From reading the docs it looks like there are ( or will be soon ) two distinct ways for API endpoint to consume the prompt:
1. Old one when all inputs are just concatenated into one string (Vulnerable to prompt injection)
2. Inputs supplied separately as a JSON (?) array, so special tokens can be properly encoded, maybe user input stripped of newlines (potentially preventing prompt injection).
I guess when Microsoft were rushing Bing features and faced with a dilemma to do by the rules or by tomorrow they chose the latter.
1. Old one when all inputs are just concatenated into one string (Vulnerable to prompt injection)
2. Inputs supplied separately as a JSON (?) array, so special tokens can be properly encoded, maybe user input stripped of newlines (potentially preventing prompt injection).
I guess when Microsoft were rushing Bing features and faced with a dilemma to do by the rules or by tomorrow they chose the latter.