Token smuggling is an adversarial technique that hides malicious instructions by exploiting the gap between a security filter's text-based pattern matching and the language model's subword tokenization process. Attackers construct strings where dangerous commands are fragmented across token boundaries, rendering them invisible to regex-based sanitization while the model's tokenizer reassembles the malicious payload during inference.
Glossary
Token Smuggling

What is Token Smuggling?
Token smuggling is a sophisticated prompt injection technique that exploits discrepancies in how text is tokenized to conceal malicious commands within strings that appear benign to input sanitization filters.
This attack leverages the fact that many input filters operate on raw characters or whitespace-delimited words, but models process text as token IDs. By carefully selecting words that share overlapping token representations with blocked terms, an attacker can bypass keyword blocklists. Defending against token smuggling requires canonicalization of inputs and applying safety classifiers directly to the tokenized sequence rather than the pre-tokenized text string.
Common Token Smuggling Attack Vectors
Token smuggling exploits discrepancies between how input sanitizers and language models parse text into tokens, allowing malicious commands to bypass detection by hiding within seemingly benign token sequences.
Unicode Normalization Bypass
Attackers exploit differences in Unicode normalization forms (NFC vs NFD) to hide malicious instructions. A string that appears safe after sanitizer normalization may decompose into dangerous tokens when the model's tokenizer processes it.
- Mechanism: The sanitizer normalizes to NFC, but the tokenizer reads raw bytes or a different form
- Example: A combined character like
é(single codepoint) passes sanitization, but the tokenizer splits it intoe+´, altering downstream token boundaries - Impact: Commands like
IGNORE_PREVIOUScan be reconstructed from fragments that individually appear harmless
Whitespace Token Boundary Manipulation
Tokenizers often treat whitespace as a prefix indicator for new tokens. Attackers insert or remove spaces to force the tokenizer to merge or split words in ways the sanitizer did not anticipate.
- Mechanism: The sanitizer sees
DROP TABLEas two distinct words, but removing the space causes the tokenizer to produce a single, unexpected token - Example:
SYSTEM:IGNOREwithout a space may tokenize as a single control-like token that triggers override behavior - Defense: Normalize all whitespace to a canonical form before both sanitization and tokenization
Subword Fragment Reassembly
Modern tokenizers use subword algorithms like Byte-Pair Encoding (BPE). Attackers craft inputs where malicious commands are split across multiple benign subword tokens that the model reassembles during inference.
- Mechanism: The word
DISREGARDmight tokenize asDIS+REG+ARD. A filter scanning forDISREGARDas a complete token misses it entirely - Example:
_assistantand_overridepass separately but concatenate in the model's attention context to form a command - Key Insight: Sanitizers operating on raw text cannot see the token boundaries the model will ultimately use
Special Token Injection
Tokenizers reserve special tokens for control functions (e.g., <|endoftext|>, <|im_start|>). If user input containing these raw strings is not properly escaped, attackers can inject synthetic control tokens that alter the model's parsing state.
- Mechanism: Input containing the literal string
<|im_start|>systemmay be tokenized as an actual control token, not as text - Example: An attacker injects
<|im_end|>to prematurely terminate the system prompt context, then follows with new instructions - Defense: Always escape or strip special token literals from user input before tokenization
Cross-Tokenizer Mismatch Exploitation
When a system uses one tokenizer for content filtering and a different tokenizer for the actual language model, attackers exploit the boundary disagreements between them.
- Mechanism: A moderation API uses a BERT-based tokenizer, but the generation model uses a GPT-family tokenizer with different vocabulary and merge rules
- Example: A phrase that tokenizes as 3 safe tokens in the filter tokenizer becomes 2 tokens in the model tokenizer, one of which matches a blocked command
- Best Practice: Use identical tokenization pipelines for both filtering and generation
Byte-Level Encoding Evasion
Byte-level BPE tokenizers can represent any Unicode character as a sequence of byte tokens. Attackers encode malicious payloads as raw byte sequences that bypass character-level filters but are decoded by the tokenizer into executable instructions.
- Mechanism: The string
IGNOREencoded as individual byte tokens (I,G,N,O,R,E) passes filters looking for the complete word - Example: Using zero-width joiners or bidirectional text markers to force unexpected byte-token boundaries
- Impact: Filters that operate at the character or word level are blind to byte-level token reconstruction
Token Smuggling vs. Related Prompt Injection Techniques
A comparative analysis of token smuggling against other prompt injection methodologies, highlighting differences in mechanism, detection difficulty, and defensive countermeasures.
| Feature | Token Smuggling | Payload Splitting | Delimiter Injection |
|---|---|---|---|
Core Mechanism | Exploits tokenization discrepancies to hide commands within sub-word units | Divides malicious instruction into multiple syntactically benign fragments | Inserts special characters to break logical prompt structure and context boundaries |
Bypasses Input Sanitization | |||
Detection Difficulty | Very High | High | Medium |
Primary Defense | Prompt Normalization, Perplexity Filtering | Semantic Filtering, Context Window Segmentation | Input Sanitization, Prompt Hardening |
Relies on Model Reassembly | |||
Attack Vector Complexity | High | Medium | Low |
Typical Payload Location | Within seemingly harmless tokens | Across multiple user inputs or data fields | Within a single input string |
Effectiveness Against Guard Models | High | Medium | Low |
Frequently Asked Questions
Explore the mechanics, risks, and defenses associated with token smuggling—a sophisticated adversarial technique that exploits the gap between human-readable text and machine-interpreted tokens to bypass AI security filters.
Token smuggling is an adversarial technique that exploits tokenization discrepancies to hide malicious commands within seemingly harmless text strings. It works by constructing inputs that appear benign to human reviewers or simple string-matching filters but decompose into dangerous token sequences when processed by the model's Byte-Pair Encoding (BPE) tokenizer. For example, a word split across a boundary or a cleverly chosen Unicode sequence can cause the tokenizer to produce tokens that spell out a forbidden command like DROP TABLE after parsing, effectively bypassing pre-processing sanitization that scans the raw string. This attack targets the fundamental disconnect between the character-level view of input sanitizers and the sub-word token view of the language model.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Defense Strategies Against Token Smuggling
Token smuggling exploits discrepancies between how a security filter tokenizes text and how the target language model tokenizes it. These defense strategies neutralize adversarial payloads hidden within token boundaries before they reach the model.
Canonical Tokenization Alignment
The foundational defense is ensuring the tokenizer used by the security filter is byte-for-byte identical to the model's tokenizer. Attackers exploit mismatches where a filter sees [harmless] but the model's tokenizer splits the string differently, reconstructing a malicious command. BPE (Byte-Pair Encoding) merging rules must be mirrored exactly. - Align pre-tokenization regex patterns - Match special token handling (e.g., <|endoftext|>) - Use the model's native tiktoken or sentencepiece library directly in the guard layer
Unicode Normalization and Canonicalization
Smuggling often uses homoglyphs and multi-byte Unicode sequences that look identical to ASCII but have different token boundaries. Defenses must apply NFKC normalization to collapse compatibility characters before tokenization. - Strip zero-width characters (U+200B, U+200C, U+200D) - Normalize fullwidth Latin (FULLWIDTH) to standard ASCII - Reject or normalize bidirectional text override characters that reverse string rendering order - Convert all text to a canonical form before any filtering logic executes
Token Boundary Integrity Checks
Instead of scanning raw text, this defense tokenizes the input and analyzes the resulting token ID sequence directly. Malicious payloads hidden across token boundaries become visible when inspecting the integer token stream. - Scan for known dangerous token sequences in embedding space - Detect anomalous token adjacency patterns that deviate from natural language - Flag inputs where a single 'safe' word tokenizes into sub-tokens that independently form dangerous commands - Implement a token-level intrusion detection system that operates on the model's native vocabulary
Input Reconstruction and Re-Tokenization
A defense-in-depth technique that decodes the input back to text after initial tokenization, then re-tokenizes it with a different algorithm. Discrepancies between the two token sequences indicate smuggling attempts. - Use a secondary tokenizer (e.g., WordPiece vs BPE) as a consistency check - Compare token counts and boundary positions between passes - Flag inputs where reconstruction produces a different byte sequence than the original - This catches attacks that exploit implementation-specific quirks in a single tokenizer
Maximum Token Length Enforcement
Token smuggling often relies on creating extremely long, artificially constructed tokens that span what should be multiple logical units. Enforcing a strict maximum token length in bytes prevents attackers from packing entire commands into a single token. - Reject any single token exceeding a configurable byte threshold - Monitor for inputs generating tokens with abnormally high byte-per-token ratios - This is particularly effective against attacks that exploit rare Unicode codepoints to create oversized BPE merges
Semantic Embedding Consistency Analysis
Beyond token-level inspection, this defense computes the embedding vector of the input and compares it to the embedding of its sanitized version. A smuggled payload that changes the semantic meaning will produce a large cosine distance between the two vectors. - Generate embeddings using the target model's embedding layer - Flag inputs where sanitization produces a significantly different vector - This catches attacks where the surface text appears benign but the underlying token structure encodes malicious intent - Combine with a similarity threshold tuned to your application's tolerance

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us