Abstract
Modern API and LLM security solutions focus primarily on detecting malicious requests and deciding whether a request should be allowed or blocked at the API security gateway. While effective for identifying prompt-injection attempts and API abuse, these mechanisms do not provide a reliable way to enforce what an approved request is allowed to do after it leaves the gateway. In real-world LLM systems, requests commonly undergo downstream prompt construction, retrieval-augmented generation (RAG), agent interactions, and tool execution, which may introduce indirect prompt injection and unintended capability escalation beyond the gateway’s visibility.
The proposal introduces a Signed Authorization Context (SAC) mechanism that allows an API security gateway to convert its approval decision into a cryptographically verifiable execution contract. After validating and allowing a request, the gateway signs a short-lived authorization context that explicitly defines the permitted execution scope, such as allowed tools, data access level, resource limits, and request binding. This signed context is attached to the request and propagated downstream.
Downstream execution components, such as LLM runtimes, tool routers, and workflow engines, verify the signed authorization context before performing any side-effecting actions. Execution is permitted only if the requested behavior falls within the authorized scope. As a result, even when indirect prompt injection occurs after the gateway (e.g., via RAG content, templates, or agent-to-agent messages), unauthorized tool execution and data access are deterministically prevented.
The proposal deliberately separates semantic detection from execution authorization. Existing API security and LLM inspection services continue to detect and block malicious prompts, while the signed authorization context enforces a strict invariant: execution behavior must not exceed what was explicitly authorized upstream. The proposed approach avoids reliance on downstream prompt semantics, survives TLS termination and multi-stage pipelines, and integrates cleanly with existing security architectures.
By introducing a portable, cryptographically enforced authorization layer for LLM and API execution, the proposal addresses a critical gap in current API security models and provides a practical, deterministic safeguard against post-gateway capability escalation in modern LLM-driven systems.
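The issue-and-verify flow described above, as an added example that is not code from the disclosure: a gateway signs a short-lived context bound to the request, and a tool router checks it before any side effect. Assumptions: HMAC-SHA256 with a shared key stands in for the signature scheme (the abstract does not name one), and the field names, the integer `data_level` ordering and the function names are hypothetical.

```python
import base64, hashlib, hmac, json, time

# Assumption: a shared HMAC key stands in for the gateway's signing key.
GATEWAY_KEY = b"constructed-demo-key"

def _digest(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()

def _mac(payload: bytes) -> bytes:
    return hmac.new(GATEWAY_KEY, payload, hashlib.sha256).digest()

def issue_sac(body, allowed_tools, data_level, max_tool_calls, ttl=30, now=None):
    """Gateway side: sign the approved scope, bound to this request body."""
    now = time.time() if now is None else now
    ctx = {"req": _digest(body), "tools": sorted(allowed_tools),
           "data_level": data_level, "max_tool_calls": max_tool_calls,
           "exp": int(now) + ttl}
    payload = json.dumps(ctx, sort_keys=True, separators=(",", ":")).encode()
    enc = base64.urlsafe_b64encode
    return enc(payload).decode() + "." + enc(_mac(payload)).decode()

def authorize_tool_call(token, body, tool, data_level, calls_so_far, now=None):
    """Tool-router side: return (allowed, reason) before any side effect."""
    now = time.time() if now is None else now
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except ValueError:
        return False, "malformed"
    # Verify the signature before trusting any field of the context.
    if not hmac.compare_digest(sig, _mac(payload)):
        return False, "bad signature"
    ctx = json.loads(payload)
    if now >= ctx["exp"]:
        return False, "expired"
    if ctx["req"] != _digest(body):
        return False, "request mismatch"
    if tool not in ctx["tools"]:
        return False, "tool not authorized"
    if data_level > ctx["data_level"]:
        return False, "data level exceeded"
    if calls_so_far >= ctx["max_tool_calls"]:
        return False, "call limit reached"
    return True, "ok"
```

The decision depends only on the signed fields and the requested action, never on prompt text, so injected content downstream cannot widen the scope. With a shared HMAC key every verifier could also mint contexts; an asymmetric signature would keep issuance with the gateway alone.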
Creative Commons License

This work is licensed under a Creative Commons Attribution 4.0 License.
Recommended Citation
M M, Niranjan, "Cryptographically Binding Authorization Context to LLM and API Request Execution", Technical Disclosure Commons, (March 16, 2026)
https://www.tdcommons.org/dpubs_series/9540