GitHub Personal Access Token (Classic & Fine-Grained) Regex for JavaScript

What this pattern does

This page provides a well-structured, multi-part regular expression for matching github personal access token (classic & fine-grained), ported and verified for JavaScript. In security-sensitive code, using an unverified regex can open the door to both false positives and denial-of-service attacks. The snippet below is ready to drop into your JavaScript project — whether you're validating in an Express middleware, a Next.js API route, or a client-side form.

Javascript Implementation

// GitHub Personal Access Token (Classic & Fine-Grained)
// ReDoS-safe | RegexVault — Security > API Keys & Tokens

const githubPersonalAccessTokenClassicFinegrainedRegex = /^(ghp_|gho_|ghs_|ghr_|github_pat_)[A-Za-z0-9_]{20,80}$/;

function validateGithubPersonalAccessTokenClassicFinegrained(input: string): boolean {
  return githubPersonalAccessTokenClassicFinegrainedRegex.test(input);
}

// Example
console.log(validateGithubPersonalAccessTokenClassicFinegrained("ghp_aBcDeFgHiJkLmNoPqRsTuVwXyZ012345")); // true

Test Cases

When to use this pattern

This pattern is drawn from the Security > API Keys & Tokens category and carries a ReDoS-safe certification. That matters for JavaScript developers because especially critical in long-running Node.js event loops where a ReDoS vulnerability can block the entire process. RegexVault audits patterns against known backtracking attack vectors, ensuring you have the necessary context before using this regex in a high-stakes production environment.

Common Pitfalls

Technical Notes

GitHub token prefixes: ghp_=personal access token (classic), gho_=OAuth token, ghs_=GitHub App installation token, ghr_=refresh token, github_pat_=fine-grained PAT (newer format). Fine-grained PATs are scoped to specific repos and operations.