/^/
MediumSecurity5 min read

JWT (JSON Web Token) Regex

Checks that a string has the three-part, dot-separated base64url shape of a JSON Web Token (header.payload.signature) without decoding or verifying the signature.

#jwt#token#security#authentication#base64url#json-web-token

Regex Pattern

^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$

Pattern Breakdown

Hover over a token to see what it does.

^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$
TokenMeaning
^Anchors the match to the start of the string
[A-Za-z0-9_-]+One or more base64url characters making up a token segment (repeated for each of the 3 parts)
A-ZUppercase letters allowed in base64url encoding
a-zLowercase letters allowed in base64url encoding
\.Literal dot separating the header, payload, and signature segments
$Anchors the match to the end of the string

Detailed Explanation

What it does

This pattern verifies that a string is shaped like a JWT: three base64url-encoded segments (header, payload, signature) separated by two literal dots, with no extra dots or invalid characters. It does not decode the segments or validate the cryptographic signature.

Why it works

Base64url encoding only produces letters, digits, hyphens, and underscores, so [A-Za-z0-9_-]+ safely matches any well-formed segment. Because the group is repeated exactly three times with literal \. separators and the whole pattern is anchored with ^ and $, any string with too few or too many segments, or with characters outside the base64url alphabet, fails to match.

Common use cases

  • Quickly checking whether a string extracted from an Authorization header looks like a JWT before attempting to decode it
  • Filtering log output or request bodies to redact or flag JWT-shaped strings
  • Client-side sanity checks before sending a token to an API
  • Writing test fixtures or linters that assert a value looks like a JWT

Edge cases

  • Expired or tampered tokens still match, since this regex never inspects the decoded content or signature
  • A token with an empty segment, such as abc..def, correctly fails because + requires at least one character
  • Tokens using standard base64 (with + / = characters) instead of base64url will not match and are correctly rejected
  • Extremely long tokens with large payloads still match as long as the shape is correct, since + is unbounded

Limitations

  • Does not verify the signature, so a shape match is not proof the token is authentic or untampered
  • Does not check that the header or payload segments decode to valid JSON
  • Does not validate claims such as exp, iss, or aud — that requires a real JWT library
  • Cannot distinguish between JWS and JWE tokens beyond the basic three-segment shape

Interactive Tester

Edit the pattern or text below — matching runs live in your browser.

eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c a.b.c header.payload.signature

Test Cases

Editable — add your own inputs to see if they pass.

InputExpectedResult
Pass
Pass
Pass
Pass
Pass
Pass
Pass
Pass

Language Variants

Production-ready examples in 12 languages.

const jwtRegex = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;
console.log(jwtRegex.test(token));

Common Mistakes

Assuming a regex match means the token is valid and safe to trust

Fix: Always verify the signature with a proper JWT library (e.g. jsonwebtoken, PyJWT) using the correct secret or public key before trusting any claims

Using a character class that allows standard base64 characters (+, /, =) instead of base64url

Fix: Restrict the class to [A-Za-z0-9_-] since JWTs use base64url encoding, which replaces + and / and omits padding

Forgetting that JWTs can be very long, and accidentally truncating or bounding the segment length

Fix: Leave the quantifier unbounded (+) rather than capping segment length, since payload size varies widely

Performance Notes

  • Each [A-Za-z0-9_-]+ segment is a simple, non-overlapping character class, so matching is linear and safe from catastrophic backtracking
  • Anchoring with ^ and $ avoids wasted work scanning for a match inside a larger string
  • For high-throughput auth middleware, prefer this cheap shape check to short-circuit obviously malformed tokens before paying the cost of full signature verification

Browser Compatibility

EngineSupportedNotes
ChromeYes
FirefoxYes
SafariYes
EdgeYes
Node.jsYes