Token Purging (PG): Methods & Applications
- Token Purging (PG) is a selective removal process that eliminates low-utility, high-risk, or expired tokens based on constrained scoring and governance rules.
- It is applied in diverse areas such as KV-cache eviction in transformer models, token cleaning in supervised fine-tuning, and watermark removal in digital assets.
- Empirical results demonstrate significant gains in accuracy, efficiency, memory usage, and privacy across domains ranging from LLM serving to 3D test-time adaptation.
Searching arXiv for the provided topic and IDs to ground the article in current papers. arXiv search query: "Token Purging KV-cache dormant tokens Transactional Attention" Token Purging (PG) is a domain-dependent term rather than a single standardized method. In recent arXiv literature, it denotes the removal, masking, compression, or invalidation of tokens, token-derived artifacts, or token-associated state under explicit utility, safety, memory, or security constraints. In transformer serving, PG refers to KV-cache eviction under a retention budget; in test-time adaptation, it denotes removal of domain-shifted tokens before attention; in supervised fine-tuning, it is loss masking of low-quality response tokens; in privacy and migration pipelines, it is contextual compression under semantic and budget constraints; and in credential systems, digital assets, and watermark removal, it refers to deletion of credential material, purge-like balance control, or elimination of watermark-carrying signal through tokenized guidance (Basu, 13 Apr 2026, Yazdanpanah et al., 11 Sep 2025, Pang et al., 4 Feb 2025, Langiu, 30 Mar 2026, Coimbra et al., 9 Jun 2025, Yang et al., 1 Dec 2025).
1. Terminological scope and recurrent structure
The most immediate encyclopedic fact about Token Purging is that the term is overloaded. The following uses are explicitly documented in the literature.
| Domain | Meaning of PG | Representative paper |
|---|---|---|
| LLM serving | Evict selected tokens’ KV pairs from the cache | (Basu, 13 Apr 2026) |
| 3D test-time adaptation | Remove domain-shifted tokens before attention | (Yazdanpanah et al., 11 Sep 2025) |
| SFT data selection | Mask low-quality response tokens in the loss | (Pang et al., 4 Feb 2025) |
| Prompt/context handling | Drop, rewrite, or abstract non-essential tokens | (Langiu, 30 Mar 2026) |
| Database migration | Remove or compress input/output tokens under quality constraints | (Grynets et al., 27 May 2026) |
| Credential lifecycle | Remove residual token artifacts from infrastructure | (Coimbra et al., 9 Jun 2025) |
| Unlearning | Redirect or suppress forbidden-token generation | (Yu et al., 21 May 2025, Zaradoukas et al., 28 Jan 2026) |
| Crypto-token security | Owner-controlled purge-like balance or functionality changes | (Wu et al., 23 Jun 2025, Ivanov et al., 2021) |
| Watermark removal | Purge watermark-carrying signal via tokenized guidance | (Yang et al., 1 Dec 2025) |
Despite this heterogeneity, the papers repeatedly formalize PG as a constrained selection problem. The object being removed differs—KV entries, point-cloud tokens, SFT targets, prompt tokens, credential files, or watermark-carrying latent cues—but the decision is usually governed by a score, a threshold, or a governance rule. This suggests a stable conceptual core: PG is selective removal under an explicit notion of residual utility, risk, or relevance.
A common misconception is that PG always means simple shortening. Several papers directly contradict that interpretation. In KV-cache management, blind attention-based eviction purges dormant yet critical tokens (Basu, 13 Apr 2026). In Oracle-to-PostgreSQL migration, aggressive compression can raise Token Efficiency while sharply degrading Semantic Match (Grynets et al., 27 May 2026). In privacy routing, token parsimony and zero leakage are treated as dual projections of the same contextual compression operator rather than as a mere reduction in prompt length (Langiu, 30 Mar 2026).
2. KV-cache eviction, dormant tokens, and cache continuity
In transformer decoders, the KV-cache stores the past key and value tensors for each processed token so the model can attend to earlier context without recomputing it. Under memory pressure, PG is the act of removing selected tokens’ KV pairs from the cache to stay within a retention budget (Basu, 13 Apr 2026). The standard attention-based formulation uses cumulative attention
and retains top- tokens or drops positions below a threshold. This fails for dormant tokens such as credentials, API keys, passwords, session IDs, endpoint URLs, coordinates, and configuration values, because they receive near-zero attention until the exact generation step when verbatim recall becomes necessary. The reported consequence is stark: at tokens, corresponding to of a 4K context, Transactional Attention (TA) achieves 100% credential retrieval, whereas H2O, TOVA, SnapKV, StreamingLLM, PyramidKV, and DynamicKV achieve 0%; the credential often ranks approximately th out of under cumulative attention (Basu, 13 Apr 2026).
TA modifies the retention score through sponsorship from structural anchors such as "key:", "password:", "Authorization:", "api_key=", or schema cues in JSON, YAML, INI, HTTP headers, and function-call arguments. The hard rule is
with eviction only when
The full implementation uses a decaying voucher
inside a composite utility. TA sustains 100% accuracy across 200 function-calling trials, and TA-Fast removes attention-dependent terms entirely, reduces memory overhead by 52% in the reported setup (2.7 GB vs 5.8 GB), remains compatible with SDPA and FlashAttention, and adds less than 1% latency overhead (Basu, 13 Apr 2026).
A related but distinct cache-centric formulation appears in TokenPilot, which treats PG for LLM agents as selective removal of already-ingested context segments while preserving hardware-level KV-cache continuity (Xu et al., 15 Jun 2026). The paper argues that unconstrained sequence mutations alter layouts, introduce prefix mismatches, and force cache misses. Its dual-granularity design combines Ingestion-Aware Compaction, which stabilizes the physical prompt prefix from the first turn, with Lifecycle-Aware Eviction, which marks segments as active, completed, or evictable and purges only after explicit completion evidence and zero residual utility. On PinchBench and Claw-Eval, TokenPilot reduces costs by 61% and 56% in isolated mode, and by 61% and 87% in continuous mode, while maintaining competitive performance (Xu et al., 15 Jun 2026). This suggests that in long-horizon agent systems, the dominant PG question is not only which tokens to remove, but also when their removal ceases to damage prefix reuse.
3. Test-time adaptation through token removal before attention
In transformer-based 3D point cloud classification, PG is formulated as a backpropagation-free test-time adaptation mechanism that removes tokens highly affected by domain shift before they reach self-attention (Yazdanpanah et al., 11 Sep 2025). A point cloud 0 is tokenized via farthest point sampling and 1-NN neighborhoods into 2, and a learnable [[CLS](https://www.emergentmind.com/topics/chunk-level-sparsity-cls)] token is prepended. The motivation is analytical: under strong corruption, per-token layer normalization produces noise-dominant normalized embeddings that behave like nearly random directions on the sphere, so query-key dot products concentrate near zero and the attention softmax approaches a nearly uniform distribution. PG therefore aims to prevent noisy tokens from corrupting attention weights by dropping them in the forward pass.
Two scoring variants are proposed. PG-SP uses source statistics and ranks tokens by diagonal Mahalanobis distance to 3:
4
with 5. PG-SF is source-free and uses the learned CLS token as a prototype in query/key space:
6
where 7 and 8. In both cases, the method purges the 9 highest-scoring tokens, retains the CLS token, and selects the purge length by minimizing output entropy over a candidate set 0 (Yazdanpanah et al., 11 Sep 2025).
The empirical profile is both robust and efficient. PG-SP achieves an average of +10.3% higher accuracy than state-of-the-art backpropagation-free methods, while PG-SF sets new benchmarks for source-free adaptation. Relative to the BFTT3D baseline, PG-SP is 12.4 times faster (14.07 ms vs 173.94 ms) and 5.5 times more memory efficient (1300 MiB vs 7400 MiB). On ScanObjectNN-C, PG-SP reaches 49.13% mean accuracy and PG-SF 47.54%; on ModelNet40-C, PG-SP reaches 68.93% and PG-SF 68.68%; on ShapeNet-C, PG-SP reaches 64.17% and PG-SF 64.40% (Yazdanpanah et al., 11 Sep 2025). The paper also reports that PG transfers to a PointMamba backbone, although gains are smaller on some settings. The principal limitation is over-purging: if information is concentrated in very few tokens, as in extremely sparse clouds or heavy occlusions, discarding too many tokens removes signal together with noise.
4. Training-time filtering and unlearning as token-level suppression
In supervised fine-tuning, the closest formal analogue of PG is token cleaning: low-quality response tokens are masked out of the training objective, while retained tokens continue to contribute to the loss (Pang et al., 4 Feb 2025). The paper formalizes a token-weighted SFT loss with binary labels 1 and scores token quality through loss disparity between a base model 2 and a better reference model 3:
4
5
Tokens ranked in the top 6 by score are kept; the rest are purged by setting 7. Fixed-Model Cleaning performs this once with a frozen reference, whereas Self-Evolving Cleaning iteratively rescales later subsets with a self-updating reference. Empirically, global ranking outperforms local per-sample ranking, the best range is approximately 8, and on LLaMA-3.2-3B the average score across seven tasks rises from 49.87 with Full Tokens to 51.98 with Fixed-Model Cleaning and 53.00 with Self-Evolving Cleaning (Pang et al., 4 Feb 2025).
In model unlearning, PG shifts from masking observed tokens to suppressing future generation of targeted content. UniErase introduces a learnable unlearning token 9, implemented as a new vocabulary token [UNL], and optimizes it so that appending 0 to forget-set prompts steers the model toward an “unlearning space” populated by outputs such as “I don’t know,” “[REDACTED],” and “not provided” (Yu et al., 21 May 2025). Phase I learns 1 with the model weights frozen, and Phase II edits a small subset of MLP down-projection matrices 2 so that the model emits [UNL] intrinsically as the first token for forget-set queries. The reported footprint is approximately 3.66% of parameters, and on the TOFU benchmark UniErase outperforms the previous forgetting SOTA by around 4.01 times for model ability while also surpassing the previous retaining SOTA by 35.96% for unlearning efficacy (Yu et al., 21 May 2025).
PURGE formulates unlearning as a verifiable reinforcement-learning problem under Group Relative Policy Optimization (Zaradoukas et al., 28 Jan 2026). It defines an intrinsic reward
3
so completions containing forbidden entities receive reward 0 and those without such entities receive reward 1. Group-relative advantages are computed within each prompt-specific group of sampled answers, and the policy is updated through a token-level PPO-style objective with KL regularization to the reference policy. The paper reports up to a factor of 46 fewer tokens per target than state-of-the-art methods, a 5.48 percent fluency improvement, a 12.02 percent gain in adversarial robustness over the base model, and on RWKU 11 percent unlearning effectiveness while preserving 98 percent of original utility (Zaradoukas et al., 28 Jan 2026). Taken together, these papers suggest two distinct but related unlearning regimes: one in which PG masks tokens out of optimization, and another in which it actively reshapes the next-token distribution to suppress forbidden realizations.
5. Context compression, token parsimony, and credential hygiene
In LLM-based Oracle-to-PostgreSQL migration, PG is defined as targeted strategies that remove or compress tokens from the LLM’s input and, where applicable, its output, with the explicit objective of reducing cost while preserving syntactic validity and semantic fidelity (Grynets et al., 27 May 2026). The paper treats this as a constrained transformation problem and evaluates twelve strategies, including context pruning, minification, DSL-based semantic compression, schema distillation, adaptive routing, AST-based minification, identifier masking, output constraint enforcement, and hybrid optimization. The central caution is quantitative: mild context pruning on the 100-query sample preserves semantic quality almost at the baseline level, with 89.75% Semantic Match versus 89.80% for the unoptimized baseline, while adaptive routing yields the best practical trade-off by reducing input tokens by 8.72% and output tokens by 5.49% while maintaining 88.40% Semantic Match and increasing Token Efficiency by 6.67%. By contrast, aggressive schema distillation increases Token Efficiency by 132.22% but incurs a 44.50-percentage-point decrease in Semantic Match (Grynets et al., 27 May 2026). The paper therefore rejects the idea that PG can be evaluated by token count alone.
The privacy-routing literature makes a related but not identical claim. In Privacy Guard, PG is the operational instantiation of contextual compression inside a local orchestrator that performs abstractive summarization, Automatic Prompt Optimisation, and LIFO-based context compacting to reduce both token payload and leakage surface (Langiu, 30 Mar 2026). The paper formalizes the “Inseparability Paradigm” by stating that if 4 is the compression ratio, then the decrease in OpEx scales with 5 and induces a proportional decrease in sensitive entropy:
6
It reports a 45% blended OpEx reduction on a 1,000-sample dataset, 100% redaction success on personal secrets, and an 85% preference rate for APO-compressed responses over raw baselines in LLM-as-a-Judge evaluation (Langiu, 30 Mar 2026). Here, PG is not deletion of arbitrary prompt substrings; it is bounded working-memory management combined with risk-aware routing.
The operational-security literature uses “token” in a different sense again. In GlideinWMS, Token Purging is the deliberate removal or invalidation of token material from the Factory, Frontend, pilot or worker nodes, and transient caches once a credential has reached the end of its useful scope (Coimbra et al., 9 Jun 2025). The paper distinguishes PG from expiration, revocation, and renewal, and places it inside a credential model with explicit types and purposes: Pilot Submission Credentials, VO Service Credentials, CE Credentials, HTCondor Cluster Credentials, Job Credentials, and Framework Credentials; and request, payload, and callback purposes. The end-to-end lifecycle specifies purge points at issuance, propagation, storage, use, renewal, and cleanup. Factory-side PG removes request-purpose tokens from the cache and secure mailbox once submission completes or a CE authentication window closes; worker-node PG deletes payload and callback tokens at job completion or glidein shutdown; and local callback-token removal may occur before natural expiration once the startd exits (Coimbra et al., 9 Jun 2025). This use of PG is conceptually close to least-privilege credential hygiene rather than to model inference.
6. Digital assets, balance tampering, and tokenized reconstruction
In crypto-token security, PG is not a standardized name in the cited papers, but the described behavior maps directly onto owner-controlled purge-like operations. RPHunter associates this behavior primarily with the Balance Tamper category—Hidden Mint/Burn and Hidden Balance Modification—and partially with Sale Restrict and Variable Manipulation when those mechanisms are used to confiscate, drain, or render holders’ balances worthless (Wu et al., 23 Jun 2025). The system constructs a Semantic Risk Code Graph from Gigahorse IR using declarative rules over relations such as data flow, privileged-variable control, comparison-to-zero predicates, and token-transfer functions, while dynamic token transactions are modeled as a Token Flow Behavior Graph over addresses and transfers. On a dataset of 645 Rug Pull incidents and 1,675 benign tokens, RPHunter achieves precision 95.3%, recall 93.8%, and F1 94.5%; manual analysis labels Balance Tamper in 189 Rug Pull contracts (Wu et al., 23 Jun 2025). The detected phenomena include privileged writes to totalSupply or balances, owner-controlled tax parameters, address restrictions, and liquidity extraction.
A broader survey of administrated ERC20s makes the same class of powers explicit under a governance lens (Ivanov et al., 2021). For the purposes of that analysis, purge-like capabilities include force-burns, blacklisting or freezing, setting or confiscating balances, force-transfers, global pauses, deprecation or code injection via upgrade indirection, and self-destruction. The paper’s pattern-recognition framework uses nine syntactic features, including pausable functionality, contract deprecation, minting and burning, role-restricted transfers and withdrawals, function-disabling modifiers, direct sender checks, and freezing, halting, or killing methods. On 84,062 unique Ethereum contracts, it finds 54,626 ERC20 contracts, of which 39,034 are administrated ERC20s, corresponding to approximately 89.76% of ERC20s. To constrain these powers, the paper proposes SafelyAdministrated, a Solidity abstract contract that combines deferred maintenance, a board of trustees, and safe pause (Ivanov et al., 2021). In this domain, PG is effectively a question of who can purge balances or functionality, under what governance, and with what delay.
A final, structurally different use appears in watermark removal. TokenPure interprets PG as purging watermark signals by replacing the watermark-corrupted generation path with tokenized appearance and structural guidance inside a Diffusion Transformer (Yang et al., 1 Dec 2025). A watermarked image is decomposed into visual tokens 7, extracted from the last hidden layer of a pretrained SigLIP image encoder and compressed by a small MLP, and structural tokens 8, obtained by Canny edge detection followed by VAE encoding. These are injected into a FLUX.1-dev rectified-flow DiT through a trainable key-value attention branch for appearance and LoRA-modified QKV projections for layout, with fusion
9
The key claim is that the method “entirely bypasses the initial watermark-carrying noise” by sampling from clean stochastic noise under tokenized priors. The paper reports strong removal and fidelity across six watermark families, and in a user study of 920 votes TokenPure is preferred 61% of the time as “most consistent” and 70% of the time as “least degradation” (Yang et al., 1 Dec 2025). This is a particularly clear reminder that in the recent literature PG can refer not only to removing tokens from a sequence, but also to purging undesirable signal by reconstructing from tokenized conditional structure.
Across these lines of work, Token Purging is best understood as a family of selective-removal mechanisms rather than a single algorithmic primitive. The object being purged may be a KV entry, a point-cloud token, a response target, a prompt span, a credential artifact, a forbidden concept realization, a balance pathway, or a watermark-bearing signal. What unifies the literature is not the substrate but the decision structure: PG is repeatedly formalized as constrained elimination of low-utility, high-risk, expired, or adversarial tokenized content, with success judged not by maximal deletion but by preservation of the system property that matters in that domain—retrieval fidelity, robustness, semantic match, privacy, governance safety, or reconstruction quality.