System Prompts
The system prompt sets the rules of the game (persona, constraints, and output format) for the whole conversation. It's the most durable way to shape a model's behavior.
Overview
Every message you send has a role. The system prompt is special: it's the standing instruction the model treats as its operating context for the entire conversation, separate from individual user turns. Get it right and your app behaves consistently; get it wrong and you'll fight the model with every turn.
Learning Objectives
By the end of this page you will be able to:
- Distinguish the system prompt from user/assistant messages.
- Write a system prompt that reliably controls persona, scope, and format.
- Understand the security limits of system prompts.
Theory
Where it sits
flowchart TB
S["System prompt<br/>persona · rules · format<br/>(set once)"] --> C[Conversation]
U1[User turn 1] --> C
A1[Assistant turn 1] --> C
U2[User turn 2] --> C
C --> R[Model reads system + full history<br/>to produce each reply]
The system prompt applies to every turn. User messages come and go; the system prompt persists, which is why it's the right home for anything that should always be true.
What belongs in a system prompt
- Role / persona: "You are a friendly onboarding assistant for a banking app."
- Scope & boundaries: what to help with, what to refuse or redirect.
- Tone & style: concise, formal, encouraging.
- Output format: "Always respond in Markdown with a short summary first."
- Key facts & policies: durable context the model needs every turn.
What does not belong: the specific per-turn question (that's a user message), or large volumes of reference data (use RAG instead).
Anatomy of a good system prompt
You are "Nimbus", the support assistant for CloudStore, an e-commerce platform.
## Your role
Help customers with orders, returns, and account issues. Be warm, concise, and accurate.
## Rules
- Only answer questions about CloudStore. For unrelated topics, politely redirect.
- Never invent order details. If you don't have the information, say so and offer to escalate.
- Never ask for or repeat full payment card numbers.
## Format
- Start with a one-sentence direct answer.
- Then, if useful, add up to 3 bullet points.
- End by asking if there's anything else.
Notice: clear identity, explicit scope, safety rules, and a concrete format. Structure (headings) makes it easy for the model to follow, and easy for you to maintain.
Practical Example
from anthropic import Anthropic

client = Anthropic()  # reads ANTHROPIC_API_KEY from the environment

SYSTEM = """You are a concise SQL tutor.
- Explain concepts with a short example query.
- Use standard SQL unless the user names a dialect.
- If a question isn't about SQL, gently steer back.
- Keep answers under 120 words."""


def ask(question: str) -> str:
    resp = client.messages.create(
        model="claude-sonnet-5",
        max_tokens=300,
        system=SYSTEM,  # <-- the system prompt
        messages=[{"role": "user", "content": question}],
    )
    return resp.content[0].text


print(ask("How do I get the second-highest salary?"))
Because the persona and format live in SYSTEM, every question gets consistent, on-brand answers; you don't repeat the rules each turn.
Security: the limits of system prompts
[!WARNING] A system prompt is guidance, not a security boundary. Users can attempt prompt injection to override it ("ignore your instructions…"). Treat the system prompt as shaping normal behavior, and enforce real safety with input/output guardrails, least-privilege tools, and validation, not with the system prompt alone.
Also: don't put secrets (API keys, internal URLs) in the system prompt assuming users can't see them. Assume anything in the prompt could be surfaced.
Best Practices
- Keep it structured (headings/bullets) and as short as it can be while complete.
- State scope and refusal behavior explicitly.
- Specify the output format you'll parse or display.
- Version your system prompts and evaluate changes.
Common Mistakes
- Stuffing per-question data into the system prompt (use user messages / RAG).
- Relying on it as a security control against injection.
- Making it so long and contradictory the model can't follow it.
- Putting secrets in it.
Exercises
- Write a system prompt for a cooking assistant that only discusses recipes and refuses other topics. Test whether it stays in scope.
- Add a strict output format ("always reply as JSON with answer and confidence"). Does the model comply every time? (This motivates structured outputs.)
- Try to make the model break its own rules with a user message. What did it take? What does that tell you about relying on system prompts for safety?