Chat APIs structure messages by role so the model separates policy from user content—critical for safety and RAG boundaries.
Roles
- system — persistent rules, persona, tool policies
- user — end-user input (may include retrieved context)
- assistant — prior model replies in multi-turn chat
- tool (vendor-specific) — function results fed back
System prompt hygiene
Keep system text stable across turns. Do not let users edit system instructions in the UI without authorization. Version system prompts like code.
Delimiters against injection
user_block = f"""### USER_INPUT_START
{sanitize(user_text)}
### USER_INPUT_END"""Important interview questions and answers
- Q: Why separate system from user?
A: System rules should not be trivially overridden by a later user line saying ignore previous instructions.
Self-check
- What goes in the system role?
- Why delimit user input?
Pitfall: Letting users edit the system prompt in production—treat as authorization bug.
Interview prep
- System role?
Stable policy and persona separate from untrusted user content.
- Delimiters?
Mark user data boundaries to reduce injection confusion.