What does the OAuth 2.0 Authorization Code regex match?

Matches an OAuth 2.0 authorization code: short-lived, typically 32-64 alphanumeric characters.

Is the OAuth 2.0 Authorization Code regex ReDoS-safe?

Yes. The pattern uses a flat, non-backtracking structure with no nested quantifiers, making catastrophic backtracking impossible.

How do I use this regex in php?

// No imports required — PCRE is built into PHP $pattern = '/^[A-Za-z0-9\-\/_]{20,64}$/'; $is_valid = (bool) preg_match($pattern, $input);

Security/OAuth & OIDC

Verified Safe

OAuth 2.0 Authorization Code Regex for PHP

/^[A-Za-z0-9\-/_]{20,64}$/

What this pattern does

This page provides a lightweight, single-purpose regular expression for matching oauth 2.0 authorization code, ported and verified for PHP. In security-sensitive code, using an unverified regex can open the door to both false positives and denial-of-service attacks. The snippet below is ready to drop into your PHP project — whether you're validating in a Laravel validator, a WordPress plugin, or a standalone PHP script.

Php Implementation

Php

<?php
// OAuth 2.0 Authorization Code
// ReDoS-safe | RegexVault — Security > OAuth & OIDC

define('OAUTH_20_AUTHORIZATION_CODE_PATTERN', '/^[A-Za-z0-9\-\/_]{20,64}$/');

function validate_oauth_20_authorization_code(string $input): bool {
    return (bool) preg_match(OAUTH_20_AUTHORIZATION_CODE_PATTERN, $input);
}

// Example
var_dump(validate_oauth_20_authorization_code("4/0AY0e-g7aBcDeFgHiJkLmNoPqRsTuVwXyZ01")); // bool(true)

Test Cases

Matches (Valid)	Rejects (Invalid)
`4/0AY0e-g7aBcDeFgHiJkLmNoPqRsTuVwXyZ01`	`short`
`aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789`	`code with spaces`
—	`code!@#$%^`

When to use this pattern

This pattern is drawn from the Security > OAuth & OIDC category and carries a ReDoS-safe certification. That matters for PHP developers because especially relevant in PHP where PCRE backtracking limits can trigger silent failures on malicious input. RegexVault audits patterns against known backtracking attack vectors, ensuring you have the necessary context before using this regex in a high-stakes production environment.

Common Pitfalls

Authorization codes in redirect URIs may be logged by load balancers, CDNs, or proxy servers that log full URLs. Ensure auth callback URLs are excluded from access logging.

Technical Notes

Authorization codes are single-use and short-lived (typically 5-10 minutes). RFC 6749 does not specify the format — implementation-specific. Codes appear in the redirect URI as ?code=VALUE and must be exchanged immediately for an access token.

Have a pattern that belongs in the vault?

Submit it for review — community-verified patterns get credited to your GitHub handle. Free submissions join the queue. Priority review available for $15.

Submit a Pattern