What does the SendGrid API Key regex match?

Matches a SendGrid API key: SG. prefix + 69 characters.

Is the SendGrid API Key regex ReDoS-safe?

Yes. The pattern uses a flat, non-backtracking structure with no nested quantifiers, making catastrophic backtracking impossible.

How do I use this regex in javascript?

// No imports required — RegExp is built into JavaScript const regex = /^SG\.[A-Za-z0-9_\-.]{30,100}$/; const isValid = regex.test(input);

Security/API Keys & Tokens

Verified Safe

SendGrid API Key Regex for JavaScript

/^SG\.[A-Za-z0-9_\-.]{30,100}$/

What this pattern does

This page provides a lightweight, single-purpose regular expression for matching sendgrid api key, ported and verified for JavaScript. In security-sensitive code, using an unverified regex can open the door to both false positives and denial-of-service attacks. The snippet below is ready to drop into your JavaScript project — whether you're validating in an Express middleware, a Next.js API route, or a client-side form.

Javascript Implementation

Javascript

// SendGrid API Key
// ReDoS-safe | RegexVault — Security > API Keys & Tokens

const sendgridApiKeyRegex = /^SG\.[A-Za-z0-9_\-.]{30,100}$/;

function validateSendgridApiKey(input: string): boolean {
  return sendgridApiKeyRegex.test(input);
}

// Example
console.log(validateSendgridApiKey("SG.aBcDeFgHiJkLmNoPqRsTuVw.aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789aBcDeFg")); // true

Test Cases

Matches (Valid)	Rejects (Invalid)
`SG.aBcDeFgHiJkLmNoPqRsTuVw.aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789aBcDeFg`	`SG.short.token`
—	`SG_aBcDeFgHiJkLmNoPqRsTuVw.aBcDeFgHiJkLmNoPqRsTuVwXyZ0123`
—	`sg.aBcDeFgHiJkLmNoPqRsTuVw.aBcDeFgHiJkLmNoPqRsTuVwXyZ0123456789aBcDeFg`

When to use this pattern

This pattern is drawn from the Security > API Keys & Tokens category and carries a ReDoS-safe certification. That matters for JavaScript developers because especially critical in long-running Node.js event loops where a ReDoS vulnerability can block the entire process. RegexVault audits patterns against known backtracking attack vectors, ensuring you have the necessary context before using this regex in a high-stakes production environment.

Common Pitfalls

A leaked full-access SendGrid key allows sending phishing emails from your verified domain. Scope API keys to the minimum required permissions. Use IP allowlisting for extra protection.

Technical Notes

SendGrid API keys: SG. + 22-char API key ID + . + 43-char token. Three-part structure, always 69 characters after the SG. prefix. Can be scoped to specific mail operations (send, read stats, manage contacts).

Have a pattern that belongs in the vault?

Submit it for review — community-verified patterns get credited to your GitHub handle. Free submissions join the queue. Priority review available for $15.

Submit a Pattern