What is C2PA? A Guide to Content Credentials and Content Provenance
C2PA (Coalition for Content Provenance and Authenticity) is an open technical standard for verifying the origin and edit history of digital content. Established in 2021, C2PA enables cameras, software, and AI tools to attach tamper-evident metadata, known as Content Credentials, to images, video, audio, and documents, so anyone can trace where a piece of media came from and how it has been altered.
What is C2PA?
C2PA stands for the Coalition for Content Provenance and Authenticity. It is both the name of the open technical standard and the industry body that maintains it. The standard defines how digital content can carry a verifiable record of where it came from, who made it, what tools were used, and how it has been changed along the way.
The problem C2PA solves is straightforward: in an era of generative AI and easy manipulation, we can no longer assume that a photograph, video, or document is what it appears to be. Traditional metadata is unreliable. It can be edited, stripped, or fabricated, and most social platforms remove it on upload. C2PA addresses this by binding metadata to content using cryptographic signatures, making any tampering detectable.
The full technical specification is published openly at c2pa.org and is free for any organization to implement. It covers images, video, audio, PDFs, and other file types, and is designed to work across the full content lifecycle, from the camera that captures an image to the platform that publishes it.
Who created C2PA?
C2PA was founded in 2021 by Adobe, Microsoft, BBC, Intel, Truepic, and Arm. Today its members include major camera manufacturers, AI companies, news organizations, and platform operators. The closely allied Content Authenticity Initiative (CAI), led by Adobe, and of which Fotoware is a member since 2023, advocates for C2PA adoption, while the International Press Telecommunications Council (IPTC) coordinates implementation in the news industry.
How does C2PA work?
At its core, C2PA works by attaching a tamper-evident record, called a manifest, to a piece of digital content. The manifest travels with the file and contains a cryptographically signed history of how the content came to be. Any tool that supports C2PA can read this manifest, verify its signatures, and display the result to the viewer.
The process starts at creation. When a C2PA-enabled camera captures an image, or a C2PA-enabled AI tool generates one, the device or software writes a manifest into the file. The manifest records who or what created the content, when, and with what tool. It is signed using a digital certificate issued by a trusted authority, much like an HTTPS website is signed.
As the content moves through editing and distribution, each step can add its own signed manifest. If a photographer crops an image in Photoshop, Photoshop appends a new assertion describing the crop and signs it. If an editor adds a caption in a DAM system, that action can be recorded too. The result is a verifiable chain of custody from capture to publication.
To survive the loss of metadata, which happens when files are screenshotted, re-encoded, or uploaded to platforms that strip metadata, C2PA also supports soft bindings. These use watermarks or perceptual fingerprints to link a file back to its manifest even when the embedded data is gone.
What do Content Credentials show?
When a viewer encounters a piece of content with valid Content Credentials, they can inspect it and see:
- Who created it: the named creator or publishing organization
- What captured or generated it: the camera model, software, or AI tool
- When and where it was created, if the capture device recorded it
- What edits were made: crops, color adjustments, retouching, AI-assisted changes
- Whether AI was involved: clearly flagged if any generative AI was used
- Who signed each step: the certificate authority behind each assertion
If any part of the file has been altered after signing, the verification fails and the viewer is alerted. Credentials cannot be silently changed.
Read more: Content Authenticity: How to protect trust in the digital age
C2PA vs Content Credentials vs Content Authenticity Initiative
People often use C2PA, Content Credentials, and Content Authenticity Initiative interchangeably, but they refer to three different things. Understanding the distinction makes it easier to evaluate tools, partners, and adoption claims.
C2PA is the open technical standard. It defines the file format, the cryptographic methods, and the rules for how a manifest is created, signed, and verified. When a vendor says their product is C2PA-compliant, they mean it follows this specification.
Content Credentials is the user-facing implementation of the C2PA standard. It is the "CR" pin icon that appears on images in Adobe Photoshop, on LinkedIn, or in news outlets that have adopted the technology. When a creator or viewer interacts with C2PA in practice, they almost always encounter it through Content Credentials.
The Content Authenticity Initiative (CAI) is the advocacy and adoption coalition founded by Adobe in 2019. It promotes content provenance across the industry, develops open-source tools, and supports the broader rollout of C2PA. CAI is not the standard itself; it is the community of organizations pushing for its use.
Why C2PA matters: AI, regulation, and the trust crisis
The case for C2PA is rooted in a measurable decline in trust. According to the 2025 Edelman Trust Barometer, 70% of respondents worry that journalists and reporters intentionally mislead the public. The Reuters Institute Digital News Report 2025 found that 58% of audiences are concerned about the authenticity of the news they consume. The World Economic Forum's Global Risks Report 2025 identifies misinformation and disinformation, fueled by AI-generated content, among the top global risks for the next two years.
Generative AI is the accelerant. Tools that produce photorealistic images, video, and audio at scale have made fabricated media easy to create and difficult to identify. Recent studies show how limited human detection really is: in one large test, only 0.1% of participants correctly identified all real and manipulated content, and people were about 36% less likely to spot fake videos than fake images (iProov, 2025). Other research confirms that accuracy is often close to chance (Somoray, Miller & Holmes, 2025). Without a verifiable record of how a piece of content was made, audiences are left to guess.
C2PA gives them something to check. By making provenance verifiable at the point of viewing, it lets newsrooms, brands, and platforms separate authentic content from synthetic or manipulated content. It does not prove that an image is true, but it does prove who created it, what was done to it, and whether anything has changed since.
Read more: The crisis of trust in digital content: GenAI and Content Authenticity
C2PA and the EU AI Act
Regulators are starting to require this kind of transparency. The European Union's AI Act, which entered force in 2024, mandates that AI-generated and AI-manipulated content be clearly labeled. Article 50 of the EU AI Act sets out obligations for providers and deployers of generative AI to mark their outputs in a machine-readable way, and C2PA is widely regarded as the most viable open standard for meeting this requirement. Similar labeling rules are emerging in the United States, the United Kingdom, and other markets.
Where C2PA stands today
C2PA has moved quickly from concept to production. Adoption is accelerating across cameras, AI tools, editing software, and publishing platforms, and a growing set of pilots shows how the standard holds up across real publishing workflows.
The next phase of adoption is about extending provenance across the entire content lifecycle journey. Today, some social networks and content management systems do not yet preserve C2PA manifests when files are uploaded or re-encoded, so the strongest results come from controlling as much of the pipeline as possible. Soft bindings, such as watermarks and fingerprints, together with rapidly expanding platform support, are steadily closing that gap.
So for now, organizations that want end-to-end provenance need to control as much of their pipeline as possible and choose tools that participate in the C2PA standard.
C2PA in action: the Reuters, Canon, and Starling Lab project
What exists in production today is a small but growing set of pilots demonstrating how C2PA holds up across a real publishing workflow. One of the most prominent examples of an end-to-end workflow involves Reuters, Canon, and Starling Lab, with Fotoware DAM serving as the system of record between capture and distribution.
In that workflow, a photojournalist captures an image on a Canon camera fitted with a cryptographic key. At the moment of capture, the camera signs the image with verifiable metadata including a timestamp, location, and device identifier. The authenticated image is then ingested directly into Reuters' Fotoware Digital Asset Management system, where it can be reviewed, captioned, and routed for distribution without breaking the signature chain. The signature is also registered on a public blockchain, so consumers and verifiers downstream can confirm the image is the same one the photographer captured.
Read more about the Reuters, Canon, and Starling Lab project here. >
How a DAM fits into the C2PA workflow
This kind of workflow points to a broader truth: C2PA only works if every stage of the content lifecycle preserves the manifest. A signed image that loses its provenance data the moment it enters a CMS or DAM offers no more trust than an unsigned one. For organizations that produce, edit, and distribute media at scale, the Digital Asset Management system becomes a critical link in the chain.
— "The DAM is responsible for recording and maintaining the conformance, compliance, rights, permissions and all the things you do along the life cycle of an asset. But more than that, simplifying it for end users, customers and partners. The responsibility for the DAM is to simplify it."
On this page