Content Provenance (C2PA)

A cryptographically signed record of where a file came from — proving what device or model made it, instead of guessing from pixels whether it is AI-generated.

On this page

Definition

Content provenance is a verifiable record of where a piece of media came from — what device or AI model produced it, when, and what edits were applied since — attached to the file and cryptographically signed so that it can be checked rather than merely believed.

C2PA is the open standard that defines this record, maintained by the Coalition for Content Provenance and Authenticity, whose members include Adobe, Microsoft, Google, OpenAI, the BBC and most major camera manufacturers. Content Credentials is the consumer-facing name for the same thing.

The idea inverts the usual approach to synthetic media. Instead of examining an image and guessing whether an AI made it — the approach taken by deepfake detectors, which is losing ground with every model release — provenance asks the file to carry its own history. Verification becomes a signature check rather than a statistical inference, and unlike a detector, a signature check does not get worse when a better generator ships.

How It Works

A C2PA-enabled camera or generative model builds a manifest at the moment of creation. The manifest holds assertions: which device or model produced this, at what time, and what actions were taken on it — cropped, colour-corrected, generated from a prompt, edited with a generative fill tool.

That manifest is hashed and signed with a certificate belonging to the producer. Anyone can then verify two things: that the manifest has not been altered since signing, and that the certificate belongs to who it claims to. Editing software that supports the standard appends its own signed step, so the file accumulates a chain of custody rather than a single stamp.

The question of whose signature counts is handled by a trust list — the registry of certificates a validator is willing to accept. This layer was rebuilt for 2026: C2PA froze its older Interim Trust List on 1 January 2026, and new signing certificates now come only through its formal Conformance Program. Content signed under the old list still validates, so this is a transition rather than a cutover — but it is a deliberate tightening of who is allowed to make a claim.

The standard's weak point is obvious once stated: metadata can be removed. A screenshot destroys it, and many platforms strip it on upload. This is why provenance is increasingly paired with watermarking, which hides the signal inside the content instead of beside it.

Types

  • Hard binding: the signed manifest is embedded directly in the file. Rich and fully verifiable, but destroyed by a screenshot or a metadata-stripping upload.
  • Soft binding: the file carries only an identifier, and the manifest is fetched from a cloud store. This survives some processing that would strip full metadata.
  • Invisible watermarking: a pattern embedded in the content signal itself. Google DeepMind's SynthID biases a language model's token sampling toward a secret statistical pattern for text — a method published in Nature in 2024 and since open-sourced — and embeds imperceptible patterns in images and audio. It survives cropping and light editing, but degrades when text is rewritten or translated.
  • Perceptual fingerprinting: a robust hash of the content, matched against a database of known originals. Requires no cooperation from the file itself, but only recognizes content that has been registered.

Real-World Applications

  • Cameras that sign at capture. Canon supports Content Credentials on the EOS R1 and R5 Mark II; Sony on the Alpha 1 II and Alpha 9 III; Leica on the M11-P and SL3-S. Note the model suffixes — the base variants are not the signing ones, and provenance support is currently a premium-body feature rather than a default.
  • Generative models that label their own output. OpenAI signs C2PA credentials into content from DALL·E 3, its image model and Sora. On 19 May 2026 it announced it was additionally embedding SynthID watermarking through a partnership with Google DeepMind, alongside a public verification tool.
  • Platforms that check. Google announced on the same day that SynthID verification had gone live in the Gemini app and was reaching Search, with Chrome following — and that C2PA Content Credentials verification was beginning in Gemini, with Search and Chrome named for the months after. Verification moving into the browser and the search box is what makes provenance useful to ordinary readers rather than to forensic analysts.
  • Newsrooms and wire services, which sign photojournalism at capture so that a downstream publisher can prove an image came from a staff photographer's camera and was not altered en route.
  • Regulatory compliance. China's labeling measures, in force since 1 September 2025, require an embedded metadata label identifying the provider of AI-generated content, alongside a visible one. Article 50 of the EU AI Act, applying from 2 August 2026, requires providers of generative AI systems to mark synthetic output in a machine-readable format. C2PA and SynthID are the mechanisms the industry built to satisfy exactly those clauses.

Challenges

  • Absence of a credential proves nothing. Almost all media in circulation is unsigned, so a "no Content Credentials found" result is not a red flag — it is the normal case. A user interface that shows that warning constantly trains people to ignore it, which is the opposite of what the standard is for.
  • Metadata is fragile by design. A screenshot, a recompression or an upload to a platform that strips metadata removes a hard-bound manifest entirely. Provenance survives the pipeline it controls and dies in the one it does not.
  • A compromised key is worse than no key. Nikon shipped C2PA firmware for the Z6III and then suspended the program in September 2025 after a forgery vulnerability was discovered. A system that can be tricked into signing a fake does not merely fail — it actively launders the fake, lending it the authority the credential was meant to confer. The rebuilt Conformance Program is a direct response to this class of failure.
  • Provenance can be a privacy liability. A signed record of which device took a photo, and when, is exactly the metadata a whistleblower or a photojournalist in a hostile jurisdiction needs to not be attached. The standard permits redaction of assertions, but the tension between proving origin and protecting a source is structural, not a bug to be patched.
  • Adoption is the whole game. A provenance standard is worth precisely what its coverage is, and coverage today is thin: a handful of camera bodies, the major generative models, and a browser rollout still in progress.
  • Regulation is forcing the timeline. The EU's machine-readable marking requirement gives provenance a compliance deadline rather than a business case, which is a far stronger adoption driver.
  • The stack is converging. OpenAI and Google publishing on the same standard on the same day is the clearest signal that provenance is not being treated as competitive territory. A provenance system that only one vendor honours is worthless, and the labs appear to know it.
  • Belt and braces. The emerging consensus is not C2PA or watermarking but both: signed metadata for rich, verifiable history, and an embedded watermark as the fallback that survives a screenshot.
  • Verification moves to where people actually look. Provenance only changes behaviour if checking is one click inside a browser or a search result, not a trip to a specialist tool.

For how provenance compares with pixel-level detection in practice, see How AI-Generated Video, Photo and Text Are Actually Detected.

Frequently Asked Questions

C2PA is the technical standard, maintained by the Coalition for Content Provenance and Authenticity. Content Credentials is the consumer-facing brand for the same thing — the little 'cr' icon and the panel that shows a file's signed history. In practice the terms are used interchangeably.
No, and this is the standard's biggest usability problem. The overwhelming majority of media on the internet is unsigned, and most platforms strip metadata on upload. Absence of a credential means unknown provenance, not synthetic origin.
C2PA attaches signed metadata alongside the file, which is rich and verifiable but can be stripped. SynthID embeds an imperceptible pattern inside the content itself, which survives cropping and screenshots but carries far less information. They are complementary, and major labs now ship both.
The signature itself is cryptographically sound, but the system is only as strong as the keys behind it. Nikon suspended its C2PA camera program in September 2025 after a forgery vulnerability was found — a fraudulently signed file is more dangerous than an unsigned one, because it launders a fake into a credential.
Increasingly, yes. China has required embedded metadata labels on AI-generated content since 1 September 2025. In the EU, Article 50 of the AI Act requires providers of generative AI systems to mark synthetic output in a machine-readable format from 2 August 2026 — a requirement that standards like C2PA and SynthID exist to satisfy.

Continue Learning

Explore our use-case guides and prompts to deepen your AI knowledge.