JWT (JSON Web Token) Regex
Checks that a string has the three-part, dot-separated base64url shape of a JSON Web Token (header.payload.signature) without decoding or verifying the signature.
Regex Pattern
^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$Pattern Breakdown
Hover over a token to see what it does.
| Token | Meaning |
|---|---|
| ^ | Anchors the match to the start of the string |
| [A-Za-z0-9_-]+ | One or more base64url characters making up a token segment (repeated for each of the 3 parts) |
| A-Z | Uppercase letters allowed in base64url encoding |
| a-z | Lowercase letters allowed in base64url encoding |
| \. | Literal dot separating the header, payload, and signature segments |
| $ | Anchors the match to the end of the string |
Detailed Explanation
What it does
This pattern verifies that a string is shaped like a JWT: three base64url-encoded segments (header, payload, signature) separated by two literal dots, with no extra dots or invalid characters. It does not decode the segments or validate the cryptographic signature.
Why it works
Base64url encoding only produces letters, digits, hyphens, and underscores, so [A-Za-z0-9_-]+ safely matches any well-formed segment. Because the group is repeated exactly three times with literal \. separators and the whole pattern is anchored with ^ and $, any string with too few or too many segments, or with characters outside the base64url alphabet, fails to match.
Common use cases
- Quickly checking whether a string extracted from an Authorization header looks like a JWT before attempting to decode it
- Filtering log output or request bodies to redact or flag JWT-shaped strings
- Client-side sanity checks before sending a token to an API
- Writing test fixtures or linters that assert a value looks like a JWT
Edge cases
- Expired or tampered tokens still match, since this regex never inspects the decoded content or signature
- A token with an empty segment, such as abc..def, correctly fails because + requires at least one character
- Tokens using standard base64 (with + / = characters) instead of base64url will not match and are correctly rejected
- Extremely long tokens with large payloads still match as long as the shape is correct, since + is unbounded
Limitations
- Does not verify the signature, so a shape match is not proof the token is authentic or untampered
- Does not check that the header or payload segments decode to valid JSON
- Does not validate claims such as exp, iss, or aud — that requires a real JWT library
- Cannot distinguish between JWS and JWE tokens beyond the basic three-segment shape
Interactive Tester
Edit the pattern or text below — matching runs live in your browser.
Test Cases
Editable — add your own inputs to see if they pass.
| Input | Expected | Result | |
|---|---|---|---|
| Pass | |||
| Pass | |||
| Pass | |||
| Pass | |||
| Pass | |||
| Pass | |||
| Pass | |||
| Pass |
Language Variants
Production-ready examples in 12 languages.
const jwtRegex = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;
console.log(jwtRegex.test(token));Common Mistakes
Assuming a regex match means the token is valid and safe to trust
Fix: Always verify the signature with a proper JWT library (e.g. jsonwebtoken, PyJWT) using the correct secret or public key before trusting any claims
Using a character class that allows standard base64 characters (+, /, =) instead of base64url
Fix: Restrict the class to [A-Za-z0-9_-] since JWTs use base64url encoding, which replaces + and / and omits padding
Forgetting that JWTs can be very long, and accidentally truncating or bounding the segment length
Fix: Leave the quantifier unbounded (+) rather than capping segment length, since payload size varies widely
Performance Notes
- Each [A-Za-z0-9_-]+ segment is a simple, non-overlapping character class, so matching is linear and safe from catastrophic backtracking
- Anchoring with ^ and $ avoids wasted work scanning for a match inside a larger string
- For high-throughput auth middleware, prefer this cheap shape check to short-circuit obviously malformed tokens before paying the cost of full signature verification
Browser Compatibility
| Engine | Supported | Notes |
|---|---|---|
| Chrome | Yes | — |
| Firefox | Yes | — |
| Safari | Yes | — |
| Edge | Yes | — |
| Node.js | Yes | — |