TL;DR
- Browser (no install): Use c2paviewer.com — drag and drop a file, click Raw Manifest to read the full JSON
- CLI (advanced): Run
c2patool image.jpgfor standard output orc2patool image.jpg -dfor detailed JUMBF-level data - Key difference from verification: Inspection reads what is in the manifest; verification checks if the cryptographic signature is valid
- Privacy: Browser tools process files locally — no server uploads
In an era of AI-generated content and digital manipulation, knowing how to inspect C2PA metadata is a critical skill for journalists, content creators, legal professionals, and developers. Inspection goes beyond a simple pass/fail verification — it gives you direct access to the raw provenance data embedded in a file, including every assertion, action, and signature detail. This guide covers every method available in 2026, from no-install browser tools to the official command-line utility.
What is C2PA Inspection?
C2PA inspection is the process of reading the detailed provenance information stored in a file's C2PA manifest. The Coalition for Content Provenance and Authenticity (C2PA) standard — currently at specification version 2.3 (2025) — defines a manifest format that embeds provenance data directly in supported file types. When you inspect a C2PA file, you access:
- Content credentials — who created the file and when
- Action history — every edit, transformation, and modification recorded since the first signing
- Software agents — the applications and tools used in creation
- AI generation markers — whether AI tools were involved
- Cryptographic signatures — the X.509 certificate chain used to sign the manifest
- Assertion data — individual claims including training-mining consent, geolocation, and more
Inspecting vs. Verifying — Key Difference
| Action | What it does | Output |
|---|---|---|
| Inspection | Reads and displays the raw manifest content | JSON data — all assertions, actions, metadata |
| Verification | Checks the cryptographic signature | Valid / invalid / no data status |
Both C2PA Viewer and c2patool perform inspection and verification simultaneously. The C2PA official tool (verify.contentauthenticity.org) performs verification but does not expose the raw manifest for inspection.
Why Inspect C2PA Metadata?
Journalism and Media
Verify source material authenticity, trace image origins, detect manipulated content before publication, and confirm AI involvement in visual assets.
Legal and Forensics
Establish chain of custody for digital evidence, verify document authenticity, and extract tamper-evident timestamps for litigation support.
Creative Professionals
Protect intellectual property, prove ownership of original work, verify training-mining consent flags, and track unauthorized modifications.
Developers and Researchers
Debug C2PA implementations, study assertion structures, validate manifest creation tools, and build verification integrations using the raw JSON.
C2PA Inspection Methods: Compared
| Tool | Type | Raw Manifest | No Install | Batch | Skill Level |
|---|---|---|---|---|---|
| C2PA Viewer | Browser | Yes | Yes | No | Beginner–Advanced |
| verify.contentauthenticity.org | Browser | No | Yes | No | Beginner |
| c2patool (CLI) | Command-line | Yes | No | Yes | Advanced |
| c2pa-rs (Rust library) | Library | Yes | No | Yes | Developer |
Method 1: Browser-Based Inspection (Recommended)
Browser tools are the fastest way to inspect C2PA metadata for one-off files. They process everything locally using WebAssembly — no file leaves your device.
C2PA Viewer (c2paviewer.com)
The C2PA Viewer provides full access to the raw JSON manifest, making it the best browser option for technical analysis. It uses the official c2pa-js library (powered by c2pa-rs compiled to WebAssembly).
- Raw manifest extraction — view the complete JSON with syntax highlighting
- Structured summaries — author, software, AI usage automatically extracted from assertions
- Validation status — cryptographic signature result with error details
- Client-side only — files never leave your browser
- No registration — start inspecting immediately
- Mobile-friendly — works on iOS and Android browsers
verify.contentauthenticity.org (Official CAI Tool)
The official Content Authenticity Initiative (CAI) verification tool provides a polished visual interface. It is suitable for general users but has a key limitation:
- Does not expose the raw JSON manifest — only shows processed, human-readable output
- Cannot access individual assertion data or JUMBF hashes
- Not suitable for debugging or technical analysis
- Best for: quick visual checks and sharing results with non-technical audiences
Method 2: Command-Line Inspection with c2patool
For developers, researchers, and anyone needing batch processing or deeper analysis, the c2patool command-line utility is the most powerful option. It is maintained by the Content Authenticity Initiative at github.com/contentauth/c2patool. As of December 2024, active development has moved to the contentauth/c2pa-rs repository.
Installation
Option A — Cargo (Rust package manager):
Option B — Pre-built binaries: Download the latest release for your OS from the GitHub releases page. Binaries are available for macOS (Intel and Apple Silicon), Linux, and Windows.
Core Inspection Commands
Standard manifest inspection (JSON output):
Outputs a simplified JSON report of the C2PA manifest to stdout. Append > manifest.json to save to a file.
Detailed inspection (JUMBF-level data):
Detailed mode (-d) outputs data more closely reflecting the binary manifest structure, including JUMBF URLs and assertion hashes.
Manifest store info (size and manifest count):
Save extracted manifest to file:
Supported Formats (c2patool)
Method 3: Mobile Inspection
C2PA Viewer works on all modern mobile browsers (iOS Safari, Android Chrome). Upload photos directly from your device gallery or camera roll. Processing is fully local — no server uploads, no app install. The interface is touch-optimized for easy navigation of the manifest sections.
Step-by-Step: Inspect C2PA Metadata in Browser
Step 1: Open C2PA Viewer
Go to c2paviewer.com. No registration, downloads, or plugins needed. Works on Chrome, Firefox, Safari, and Edge.
Step 2: Upload Your File
Choose a method:
- Drag and drop onto the upload zone (desktop)
- Click Browse Files to select from your device
- Try Sample to use a preloaded C2PA-enabled image for exploration
Step 3: Wait for Manifest Extraction
The c2pa-js WebAssembly library extracts the manifest locally. This takes 1–3 seconds for most images and up to 10 seconds for large videos or files with long edit histories. A progress log shows the current phase.
Step 4: Review the Structured Sections
Once extraction completes, the viewer displays automatically parsed sections:
- Validation status — valid, corrupted, or no data
- Author / Signer — from the signing certificate
- Software agents — applications declared in assertions
- AI generation — whether AI tools were declared
- Action history — chronological list of recorded edits
- Thumbnails — embedded images from each signing event
Step 5: Expand the Raw Manifest
Click the Raw Manifest section to view the complete JSON. This is the full, unprocessed manifest equivalent to c2patool output. Key paths to inspect:
active_manifest— label of the current manifestmanifests[label].signature_info— issuer, cert chain, timestampmanifests[label].assertions— all individual claimsmanifests[label].validation_status— errors array (empty = valid)
Step 6: Copy or Export the JSON
Select and copy the raw JSON for external analysis, documentation, or comparison with other files. The JSON can be pasted into any text editor or JSON analysis tool for further work.
Privacy guarantee: All inspection runs entirely in your browser using WebAssembly. Your files are never uploaded to any server and remain completely private.
Understanding the Manifest Sections
active_manifest
The label of the current, most recent C2PA manifest in the manifest store. The manifest store can contain multiple manifests representing each signing event in the file's history.
signature_info
Contains the signing authority name (from the X.509 certificate), the full certificate chain, and the signing timestamp. Use the issuer name to cross-reference against the C2PA Trust List (launched mid-2025).
assertions — c2pa.actions
A chronological list of all operations recorded in the manifest. Each entry has an action field (e.g., c2pa.created, c2pa.edited, c2pa.transcoded), a when timestamp, and a softwareAgent string.
assertions — c2pa.training-mining
Declares the creator's consent or restriction for using the content to train AI models. The values are allowed, notAllowed, or constrained. Only accessible via raw manifest inspection — not shown in visual summary tools.
validation_status
An array of validation results. An empty array means all cryptographic checks passed. Individual entries include an error code and explanation. Common codes: claimSignature.mismatch, assertion.hashedURI.mismatch.
ingredients
References to other files that contributed to this content — for example, the source images used in a composite, or the original before AI editing. Each ingredient can have its own manifest, enabling a full chain-of-custody trace back to original sources.
Frequently Asked Questions
What does it mean to inspect C2PA metadata?
Inspecting C2PA metadata means examining the detailed provenance information embedded in a file's manifest — including the full JSON structure, cryptographic signatures, action history, and all assertion data. Inspection shows you what is in the manifest, while verification confirms whether the signatures are cryptographically valid.
What is the difference between inspecting and verifying C2PA files?
Inspection reads the raw manifest content — all assertions, actions, and metadata. Verification runs the cryptographic signature check to confirm authenticity. Full analysis requires both. C2PA Viewer and c2patool perform both simultaneously. The official Content Credentials tool only verifies, not inspects.
Can I inspect C2PA metadata without uploading files to a server?
Yes. C2PA Viewer processes all inspection locally in your browser using WebAssembly. The c2patool CLI also runs entirely on your local machine. Neither tool transmits your files to any external server.
Which file formats support C2PA inspection?
Browser tools support JPEG, PNG, WebP, TIFF, MP4, and MOV. c2patool additionally supports HEIC, AVIF, PDF, MP3, WAV, and AVI. JPEG is the most common format used by C2PA-enabled cameras (Sony, Leica) and AI tools (Adobe Firefly, Google ImageFX).
Why does verify.contentauthenticity.org not show the raw manifest?
The official CAI tool is designed for general consumers and focuses on a visual, human-readable presentation. It intentionally hides the raw JSON structure to simplify the experience. For full technical access, use C2PA Viewer or c2patool.
What is in the c2pa.actions assertion?
The c2pa.actions assertion contains a chronological list of all recorded operations: creation, editing, transcoding, publishing, and more. Each action entry includes an action type, a timestamp, and the software agent that performed the action — providing a tamper-evident edit history embedded directly in the file.
Start Inspecting C2PA Files Today
Use the free C2PA Viewer to inspect raw manifest data from any C2PA-enabled image or video — directly in your browser, with full JSON access.
Related Articles
How to Use the C2PA Viewer
Complete walkthrough of every feature in the C2PA Viewer tool.
How to Verify C2PA Content
Step-by-step guide to verifying content credentials and understanding results.
What is a C2PA Manifest?
Structure and components of C2PA manifests explained in detail.
What is C2PA?
The fundamentals of the C2PA standard and how it protects digital content.