Regex to Match JWT Tokens
Match JSON Web Tokens (JWT) with their three Base64url-encoded parts: header, payload, and signature separated by dots.
Regular Expression
/eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+/g
Token Breakdown
| Token | Description |
|---|---|
| e | Matches the literal character 'e' |
| y | Matches the literal character 'y' |
| J | Matches the literal character 'J' |
| [A-Za-z0-9_-] | Character class — matches any one of: A-Za-z0-9_- |
| * | Matches the preceding element zero or more times (greedy) |
| \. | Matches a literal dot |
| e | Matches the literal character 'e' |
| y | Matches the literal character 'y' |
| J | Matches the literal character 'J' |
| [A-Za-z0-9_-] | Character class — matches any one of: A-Za-z0-9_- |
| * | Matches the preceding element zero or more times (greedy) |
| \. | Matches a literal dot |
| [A-Za-z0-9_-] | Character class — matches any one of: A-Za-z0-9_- |
| + | Matches the preceding element one or more times (greedy) |
Detailed Explanation
This regex matches JSON Web Tokens in their compact serialization format. Here is the token-by-token breakdown:
eyJ — Matches the literal characters eyJ, which is the Base64url encoding of {", the opening characters of the JSON object that forms the JWT header. Every standard JWT header starts with these three characters because it is a JSON object beginning with a curly brace and a quote.
[A-Za-z0-9_-]* — Matches zero or more Base64url characters for the remainder of the header. The Base64url alphabet uses letters, digits, hyphens, and underscores (replacing the + and / of standard Base64).
\. — Matches the literal dot separator between the header and payload sections. The dot is escaped because it is a regex metacharacter.
eyJ — Again matches eyJ for the payload section, which also begins as a JSON object with an opening brace and quote.
[A-Za-z0-9_-]* — Matches the remaining Base64url characters of the payload.
\. — Matches the second literal dot separator between the payload and signature.
[A-Za-z0-9_-]+ — Matches one or more Base64url characters for the cryptographic signature. The signature is required (one or more characters), as a JWT without a signature is incomplete.
The g flag enables global matching. This pattern is useful for detecting JWTs in logs, configuration files, HTTP headers, and source code. It leverages the fact that JWT headers and payloads always start with eyJ to reduce false positives. This is commonly used in security auditing to find exposed tokens.
Example Test Strings
| Input | Expected |
|---|---|
| eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U | Match |
| not.a.jwt | No Match |
| eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJqb2UifQ.abc123_- | Match |
| random-string-here | No Match |
| Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.rz8 | Match |
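An added example, not part of the original page: a Node.js sketch that uses the pattern above to find candidates in log text, confirms each one by Base64url-decoding its header and payload as JSON, and redacts the confirmed tokens. The function names, the [REDACTED_JWT] marker and the sample log are assumptions made for illustration, and no signature is verified.

```javascript
// Added example, not from the original page. Pattern copied from the page.
const JWT_RE = /eyJ[A-Za-z0-9_-]*\.eyJ[A-Za-z0-9_-]*\.[A-Za-z0-9_-]+/g;

// Constructed sample log. The two real-looking tokens are the page's test strings.
const SAMPLE_LOG = [
  'GET /api Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.rz8',
  'debug: marker=eyJ.eyJ.x (matches the regex but is not a token)',
  'jwt=eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJqb2UifQ.abc123_-',
].join('\n');

// Decode one Base64url segment into a JSON object; null if it is not one.
function decodeSegment(seg) {
  try {
    const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
    const obj = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
    return obj !== null && typeof obj === 'object' && !Array.isArray(obj) ? obj : null;
  } catch (err) {
    return null; // not valid JSON: a regex-only hit
  }
}

// Return regex hits whose header and payload both decode to JSON objects.
// Only claim names are reported (values may be sensitive); no signature is checked.
function findJwts(text) {
  const findings = [];
  for (const m of text.matchAll(JWT_RE)) {
    const [h, p] = m[0].split('.');
    const header = decodeSegment(h);
    const payload = decodeSegment(p);
    if (!header || typeof header.alg !== 'string' || !payload) continue;
    findings.push({ index: m.index, token: m[0], alg: header.alg, claims: Object.keys(payload) });
  }
  return findings;
}

// Replace confirmed tokens with a marker; unconfirmed regex hits are left as they are.
function redactJwts(text) {
  const confirmed = new Set(findJwts(text).map((f) => f.token));
  return text.replace(JWT_RE, (t) => (confirmed.has(t) ? '[REDACTED_JWT]' : t));
}

console.log(findJwts(SAMPLE_LOG).map((f) => `${f.index} ${f.alg} ${f.claims}`));
console.log(redactJwts(SAMPLE_LOG));
```

The eyJ.eyJ.x line shows why the regex alone over-reports: the * quantifiers accept segments that do not decode to a JSON object, so the decoding step filters them out.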
Related Regex Patterns
Regex to Match Base64 Encoded Strings
/^(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?$/m
Regex to Match Bearer Token Authorization Headers
/Bearer\s+([A-Za-z0-9\-._~+/]+=*)/g
Regex to Match API Key Formats
/(?:sk|pk|api|key)[-_]?(?:live|test|prod|dev)?[-_]?[A-Za-z0-9]{16,64}/g
Regex to Match SHA-256 Hash Strings
/^[a-fA-F0-9]{64}$/