JWT (JSON Web Token) regex
Three base64url-encoded segments separated by dots — the JWT shape.
^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$
What it matches
A JWT (in JWS compact serialization) is structurally three segments separated by dots: header, payload, signature. The header and payload are base64url-encoded JSON; the signature is base64url-encoded raw bytes. This pattern validates only that shape. It does NOT check that the signature is correct, that the token is unexpired, or that the claims are what you expect; a string that matches may be entirely forged. Use a JWT library for all of that, and treat the regex as a cheap pre-filter that rejects obvious junk before the real parsing and verification happen.
Examples
Matches
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhYmMifQ.signature
Three dot-separated base64url segments: the minimal valid shape.
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL3Rvb2xlZC5kZXYifQ.abc-_def
Real-shape token with an RS256 header, an issuer claim, and hyphen/underscore in the signature.
Does not match
abc.def
Only two segments.
abc.def.ghi.jkl
Four segments.
just-a-string
No dots.
eyJ.has=padding.signature
Contains `=`, the standard base64 padding character; base64url doesn't use it, so it falls outside the character class.
Edge cases & gotchas
- Doesn't validate the signature. Anyone can forge a string of this shape, so ALWAYS verify with the signing key before trusting any claim in it.
- Doesn't check expiration. The `exp` claim (seconds since the Unix epoch) is inside the payload; decode it and compare against the current time, and honour `nbf` as well if it is present.
- Rejects unsigned tokens (`alg: none`). Those have an empty third segment, so the token ends with a dot, and this pattern requires every segment to be non-empty. Only loosen the third group to `[A-Za-z0-9_-]*` if you genuinely have to transport unsigned tokens, and even then configure your verifier to refuse `none`; accepting whatever algorithm the header names, `none` included, is a well-known way to bypass the signature check.
- The `_` and `-` are intentional. JWT uses base64url (no `+`, `/`, or `=`), so a standard-base64 string won't match.
In your language
// JavaScript
const re = /^[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+$/;
const looksLikeJwt = re.test(input); // shape only; `input` is the candidate string
Notes for production
- Decode carefully: in a browser, `JSON.parse(atob(token.split('.')[1].replace(/-/g, '+').replace(/_/g, '/')))` decodes the payload of most tokens (modern `atob` accepts the missing padding). But `atob` returns a byte string, so non-ASCII claims come out mangled unless you decode those bytes as UTF-8, and it throws on malformed input. Decoding is not verification: the payload is attacker-controlled JSON until the signature has been checked. Libraries handle padding, UTF-8, errors, and verification for you.
- Use `jsonwebtoken` (Node) or `python-jose` (Python) for verification; they support the standard algorithms and key formats. Always pass the allowed algorithm list explicitly (`algorithms: ['RS256']` in `jsonwebtoken.verify`, `algorithms=['RS256']` in `jose.jwt.decode`) together with the expected `audience` and `issuer`, so the token's own header cannot choose the algorithm it is verified with.
Frequently asked
Does matching this regex mean the JWT is valid?
No; only that it has the right shape. Treat a JWT as valid only if (1) the signature verifies against the issuer's key using an algorithm you chose, not one the token's header chose, (2) the token is within its validity window (`exp`, and `nbf` if present), and (3) the claims (`iss`, `aud`, `sub`) are what you expect. Short of that, the payload is just attacker-controlled JSON.
How do I extract JWTs from HTTP headers?
Most arrive in the `Authorization` header prefixed with `Bearer `. Match `/^Bearer ([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)$/i` against the header value and take capture group 1. The scheme name is case-insensitive (RFC 7235), hence the `i` flag, and anchoring both ends rejects a header that carries anything besides the token.
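The header extraction above, as an added example that is not from the page: the scheme match is anchored and case-insensitive, and a header that is missing, uses another scheme, or carries trailing data yields `null`. The header values are constructed.

```javascript
// Added example (not from the page): pull a bearer token out of an
// Authorization header value. The scheme name is case-insensitive (RFC 7235)
// and may be followed by one or more spaces; the pattern is anchored so a
// header carrying anything beyond the token is rejected outright.
const BEARER_JWT = /^Bearer +([A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+)$/i;

// Returns the token, or null when the header is absent, uses another scheme,
// or carries something that is not JWT-shaped. Shape only: verify the result
// before trusting it.
function extractBearerJwt(headerValue) {
  if (typeof headerValue !== 'string') return null;
  const m = BEARER_JWT.exec(headerValue.trim());
  return m ? m[1] : null;
}

// Constructed header values covering the usual cases.
const SAMPLE_HEADERS = {
  ok:        'Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhYmMifQ.signature',
  lowercase: 'bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhYmMifQ.signature', // scheme case differs
  basic:     'Basic dXNlcjpwYXNz',                                       // different scheme
  unsigned:  'Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhYmMifQ.',          // empty signature segment
  trailing:  'Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhYmMifQ.signature extra',
  missing:   undefined,
};

for (const [name, value] of Object.entries(SAMPLE_HEADERS)) {
  console.log(name, '->', extractBearerJwt(value));
}
```

Only `ok` and `lowercase` return a token; everything else returns `null`, which is the safe default for a request that then has to be treated as unauthenticated.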
What's base64url and how is it different from base64?
Base64url (RFC 4648 section 5) replaces `+` with `-` and `/` with `_`; JWS additionally drops the `=` padding. The result is URL- and filename-safe, which is why tokens can travel in query strings, cookies, and HTTP headers without escaping.