This work addresses the challenge of providing language models with verifiable and unforgeable identity credentials without exposing their internal parameters. It introduces, for the first time, a model-signing mechanism based on the ranking of top-k output tokens, relying solely on ordinal information rather than exact probability values. Theoretical analysis demonstrates that forging such a signature is NP-hard, thereby ensuring computational security against polynomial-time adversaries. By integrating geometric constraints inherent in language model outputs, feasibility analysis of token rankings, and complexity-theoretic arguments—and further substantiated through model extraction experiments—the study confirms the method’s efficacy: while attackers can leverage ranking data to approximate final-layer parameters, they cannot successfully forge valid signatures. Moreover, selecting an appropriately small top-k value preserves both the uniqueness and robustness of the signature while safeguarding model confidentiality.

Language model parameters are known to impose unique (to each model) geometric constraints on their logit outputs, which serves as a signature that identifies the model, but also leaks the model's final layer parameters when an API distributes logits. We investigate more restrictive APIs that expose token rankings (i.e., their ordering by probability, but not the probability values) and find that rankings also constitute a signature: every model has a unique set of feasible top-$k$ rankings for sufficiently large $k$. Furthermore, the ranking signature is the first known (polynomially) unforgeable signature, since finding a model with the same set of feasible rankings is NP-hard. On the security front, we find that token rankings are already sufficient to approximately steal the final layer of the model, similar to logits, though the approximation is too coarse to forge the signature, and can be effectively countered by restricting the API to top-$k$ tokens with sufficiently small $k$. Since the top-$k$ required to present the model signature is generally smaller than the $k$ required to prevent stealing, it is possible for an API to present an unforgeable signature without leaking model parameters.