What does the OpenID Connect ID Token (JWT) regex match?

Matches an OIDC ID token — same structure as JWT (sec-api-02) but with semantic context.

Is the OpenID Connect ID Token (JWT) regex ReDoS-safe?

Yes. Verified through static analysis: no ambiguous alternations or nested quantifiers that could trigger exponential backtracking.

How do I use this regex in javascript?

// No imports required — RegExp is built into JavaScript const regex = /^([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]*)$/; const isValid = regex.test(input);

Security/OAuth & OIDC

Verified Safe

OpenID Connect ID Token (JWT) Regex for JavaScript

/^([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]*)$/

What this pattern does

This page provides a well-structured, multi-part regular expression for matching openid connect id token (jwt), ported and verified for JavaScript. In security-sensitive code, using an unverified regex can open the door to both false positives and denial-of-service attacks. The snippet below is ready to drop into your JavaScript project — whether you're validating in an Express middleware, a Next.js API route, or a client-side form.

Javascript Implementation

Javascript

// OpenID Connect ID Token (JWT)
// ReDoS-safe | RegexVault — Security > OAuth & OIDC

const openidConnectIdTokenJwtRegex = /^([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]+)\.([A-Za-z0-9_-]*)$/;

function validateOpenidConnectIdTokenJwt(input: string): boolean {
  return openidConnectIdTokenJwtRegex.test(input);
}

// Example
console.log(validateOpenidConnectIdTokenJwt("eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyMTIzIiwiYXVkIjoiY2xpZW50XzEifQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")); // true

Test Cases

Matches (Valid)	Rejects (Invalid)
`eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyMTIzIiwiYXVkIjoiY2xpZW50XzEifQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c`	`not.a.jwt.at.all.here`
—	`two.parts`

When to use this pattern

This pattern is drawn from the Security > OAuth & OIDC category and carries a ReDoS-safe certification. That matters for JavaScript developers because especially critical in long-running Node.js event loops where a ReDoS vulnerability can block the entire process. RegexVault audits patterns against known backtracking attack vectors, ensuring you have the necessary context before using this regex in a high-stakes production environment.

Common Pitfalls

The most dangerous OIDC mistake is failing to validate the audience (aud) claim — an ID token issued for App A must not be accepted by App B. Validate aud strictly against your client_id.

Technical Notes

OIDC ID tokens are JWTs with specific required claims: iss (issuer), sub (subject), aud (audience), exp (expiry), iat (issued at). Always validate: 1) signature, 2) iss matches expected provider, 3) aud matches client_id, 4) exp is in the future, 5) nonce (if used). Never trust an ID token without validation.

Have a pattern that belongs in the vault?

Submit it for review — community-verified patterns get credited to your GitHub handle. Free submissions join the queue. Priority review available for $15.

Submit a Pattern