Loading Laravel Decryptor...
Decrypt Laravel encrypted values and cookies produced by Crypt::encrypt using your APP_KEY. Supports AES-256/128-CBC with HMAC and AES-GCM. Runs entirely in your browser.
Laravel encrypts data with the Crypt facade (Illuminate\Encryption\Encrypter), keyed by the APP_KEY in your .env file. The output is a base64-encoded JSON object containing the IV, the ciphertext value and an authentication tag. This tool reproduces Laravel's decryption locally: paste an encrypted value or cookie plus your APP_KEY and it recovers the plaintext in your browser, for debugging, forensics and authorized recovery on applications you control.
Input:
eyJpdiI6Ii4uLiIsInZhbHVlIjoiLi4uIiwibWFjIjoiLi4uIn0= + base64:APP_KEY
Output:
my secret value
Where is the APP_KEY?
In your Laravel project's .env file as APP_KEY=base64:.... It is the symmetric key used for all Crypt operations.
Which ciphers are supported?
AES-256-CBC and AES-128-CBC (with HMAC-SHA256), plus AES-256-GCM and AES-128-GCM. Pick the one configured in config/app.php.
What does MAC verified mean?
For CBC payloads Laravel stores an HMAC. A valid MAC means the value is authentic and the key is correct; a mismatch means a wrong key or tampered data.
Is anything uploaded?
No. The token and APP_KEY are processed entirely in your browser using the Web Crypto API.
Decrypt values produced by Laravel's Crypt::encrypt or encrypted cookies using your APP_KEY. Everything runs in your browser - nothing is uploaded.
Laravel payloads are base64-encoded JSON with iv, value and either a mac (AES-CBC + HMAC-SHA256) or tag (AES-GCM). The APP_KEY from your .env is the symmetric key. CBC values are authenticated by recomputing HMAC-SHA256 over the base64 iv and value. PHP-serialized scalar strings are unwrapped automatically.