Authenticated Prompts
Prompts are signed and tracked through derivation chains. As prompts evolve in the system, permissions can only narrow—never expand. This provides defense against prompt injection and enables forensic analysis of any output.
The Prompt Injection Problem
Prompt injection is the #1 vulnerability in AI systems (OWASP LLM01). Attackers embed malicious instructions in user inputs or retrieved data, hijacking the LLM's behavior.
Without authenticated prompts, there's no way to distinguish legitimate instructions from injected ones—they're all just text to the LLM.
Attack Example
User uploads a document containing:
Lineage Tracking
Every Authenticated Prompt maintains a cryptographic lineage—a chain of derivation that traces back to its origin. This enables tamper-evidence and forensic analysis.
When a prompt is created:
- •If no active context, it becomes a ROOT prompt
- •Otherwise, it DERIVES from the current prompt
- •The derivation chain is signed and immutable
{
"prompt_id": "prompt:12345",
"parent_id": "prompt:12344",
"root_id": "prompt:system-base",
"derivation_depth": 3,
"content": "Focus on APAC region...",
"policy": {
"resources": ["data:sales/*"],
"denied_resources": ["data:hr/*"]
},
"signature": "ed25519:..."
}parent_id
Reference to the immediate parent prompt from which this was derived.
root_id
Reference to the original root prompt. Root policies are absolute.
derivation_depth
Number of derivations from root. Can be bounded by policy for safety.
Monotonic Restriction
The key security property: derived prompts can only add restrictions, never relax them. This is enforced cryptographically and prevents privilege escalation.
Theorem: For any prompt derivation P → P', the permissions of P' are a subset of P. Formally: resources(P') ⊆ resources(P) anddenied_resources(P') ⊇ denied_resources(P).
| Property | Guarantee |
|---|---|
| Transitive denial | Once a resource is denied, it remains denied through all derivations |
| No privilege escalation | A derived prompt cannot grant access denied by any ancestor |
| Bounded derivation | Derivation depth limits are enforced cryptographically |
| Tamper evidence | Any modification to the chain invalidates signatures |
Integration
Create authenticated prompts with the MACAWClient. The SDK handles signing and lineage tracking automatically.
Use switch_prompt() to manage multiple prompt contexts (e.g., different user sessions).
from macaw_client import MACAWClient
client = MACAWClient(app_name="analyst")
client.register()
# Create a root prompt
root = client.create_authenticated_prompt(
"Analyze Q4 financials",
metadata={"source": "cfo"}
)
# Derive a more restricted prompt
# (automatically inherits and narrows root's policy)
refined = client.create_authenticated_prompt(
"Focus on APAC expenses"
)
# refined.parent_id == root.prompt_id
# Switch between prompt contexts
client.switch_prompt(root.prompt_id)Preventing Prompt Injection
Authenticated Prompts distinguish trusted instructions from untrusted data:
- 1System prompts are signed with your key
- 2User inputs marked as untrusted data
- 3Retrieved content carries source attestation
- 4Only signed instructions are followed
Signed with your key. LLM follows these as commands.
Treated as data. Injection attempts are blocked.
Carries source provenance. Policy-controlled.