Tokenize user content with add_special_tokens=False so strings like <|system|> stay literal text instead of becoming the real special token ids that break the trust boundary.
Imagine a theater where saying the phrase 'lights out' really kills the stage lights, because the crew is trained to obey it. Now a heckler in the audience shouts 'lights out' and the room goes dark, because the crew could not tell the heckler apart from the director. The fix is a rule: anything an audience member says is just words, never a command. In a language model, the dangerous command-words are special tokens like the system marker. Setting add_special_tokens to False is that rule, so a marker typed by a user is treated as plain text rather than a real instruction the model obeys.
Detailed answer & concept explanation~6 min readEverything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example. Click to expand.
Everything you need to truly understand this topic: intuition, mechanics, step by step explanation, code, formulas, and worked example.
Everything important, quickly.
2-3 min: what add_special_tokens does + default True is unsafe + why escape_html misses the layer + apply_chat_template pairing + structural separation as defense in depth.
Real products, models, and research that use this idea.
- HuggingFace Transformers exposes add_special_tokens on tokenizer.encode and __call__, and the docs warn against minting special ids from untrusted input.
- LangChain and similar orchestration layers that build prompts from user fields can leak markers if the underlying tokenize step keeps the default add_special_tokens=True.
- OpenAI's messages API for GPT-5.5 keeps each user turn structurally separate so user text cannot mint a system boundary on its own.
- Anthropic's Claude Opus 4.7 messages format likewise isolates user content, which is the API-level version of the add_special_tokens=False defense.
What an interviewer would ask next. Try answering before peeking at the approach.
QEven with add_special_tokens=False, how could a developer still reintroduce the injection risk?
QWhy is structural separation at the messages API stronger than relying on a single flag?
Don't say thisRed flags and common mistakes that signal junior thinking. Click to expand.
Red flags and common mistakes that signal junior thinking. Click to expand.
Picking a plausible-sounding flag like sanitize_special_tokens or escape_html. Those are not real tokenizer parameters; the real knob is add_special_tokens.
The night-before-the-interview bullets. Scan these on the way to the call.
Primary sources. Skim if you want the original framing.
Same topic, related formats. Practice these next.