Argon2 Hash (Argon2i, Argon2d, Argon2id) Regex for JavaScript

What this pattern does

This page provides a comprehensive, battle-tested regular expression for matching argon2 hash (argon2i, argon2d, argon2id), ported and verified for JavaScript. In security-sensitive code, using an unverified regex can open the door to both false positives and denial-of-service attacks. The snippet below is ready to drop into your JavaScript project — whether you're validating in an Express middleware, a Next.js API route, or a client-side form.

Javascript Implementation

// Argon2 Hash (Argon2i, Argon2d, Argon2id)
// ReDoS-safe | RegexVault — Security > Password Formats

const argon2HashArgon2iArgon2dArgon2idRegex = /^\$(argon2(?:i|d|id))\$v=19\$m=([0-9]+),t=([0-9]+),p=([0-9]+)(?:,keyid=[A-Za-z0-9+\/]{0,11}(?:=*))?(?:,data=[A-Za-z0-9+\/]{0,43}(?:=*))?\$([A-Za-z0-9+\/]{11,64}(?:={0,2}))\$([A-Za-z0-9+\/]{16,86}(?:={0,2}))$/;

function validateArgon2HashArgon2iArgon2dArgon2id(input: string): boolean {
  return argon2HashArgon2iArgon2dArgon2idRegex.test(input);
}

// Example
console.log(validateArgon2HashArgon2iArgon2dArgon2id("$argon2id$v=19$m=65536,t=2,p=1$c29tZXNhbHQ$RdescudvJCsgt3ub+b+dWRWJTmaaJObG")); // true

Test Cases

When to use this pattern

This pattern is drawn from the Security > Password Formats category and carries a ReDoS-safe certification. That matters for JavaScript developers because especially critical in long-running Node.js event loops where a ReDoS vulnerability can block the entire process. RegexVault audits patterns against known backtracking attack vectors, ensuring you have the necessary context before using this regex in a high-stakes production environment.

Common Pitfalls

Technical Notes

Argon2id is the recommended variant (memory-hard + side-channel resistant). Parameters: m=memory in KiB, t=time iterations, p=parallelism. OWASP recommends argon2id with m=19456 (19 MiB), t=2, p=1 as minimum. v=19 is the current version.