Guide

What is C2PA and Content Credentials?

Tamper-evident provenance for images, explained

C2PA is an open standard for attaching a secure, tamper-evident record of origin to media. The consumer-facing name is Content Credentials. Here’s what it is, how it works and why it matters — then how to add and verify it.

Try it: add a C2PA certificate to an AI image, then verify any image in the free viewer.

What is C2PA?

C2PA (the Coalition for Content Provenance and Authenticity) is a technical standard, backed by companies like Adobe and Microsoft, that binds provenance information to a file using cryptographic signatures. The signed information is a manifest; the friendly brand is Content Credentials.

How does it work?

A manifest describing the asset (for example, that it was AI-generated, by which tool and when) is cryptographically signed and embedded in the file. If the image is later altered, the signature no longer matches, so tampering is detectable. A trusted timestamp records when it was signed, and any C2PA-aware tool — including the ExifGhost viewer — can verify it.

What is it for, and why do it?

Provenance — show where an image came from and how it was made.
AI transparency — mark AI-generated content in a machine-readable way (see labeling & the law).
Trust — give viewers a verifiable signal instead of a claim that can be edited away.

Common questions

How do I add a C2PA credential to an image?

Use the Certify page: upload your image, and ExifGhost signs it in memory with a C2PA manifest (marking it AI-generated, with a trusted timestamp) and returns it — the file is never stored.

How do I verify or check Content Credentials?

Drop the image into the free viewer. It performs full cryptographic C2PA verification and shows the signer, time and whether the content is intact.

What does “untrusted signer” mean?

It means the signer’s certificate isn’t on a recognised public trust list yet. The credential is still readable and its integrity is still verified — “untrusted” does not mean the image was tampered with.

Can a C2PA credential be faked or removed?

It can be stripped (like any metadata), but it cannot be silently altered: any change breaks the cryptographic signature, which is what makes it tamper-evident.

Does C2PA prove an image is real?

No. It records and signs a claim about origin and edits, proving the claim hasn’t been altered since signing — not that the claim itself is “true”.

Which file types support C2PA?

Common raster formats such as JPEG and PNG. ExifGhost signs and verifies these.

More guides: Image metadata · Remove metadata · C2PA · AI labeling & the law · All guides

What is C2PA and Content Credentials?

What is C2PA?

How does it work?

What is it for, and why do it?

Common questions

Welcome back