Existing AIGC watermarking methods suffer from severe robustness degradation under text rewriting, compromised text quality, and unintended bias introduction. Method: We propose the first end-to-end trainable, logits-level watermarking framework. It jointly optimizes encoder and decoder to apply differentiable perturbations in the logits space and introduces online prompting—leveraging the target LLM itself as a differentiable proxy during inference—to overcome the non-differentiability of discrete token sampling. The method enables implicit, robust watermark embedding without modifying model architecture or training data. Results: Our approach improves watermark detection accuracy by 37–39% (average +17.2%) across diverse rewriting attacks, preserves perplexity and downstream task performance at par with the watermark-free baseline, and demonstrates cross-LLM generalizability.

The rise of LLMs has increased concerns over source tracing and copyright protection for AIGC, highlighting the need for advanced detection technologies. Passive detection methods usually face high false positives, while active watermarking techniques using logits or sampling manipulation offer more effective protection. Existing LLM watermarking methods, though effective on unaltered content, suffer significant performance drops when the text is modified and could introduce biases that degrade LLM performance in downstream tasks. These methods fail to achieve an optimal tradeoff between text quality and robustness, particularly due to the lack of end-to-end optimization of the encoder and decoder. In this paper, we introduce a novel end-to-end logits perturbation method for watermarking LLM-generated text. By jointly optimization, our approach achieves a better balance between quality and robustness. To address non-differentiable operations in the end-to-end training pipeline, we introduce an online prompting technique that leverages the on-the-fly LLM as a differentiable surrogate. Our method achieves superior robustness, outperforming distortion-free methods by 37-39% under paraphrasing and 17.2% on average, while maintaining text quality on par with these distortion-free methods in terms of text perplexity and downstream tasks. Our method can be easily generalized to different LLMs.