Llm Data Leakage in Chi with Jwt Tokens

In Chi, JWT tokens are commonly used for stateless authentication and authorization. When a JWT is accepted as user-controlled input to an LLM endpoint or included in logs, prompts, or error messages, it can create conditions for LLM data leakage. A JWT often contains identity claims (sub, email, roles) and may include scopes or permissions that should remain internal to the authorization layer. If these tokens are echoed back in LLM responses or exposed via prompt injection, the model can unintentionally reveal details about the authenticated subject or the application’s security context.

Consider an API endpoint in Chi that decodes a JWT to enrich a request and then passes user-supplied text to an LLM for summarization. If the request handling logic includes the raw token or its payload in the prompt—intentionally for debugging or unintentionally through verbose logging—the LLM may reflect that data in its output. For example, including a JWT in a system prompt or in a user message that is forwarded to the model can lead to system prompt leakage, where patterns used to protect the token’s context are revealed. This becomes especially risky when the same endpoint is used for both authorization and LLM interaction, because the token’s structure and claims may be inferable from the model’s responses.

The LLM/AI Security checks in middleBrick specifically test for this scenario by probing for system prompt leakage patterns that match frameworks like ChatML, Llama 2, Mistral, and Alpaca, which are common in Chi services that integrate LLMs. If a JWT appears in a token format (e.g., three dot-separated segments) within prompts or outputs, active prompt injection tests can demonstrate how an attacker might coax the model into repeating or transforming the token data. Output scanning further detects whether PII or structured credentials such as JWTs are present in LLM responses. Because JWTs often carry identity and authorization information, their exposure can lead to privilege escalation or account compromise when combined with other weaknesses like BOLA/IDOR.

In Chi, developers might inadvertently create this exposure by embedding JWTs in logs that are later ingested by observability tools connected to LLM analytics, or by passing tokens through error messages that are surfaced to language models for diagnostic reasoning. Even when JWTs are handled server-side, verbose trace information that includes token headers or claims can be surfaced to an LLM if the integration layer is not carefully designed. The interaction between Chi’s native JWT handling and LLM endpoints requires strict separation of authentication artifacts from model inputs and outputs to prevent indirect data leakage through the model’s training or inference traces.

middleBrick’s scanning approach checks for these conditions by running multiple security checks in parallel, including LLM/AI Security, Data Exposure, and Input Validation. It examines how JWT-like structures are handled across the unauthenticated attack surface and whether they can be reflected in model responses. This is important because JWTs in Chi are often high-value targets; their leakage can expose session context, impersonation risks, and authorization bypass indicators that align with frameworks such as OWASP API Top 10 and compliance requirements like SOC2 and GDPR.

To mitigate LLM data leakage involving JWT tokens in Chi, ensure that tokens and their payloads never reach the LLM layer. This requires strict input validation, output filtering, and isolation of authentication artifacts from model interaction code. The following examples demonstrate secure patterns in Chi using JWT handling that avoids exposing tokens or sensitive claims to language models.

// Secure JWT extraction and usage in Chi without exposing token to LLM
import jwt from "@hapi/jwt";
import { request } from "@hapi/hapi";

const server = hapi.server({ port: 3000 });

server.route({
  method: "POST",
  path: "/api/summary",
  options: {
    auth: {
      mode: "optional",
      strategy: "jwt"
    }
  },
  handler: (request, h) => {
    // Extract only the needed user identifier, not the full token
    const user = request.auth.credentials;
    const userId = user && user.user ? user.user.id : null;

    // Validate and sanitize input before sending to LLM
    const userInput = request.payload.text;
    if (typeof userInput !== "string" || userInput.length === 0) {
      return h.response({ error: "Invalid input" }).code(400);
    }

    // Do NOT include token, claims, or raw JWT in the prompt
    const prompt = `Summarize the following text for user ID ${userId}: ${userInput}`;

    // Call LLM with sanitized prompt
    return callLLMSummarization(prompt);
  }
});

async function callLLMSummarization(prompt) {
  // Placeholder for actual LLM call
  return { summary: "safe summary" };
}

This pattern ensures that only the necessary user identifier is used, and the JWT itself is never part of the prompt. In Chi, you should also configure your JWT validation strategy to avoid logging the full token. Use selective claims extraction and enforce tight input validation to prevent attackers from injecting token-like strings that could be echoed by the LLM.

// Chi route with strict JWT validation and no token leakage
import jwt from "@hapi/jwt";
import Hapi from "@hapi/hapi";

const validateJwt = (decoded) => {
  // Perform additional checks: audience, issuer, scope
  return { isValid: decoded.iss === "https://auth.example.com" };
};

const server = Hapi.server({ port: 4000 });

server.auth.strategy("jwt", "jwt", {
  keys: "your-verification-key",
  validate: validateJwt,
  verifyOptions: { algorithms: ["RS256"] }
});

server.route({
  method: "GET",
  path: "/api/data",
  options: {
    auth: {
      strategy: "jwt",
      scope: ["read:data"]
    }
  },
  handler: (request, h) => {
    const { scope } = request.auth.credentials;
    // Use scope for authorization logic, never pass the token to LLM
    if (!scope.includes("read:data")) {
      return h.response({ error: "Insufficient scope" }).code(403);
    }
    return { data: "safe data response" };
  }
});

These examples illustrate how to handle JWTs securely in Chi by limiting token exposure, validating claims rigorously, and ensuring that LLM interactions operate only on sanitized inputs. middleBrick’s CLI can be used to verify that no JWT tokens or claims appear in LLM prompts by running middlebrick scan <url> against your endpoints and reviewing the LLM/AI Security findings. For ongoing protection, the Pro plan enables continuous monitoring so that any regression in how JWTs are handled can trigger alerts before exposure occurs in production.

• Can LLM output ever contain a JWT in Chi applications?

  Not if JWTs are handled securely. Ensure tokens are never included in prompts, logs, or error messages that could be processed by the LLM. Use selective claims and strict input validation to prevent token reflection.

• How does middleBrick detect JWT-related LLM data leakage?

  middleBrick runs LLM/AI Security checks that include active prompt injection probes and output scanning for PII and credential-like patterns such as JWTs. It cross-references OpenAPI specs with runtime behavior to identify whether JWT structures appear in model interactions.