What does the JSON Web Token (JWT) — Structure Validation regex match?

Matches a JWT string: three base64url-encoded segments separated by dots.

Is the JSON Web Token (JWT) — Structure Validation regex ReDoS-safe?

Yes. Verified through static analysis: no ambiguous alternations or nested quantifiers that could trigger exponential backtracking.

How do I use this regex in php?

// No imports required — PCRE is built into PHP $pattern = '/^([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)$/'; $is_valid = (bool) preg_match($pattern, $input);

Security/API Keys & Tokens

Verified Safe

JSON Web Token (JWT) — Structure Validation Regex for PHP

/^([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)$/

What this pattern does

This page provides a well-structured, multi-part regular expression for matching json web token (jwt) — structure validation, ported and verified for PHP. In security-sensitive code, using an unverified regex can open the door to both false positives and denial-of-service attacks. The snippet below is ready to drop into your PHP project — whether you're validating in a Laravel validator, a WordPress plugin, or a standalone PHP script.

Php Implementation

Php

<?php
// JSON Web Token (JWT) — Structure Validation
// ReDoS-safe | RegexVault — Security > API Keys & Tokens

define('JSON_WEB_TOKEN_JWT_STRUCTURE_VALIDATION_PATTERN', '/^([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)$/');

function validate_json_web_token_jwt_structure_validation(string $input): bool {
    return (bool) preg_match(JSON_WEB_TOKEN_JWT_STRUCTURE_VALIDATION_PATTERN, $input);
}

// Example
var_dump(validate_json_web_token_jwt_structure_validation("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")); // bool(true)

Test Cases

Matches (Valid)	Rejects (Invalid)
`eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c`	`eyJhbGci.eyJzdWI.sig.extra`
`header.payload.signature`	`eyJhbGci.eyJzdWI`
`aaa.bbb.ccc`	`not.a.jwt.at.all.here`
—	`a.b.`

When to use this pattern

This pattern is drawn from the Security > API Keys & Tokens category and carries a ReDoS-safe certification. That matters for PHP developers because especially relevant in PHP where PCRE backtracking limits can trigger silent failures on malicious input. RegexVault audits patterns against known backtracking attack vectors, ensuring you have the necessary context before using this regex in a high-stakes production environment.

Common Pitfalls

Never trust a JWT whose signature you have not verified. The 'alg: none' attack bypasses signature verification. Never accept tokens with algorithm 'none'. Validate expiry (exp claim) — expired tokens must be rejected.

Technical Notes

Structure only — does not validate header algorithm, payload claims, expiry, or signature. Three segments: header (base64url) + payload (base64url) + signature (base64url, may be empty for 'none' algorithm — always reject 'none'). Capture groups: 1=header, 2=payload, 3=signature.

Have a pattern that belongs in the vault?

Submit it for review — community-verified patterns get credited to your GitHub handle. Free submissions join the queue. Priority review available for $15.

Submit a Pattern