Claude Code is in your enterprise. Here's how Straiker secures it.
Learn More

Please complete this form for your free AI risk assessment.

Back to Glossary

Token

Last updated on Apr 30, 2026

What is a token?

In the context of AI and natural language processing (NLP), a token is a discrete unit of input text that a language model processes. Tokens typically correspond to words, subword segments (such as prefixes or suffixes), punctuation marks, or whitespace. The average token length in English is approximately 3 to 5 characters, though this varies depending on the tokenization algorithm employed (e.g., Byte Pair Encoding, WordPiece, or SentencePiece). For example:

  • Dog → ["Dog"]
  • Encyclopedia → ["Enc", "cyclo", "Pedia"]

Why are tokens important in AI or LLMs?

A token or process of tokenization is fundamental to language models, enabling them to interpret and generate text effectively. Tokens, created by a tokenizer, which is an algorithm or software tool that connects the human-readable text and model-ready input, determine how input data is segmented and processed, impacting model performance, efficiency, and accuracy. Proper tokenization helps manage complex language patterns, supporting a nuanced understanding within the context window.

Why tokens matter for agentic AI security

Tokens are not just a performance concern they are an attack surface.

Token stuffing is an attack where an adversary floods an agent's input with large volumes of tokens padding, repetition, irrelevant content, or injected text to consume the available context budget. When the context window fills up, the model truncates older content first. If an attacker can predict what gets truncated, they can use token stuffing to deliberately push safety instructions, system prompt rules, or prior conversation context out of the model's active memory leaving the agent operating without its guardrails.

Context budget manipulation is a related technique where an attacker crafts inputs that are disproportionately expensive in token terms — for example, using rare Unicode characters, whitespace sequences, or encoded content that tokenizes into many more tokens than expected. This forces the model to exhaust its context window faster than the application anticipates, creating a predictable truncation point the attacker can exploit.

Both attacks are variants of the broader context overflow attack category and are particularly relevant to agentic systems, where agents process long document chains, tool outputs, and multi-turn histories within a single context window.

See also: Context Window & Prompt Injection

Previous
Next
Advanced Persistent Threats (APT)
Agent2Agent (A2A)
Agent framework
Agent Hijacking
Agentic browsers
Agentic Misalignment
AgentSecOps
AI Agent
AI Chatbots
AI Jailbreaking
AI-powered Persistent Threat (AiPT)
Autonomous Attack Simulation (AAS)
Autonomous Chaos
Context window
Conversation History
Data poisoning
In-context learning (ICL)
Indirect Prompt Injection
Language-Augmented Vulnerability in Applications (LaVA)
LLM Evasion
Long-term memory
Model context protocol (MCP)
Model Context Protocol (MCP) client
Model Context Protocol (MCP) host
Model Context Protocol (MCP) server
Model hijacking
Prompt Injection
RAG (Retrieval Augmented Generation)
Short-term memory
Token
Tool manipulation
Universal AI jailbreaks
Vector Database
Vector Embedding
Vector Search

Secure your agentic AI and AI-native application journey with Straiker

Book a Demo

The Agentic Security Company

Straiker is SOC2 certified
Straiker is SOC2 certified
Straiker is a member of Cloud Security Alliance (CSA)
Straiker is a gold sponsor of OWASP AI Exchange
Products
Security overview
Ascend AI
Defend AI
Use Cases
Red Teaming
Runtime Security
Agentic Browser Guardrails
MCP Security
Resources
Resources
Blog
Podcasts & Videos
Events & Webinars
Company
About Straiker
Research
Newsroom
Contact
Get a Demo
Free AI Assessment
New Deal Registration
Careers
© 2025 Straiker. All rights reserved.
Privacy Policy
Terms & Conditions