AEX: Non-Intrusive Multi-Hop Attestation and Provenance for LLM APIs

TL;DR

AEX is a non-intrusive extension for large language model APIs that provides cryptographic attestation of request-response integrity and provenance, enhancing trust without altering existing API semantics.

Contribution

It introduces a novel attestation protocol for LLM APIs that preserves semantics and supports realistic deployment scenarios with explicit request-binding and output provenance.

Findings

AEX successfully attests to specific request-response relations at the API boundary.

The protocol supports trusted intermediaries and output rewriting scenarios.

Prototype implementation demonstrates practical feasibility and security benefits.

Abstract

Hosted large language models are increasingly accessed through remote APIs, but the API boundary still offers little direct evidence that a returned output actually corresponds to the client-visible request. Recent audits of shadow APIs show that unofficial or intermediary endpoints can diverge from claimed behavior, while existing approaches such as fingerprinting, model-equality testing, verifiable inference, and TEE attestation either remain inferential or answer different questions. We propose AEX, a non-intrusive attestation extension for existing JSON-based LLM APIs. AEX preserves request, response, tool-calling, streaming, and error semantics, and instead adds a signed top-level attestation object that binds a client-visible request projection to either a complete response object or a committed streaming output. To support realistic deployments, AEX provides explicit request-binding modes, signed request-transform receipts for trusted intermediaries, and source-output / output-transform receipts for trusted output rewriting. For streaming, it separates checkpoint proofs for verified prefixes of an unmodified source stream from complete-output lineage for outputs that have been rewritten, buffered, aggregated, or re-packaged, preventing transformed outputs from being mistaken for source-stream prefixes. AEX therefore makes a deliberately narrow claim: a trusted issuer attests to a specific request-output relation, or to a specific complete-output lineage, at the API boundary. We present the protocol design, threat model, verification state machine, security and privacy analysis, an OpenAI-compatible chat-completions profile, and a reference TypeScript prototype with local conformance tests and microbenchmarks.