Regex for matching JSON Web Tokens (JWT)

Match three base64url-encoded segments separated by dots.

intermediate javascript / pcre / python4 use cases

The pattern

[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]*

Test cases

Input	Result
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.signaturepart	✓matches
one.dot	✗rejects
four.dots.in.token	✗rejects

Edge cases & caveats

Doesn't validate signature or check expiry — format only. NEVER log JWTs at info level (PII risk). Strip JWTs from logs with replacement: `\b[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b` → `<JWT>`.

Common use cases

log redaction
auth header validation
token leakage detection
test fixture cleanup

Try variations against your data

regexlab is a free in-browser tester with side-by-side match highlighting, group inspector, and named-capture export to JS/Python/PCRE.

Open regexlab

hashtag · uuid · uk postcode · image src in html

Regex for matching JSON Web Tokens (JWT)

The pattern

Test cases

Edge cases & caveats

Common use cases

Related