How to C2PA Verify Image and Video Origins

What Is C2PA Verification?

C2PA verification is the process of reading and validating the signed provenance manifest embedded inside a digital media file. The Coalition for Content Provenance and Authenticity (C2PA) defines an open technical standard — currently at version 2.2 — that lets cameras, software, and AI tools embed a tamper-evident record of where a file came from, which software created or edited it, and whether any generative AI was involved. Verification tools decode that record and validate the cryptographic signature to confirm the data has not been altered since it was signed.

The standard uses a C2PA Manifest — a JSON structure embedded directly in the file — containing one or more assertions. Each assertion is a signed statement about the asset: creation time, authoring software, applied edits, AI generation status, or copyright information. The manifest is signed with a certificate issued by the creating organization (e.g., Samsung, Google, Adobe, OpenAI), and that certificate chains back to a root on the C2PA Trust List.

Method 1 — C2PA Viewer (Browser-Based, No Upload Required)

C2PA Viewer processes files entirely in your browser using WebAssembly — no file leaves your device. Upload a JPEG, PNG, WebP, TIFF, HEIC, MP4, MOV, or other supported format via drag-and-drop or the file browser, and the tool immediately extracts and displays the complete raw C2PA manifest in JSON format.

The output includes: creator identity and contact info (if provided), software agent and version, device model, creation and modification timestamps, action history (created, edited, published), AI generation assertions, and the full cryptographic signature chain. If the signature is valid, the tool confirms the manifest is intact. If the signature is broken or the certificate is unrecognized, the tool flags it explicitly.

C2PA Viewer supports the broadest format range of the three methods covered here, including AVIF, DNG, HEIF, SVG, AVI, M4A, MP3, WAV, and PDF in addition to the standard image and video formats.

Method 2 — ContentCredentials.org (Consumer-Friendly Interface)

ContentCredentials.org, maintained by the Content Authenticity Initiative (CAI), provides a streamlined verification experience aimed at general audiences. Drag and drop a file or click "Select a file from your device" to upload it. The tool presents a human-readable summary of the embedded credentials: the creator's name, the software or platform used, whether generative AI was involved, and the edit history.

The CAI also publishes the open-source Content Authenticity Verify tool at verify.contentauthenticity.org, which uses the same underlying C2PA library. This tool is particularly useful for verifying credentials from AI platforms: ChatGPT images generated with DALL-E 3, for example, include a C2PA manifest that identifies them as AI-generated, which ContentCredentials.org renders clearly in its UI.

The key trade-off: ContentCredentials.org does upload your file to a remote server for processing, unlike C2PA Viewer's client-side approach. For sensitive images, C2PA Viewer's in-browser processing is the more privacy-preserving option.

Method 3 — c2patool CLI (Command Line, Developer and Power Users)

c2patool is the open-source command-line tool for C2PA verification, maintained by the Content Authenticity Initiative in partnership with Adobe. Install it via Rust's package manager:

cargo install c2patool

To verify a file and print a high-level report:

c2patool photo.jpg --info

To output the full manifest JSON:

c2patool photo.jpg

To verify against a specific trust list:

c2patool photo.jpg trust --trust_anchors my-trust-anchors.pem

Note: As of December 2024, active development on c2patool has moved to the contentauth/c2pa-rs repository. The c2patool binary still functions for verification purposes, and new releases continue to ship via crates.io.

Step-by-Step: Verifying a File with C2PA Viewer

Follow these steps to inspect any C2PA-signed image or video using C2PA Viewer:

1. Open C2PA Viewer at c2paviewer.com. No account or installation required.
2. Upload your file by dragging it onto the drop zone or clicking to browse. Supported formats include JPEG, PNG, WebP, TIFF, HEIC, AVIF, DNG, MP4, MOV, MP3, WAV, and PDF.
3. Check for a manifest. The tool immediately reports whether a C2PA manifest is embedded. If none is found, it states this clearly — the file simply lacks provenance data, which does not indicate manipulation.
4. Read the content credentials. If a manifest exists, review the assertions: creator name or organization, software agent (camera app, editing tool, AI model), device model, creation timestamp, and any listed edits.
5. Validate the signature. Confirm the cryptographic signature status. A valid signature means the manifest has not been altered since it was signed by the issuing organization. An invalid or broken signature means the file was modified after signing.
6. Check AI assertions. Look for AI generation or training assertions in the manifest. These identify whether the content was AI-generated, which model was used, and whether the creator has restricted AI training use.
7. Review the action history. The actions array lists every recorded event in chronological order: created, color-corrected, edited, cropped, published. Timestamps on each entry reveal the full timeline from capture to current state.

Verification Tool Comparison

Each tool serves a different use case. The table below summarizes the key differences:

What C2PA Can and Cannot Tell You

C2PA verification confirms the provenance chain — who created the file, with what tool, and whether the record has been tampered with. It does not verify factual accuracy. A photo of a real event with a valid C2PA signature from a verified camera is still a photo of that event; C2PA does not assess what the image depicts.

Key limitations to understand:

• No manifest does not mean fake. The vast majority of images online have no C2PA data because most cameras and editing tools do not yet embed it. Consumer smartphones only began adding C2PA support in 2025 (Samsung Galaxy S25) and later (Google Pixel 10).
• Stripped metadata is detectable. Removing a manifest breaks the signature chain. Verification tools flag the broken or absent signature, making removal itself a signal.
• Credentials confirm origin, not truth. An AI-generated image with a valid C2PA manifest from OpenAI is verifiably AI-generated by OpenAI — C2PA tells you that accurately. What the image depicts is a separate question.
• Trust list coverage is growing. Not all issuers are on the C2PA Trust List. Some manufacturer certificates — including Samsung's at Galaxy S25 launch — are issued by organizations not yet formally verified by the C2PA Conformance Program.

Which Devices and Software Now Embed C2PA Metadata?

C2PA adoption accelerated significantly in 2025. Hardware and software currently embedding C2PA Content Credentials includes:

• Samsung Galaxy S25 (announced January 22, 2025) — tags AI-edited photos via One UI 7 Galaxy AI tools
• Google Pixel 10 (announced September 10, 2025) — tags all photos by default using Tensor G5 and Titan M2 hardware; achieved C2PA Assurance Level 2
• OpenAI / ChatGPT — DALL-E 3 generated images include C2PA manifests identifying AI authorship
• Adobe Firefly and Adobe Photoshop — embeds credentials on AI-generated and edited content
• Sony Alpha cameras (α9 III, α1 II) — opt-in C2PA signing at capture
• Leica M11-P — C2PA enabled by default at capture
• Microsoft Azure OpenAI — Content Credentials on DALL-E outputs
• Cloudinary — adds and passes through C2PA metadata in media workflows

Frequently Asked Questions

References

1. C2PA Specification 2.2 — Explainer
2. ContentCredentials.org — Content Authenticity Initiative
3. c2patool — Open-Source C2PA Command Line Tool
4. Content Authenticity Verify — Official CAI Verification Tool
5. C2PA in ChatGPT Images — OpenAI Help Center
6. c2patool GitHub Repository — contentauth/c2patool