Securityflags: g

JWT Token

Match JSON Web Tokens (JWTs) — three base64url-encoded segments separated by dots.

Try it in RegexPro →

Available in

JSSupported

JavaScript / ECMAScript

Browser-native RegExp. Default if you don't pick.

PYSupported

Python (re)

CPython stdlib `re`. Unicode-aware `\w` and `\d` by default.

GOSupported

Go (RE2)

Linear-time matching. No backreferences or lookarounds.

Pattern

regexengine-agnostic
eyJ[A-Za-z0-9_\-]+\.eyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+   (flags: g)

Raw source: eyJ[A-Za-z0-9_\-]+\.eyJ[A-Za-z0-9_\-]+\.[A-Za-z0-9_\-]+

How it works

Both header and payload segments start with eyJ (base64 of '{"'), followed by base64url chars, joined by dots and followed by the signature segment.

Examples

Input

eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.abc123-_

Matches

  • eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxIn0.abc123-_

Input

Bearer token-here

No match

Common use cases

  • Detecting JWTs in log files for redaction
  • Extracting tokens from Authorization headers
  • Secret scanning in source code
  • Request tracing and debugging

Related patterns

GitHub Personal Access Token

Security

Match GitHub Personal Access Tokens (classic + fine-grained) and OAuth tokens by their `ghX_` prefix.

Bearer Token (Authorization Header)

Security

Match Bearer token values from HTTP Authorization headers, capturing the raw token string.

Generic API Key

Security

Match generic long alphanumeric tokens (32+ chars) typical of API keys and access tokens.

PEM Certificate Block

Security

Match PEM-encoded certificate and key blocks, capturing the block type and base64 content.

PreviousISO 8601 Date-Time
All patterns
NextGeneric API Key