypt — defends against both confidentiality *and* integrity attacks. Two key modes: - `keyMode="raw"` — supply `key` as hex / base64 (128, 192, or 256 bits exactly). - `keyMode="password"` — supply `password` + `salt`; the tool PBKDF2-stretches them (SHA-256, 600 000 rounds, 256-bit) to derive the AES key. Inputs can be UTF-8 text, hex, or base64. The IV is generated randomly (12 bytes — NIST-recommended) unless `iv` is supplied. **Output:** JSON with `ciphertext`, `iv`, `tag`, `keyMode`, and `algorithm`. With `keyMode=password`, the response also echoes the salt + iteration count so the recipient can rederive the key.

Inputs

NameTypeDefaultDescription
data*stringPlaintext to encrypt.
dataFormatenum (text | hex | base64)"text"Input encoding of `data`.
keyModeenum (raw | password)"raw"Whether `key` is the raw AES key or a password to stretch via PBKDF2.
keystringRaw key (16/24/32 bytes as hex/base64). Required when keyMode=raw.
keyFormatenum (hex | base64)"hex"Encoding of raw `key`.
passwordstringPassword to stretch (required when keyMode=password).
saltstringSalt for PBKDF2 (required when keyMode=password). UTF-8 by default; hex/base64 via saltFormat.
saltFormatenum (text | hex | base64)"text"Encoding of `salt`.
iterationsnumber (1000…10000000)600000PBKDF2 iterations (keyMode=password only).
keyBitsnumber (128…256)256AES key length in bits (128, 192, 256).
ivstringOptional explicit IV (12 bytes, hex/base64). Random if omitted.
ivFormatenum (hex | base64)"hex"Encoding of `iv` when supplied.
aadstringOptional additional authenticated data (AAD).
aadFormatenum (text | hex | base64)"text"Encoding of `aad`.

Response

Modes: json. Cache: not cacheable.

Every response carries x-cache (HIT / MISS / BYPASS), x-cache-signature (stable across identical inputs), and the rate-limit headers listed below.

Quota & limits

Cost per call3 units against the 10,000-unit monthly quota. Cache hits are free — only cache misses decrement.
Burst limit200 requests per rolling minute, shared across all tools.
Max request size4 MiB (base64 inflates file payloads ~33% — the limit applies to the decoded bytes).
Max response size6 MiB
Timeout30s wall clock.
Rate-limit headersX-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Burst-Limit on every response; X-Quota-Warning once 80% of the monthly quota is spent; Retry-After on 429s.

Errors

Errors are JSON with an error string; schema failures add a details object (Zod's flattened field errors).

StatusWhenBody
400Input fails the tool's schema (wrong type, missing required field, malformed base64) or the file bytes can't be parsed as the expected format.{ "error": "invalid inputs", "details": { "fieldErrors": { … } } }
401Missing or invalid X-Api-Key / X-Account-Id headers (or no session when called from the browser).{ "error": "unauthorized" }
404Unknown tool id, or calling /api/* on the website hostname instead of api.xtract.bot.{ "error": "not found" }
413Request body over the tool's max request size, or an image header declaring more megapixels than the tool's pixel budget.{ "error": "…exceeds maxRequestBytes…" }
415Content-Type isn't application/json on the json-body transport.{ "error": "unsupported content-type; expected application/json" }
429Monthly quota or the 200/min burst limit exhausted. Check Retry-After and the X-RateLimit-* headers.{ "error": "monthly quota exceeded", "monthRemaining": 0, … }
5xxConversion engine failure. Safe to retry; if it persists, the input is hitting a bug — please report it.{ "error": "…" }

Code samples

Built from the password-mode example.


curl -X POST https://api.xtract.bot/api/aes-gcm-encrypt \
  -H "Content-Type: application/json" \
  -H "Accept: application/json" \
  -H "X-Account-Id: $XTRACT_ACCOUNT_ID" \
  -H "X-Api-Key: $XTRACT_API_KEY" \
  -d '{
  "data": "the eagle has landed",
  "keyMode": "password",
  "password": "correct horse battery staple",
  "salt": "xtract.bot-demo",
  "iterations": 100000,
  "keyBits": 256
}'