- What it is: C2PA gives every generated asset a signed chain of custody (model identity, input hashes, transforms applied) so downstream consumers can verify origin without trusting the sender.
- Why it matters: Consent and provenance are about to become regulated requirements in major markets (EU AI Act transparency provisions, US NO FAKES Act framework), so “we didn’t think about this” is no longer a safe starting point for a new synthetic-media pipeline.
- The gotcha: manifests and watermarks address different threat models and degrade differently. Shipping one without understanding the other leaves real gaps; the section “the hard part” covers exactly where each breaks.
Who this is for: engineers and architects building or auditing pipelines that generate, remix, or transform images, audio, or video using generative models. You should be comfortable with HTTP APIs, object storage, and a little JSON signing vocabulary. You do not need a background in law: the goal here is the engineering surface, not legal advice.
The problem shows up at 3am, not in the design review
Imagine your team ships a voice synthesis feature. Users upload a short clip, the model clones the voice, the generated audio goes out the API. Six months later a takedown request arrives: a creator claims their voice was used without consent. Your logs show API calls and output files. You do not have the input hash, the model version at inference time, or any record of what consent signal (if any) the submitting user provided. You cannot reconstruct the audit trail the legal team needs.
This is not a hypothetical edge case. It is the default outcome of building generative pipelines without deliberate provenance instrumentation. The good news is that the apparatus to prevent it exists and is increasingly standardized. The harder news is that you have to wire it in: it does not come for free with any current foundation model API.
The two interlocking problems are consent and provenance. Consent is a claim about permission: was this person’s likeness, voice, or copyrighted material legitimately available for this use? Provenance is a claim about origin: what inputs and transformations produced this output, and who attested to that? Both problems enter at different stages of the pipeline, and solving one does not solve the other.
Mechanics: where consent and provenance enter the pipeline
A typical synthetic-media pipeline has three stages where these problems require explicit engineering choices. Figure 1 shows the structure; the sections below walk each stage.
flowchart TD
A[Training data ingestion] -->|consent signal in metadata| B[Model training / fine-tuning]
B -->|model identity + version| C[Inference request]
C -->|input hash + consent attestation| D[Generation]
D -->|C2PA manifest sign| E[Signed asset + watermark]
E --> F[Storage / distribution]
F -->|audit query| G[Takedown / compliance check]
style A fill:#e8f4f8
style C fill:#e8f4f8
style E fill:#d4edda
Figure 1. The three consent and provenance decision points in a generative pipeline. Blue nodes are where consent signals must be captured or verified; green is where provenance is cryptographically anchored.
Stage 1: training data and consent signals
Consent problems enter at dataset construction. The most common source is web crawl data, where content was published under some implicit or explicit license but that license was never propagated into the training pipeline in a machine-readable form.
C2PA and Adobe’s Content Credentials standard define a metadata layer that creators can attach to files to express permitted uses, including opting out of generative AI training. The c2pa.training-mining assertion in the C2PA specification provides a structured field for exactly this signal. In practice, very little content published before 2024 carries these assertions, but a growing set of dataset providers are building consent into their licensing chains going forward. Getty Images’ licensed generative offering and Shutterstock’s contributor program both anchor consent at the licensing agreement level and expose it to downstream users.
The minimum viable approach for a team that cannot re-curate an entire training set is to document what consent signals were available (or unavailable) during dataset construction, and to carry that documentation forward as part of the model card. A model card that says “trained on Common Crawl from 2023; no C2PA opt-out filtering was applied” is more honest, and more auditable, than silence.
Stage 2: inference-time consent attestation
At inference time, the question shifts from “was this training data licensed” to “does the person whose likeness or voice is being used consent to this specific use.” This is particularly acute for face synthesis, voice cloning, and style transfer.
The engineering hook here is the request payload. A pipeline that captures, at request time, a consent token or reference (something that ties the specific request to a verified consent record) can reconstruct that chain later. What form the token takes depends on the use case: it might be a reference to a signed consent record in an identity system, a hash of a terms-of-service acceptance with a timestamp, or an operator-level attestation that the submitting platform has its own consent mechanism.
The US NO FAKES Act framework (advancing through Congress as of early 2026) and the EU AI Act’s transparency provisions for synthetic media are both moving toward requiring this kind of audit trail. The engineering choice now is whether to build the hook into the pipeline from day one or retrofit it under deadline.
Stage 3: output provenance with C2PA manifests
C2PA is a JPEG/PNG/PDF/MP4 metadata standard jointly developed by Adobe, Microsoft, Intel, and a coalition of media organizations. A C2PA manifest is a JSON-LD structure embedded in or sidecar-linked to an asset that records the asset’s provenance chain. Figure 2 shows the internal structure of a manifest.
graph TD
M[C2PA Manifest] --> AS[Asset signature\nJOSE / COSE]
M --> CM[Claim metadata\ntimestamp, claim generator, DC:title]
M --> INS[Ingredient assertions\nhash of each input asset]
M --> ACT[Action assertions\nstep-by-step transforms]
M --> CRA[Creative work assertion\nC2PA creative work type]
M --> TR[Training-mining assertion\nuse permissions]
AS --> CRT[X.509 certificate chain\nlinked to issuer]
Figure 2. The internal structure of a C2PA manifest. The claim is signed with a COSE or JOSE signature linked to an X.509 certificate; ingredient assertions record input hashes so downstream verifiers can detect if inputs were substituted.
The key insight in C2PA is the ingredient assertion. Every input asset referenced during generation gets hashed and recorded. If you generated an image by fine-tuning on a source photograph, the hash of that photograph is in the manifest. This creates a verifiable chain: if someone later asks “what inputs went into this output,” you can reconstruct the answer from the manifest, not from memory.
A C2PA manifest for a generative output looks roughly like this (abbreviated):
{
"claim_generator": "Acme Image Studio/1.4.2 c2pa-rs/0.28.0",
"claim_generator_info": [
{ "name": "Acme Image Studio", "version": "1.4.2" }
],
"assertions": [
{
"label": "c2pa.actions",
"data": {
"actions": [
{
"action": "c2pa.created",
"digitalSourceType": "http://cv.iptc.org/newscodes/digitalsourcetype/trainedAlgorithmicMedia",
"parameters": {
"description": "Generated from text prompt using diffusion model"
}
}
]
}
},
{
"label": "c2pa.training-mining",
"data": {
"entries": {
"c2pa.ai_generative_training": { "use": "notAllowed" },
"c2pa.ai_inference": { "use": "allowed" }
}
}
}
]
}
The claim_generator string in the JSON above follows a user-agent convention: the application name and version come first, followed by the underlying C2PA engine. c2pa-rs is the core Rust library that does the actual manifest signing and verification; the Python bindings used later in this article wrap it directly. An integrator using those bindings will see c2pa-rs/<version> appended to their own application identifier in every manifest they produce.
The digitalSourceType field is worth calling out. The IPTC digital source type vocabulary defines values that distinguish a photograph from a composite from a generative output. trainedAlgorithmicMedia signals that the content was produced by a generative model, not by a camera. Platforms, browsers, and downstream validators can read this field to surface appropriate UI signals to end users without needing to inspect the image visually.
A worked sign-and-verify flow
The C2PA reference implementation ships as a Rust library (c2pa-rs) with Python and Node.js bindings. A basic sign flow, in Python, looks like this:
import c2pa
# Load cert + key (PEM files your PKI issues)
with open("certs/signing.pem", "rb") as f:
sign_cert = f.read()
with open("certs/signing.key", "rb") as f:
sign_key = f.read()
# c2pa.Signer is the real constructor in c2pa-python
signer = c2pa.Signer(
sign_cert=sign_cert,
sign_key=sign_key,
alg="es256",
tsa_url="http://timestamp.digicert.com",
)
builder = c2pa.Builder({
"claim_generator": "acme-pipeline/2.1",
"assertions": [
{
"label": "c2pa.actions",
"data": {
"actions": [{
"action": "c2pa.created",
"digitalSourceType":
"http://cv.iptc.org/newscodes/digitalsourcetype/trainedAlgorithmicMedia"
}]
}
}
]
})
with open("output.jpg", "rb") as src, open("signed_output.jpg", "wb") as dst:
builder.sign(signer, "image/jpeg", src, dst)
Verification is the other half. A consumer verifying an asset calls c2pa.Reader, which extracts the manifest, validates the signature chain against the embedded certificates, and checks each ingredient hash against the actual bytes. A hash mismatch means the asset was modified after signing. A valid signature from an unknown or expired certificate means the chain of trust is incomplete. Neither case proves the content is “trustworthy” in a human sense: they prove only that the stated provenance has or has not been tampered with since signing.
import c2pa, json
reader = c2pa.Reader.from_file("signed_output.jpg")
manifest_store = json.loads(reader.json())
active = manifest_store["manifests"][manifest_store["active_manifest"]]
print("Claim generator:", active["claim_generator"])
for assertion in active["assertions"]:
print("Assertion:", assertion["label"])
# Ingredient validation is automatic during from_file();
# reader.validations() returns any hash or cert errors
for status in reader.validations():
print("Validation issue:", status)
The hard part: what survives editing and what does not
This is where most teams get a false sense of security. A signed C2PA manifest provides a verifiable chain of custody from the moment of signing forward, but it has three properties that practitioners often misunderstand.
Manifests can be stripped. Any image editor, transcoding tool, or social media platform that re-encodes the asset without C2PA awareness will silently drop the manifest. The JPEG/PNG/MP4 bytes are still valid after stripping; only the sidecar or embedded metadata disappears. Adobe’s Content Credentials cloud service addresses part of this by anchoring a manifest hash to a content credentials ledger so that even if the manifest is stripped from the file, a match can be recovered by hash lookup. But this depends on the pipeline having registered the asset with that service at signing time.
Ingredient hashes cover what was provided, not what was omitted. If a pipeline synthesizes a face from a text prompt and the generation model was trained on unlicensed data, the manifest will accurately record the prompt and the model identifier, but it cannot record whether the model’s training data was licensed. Provenance of the output does not retroactively establish provenance of the model weights.
Consent revocation is not natively supported. C2PA records the consent state at signing time. If a creator later withdraws consent (a real scenario under frameworks like the EU AI Act’s right to object) the manifest does not update. The consent revocation has to be tracked in a separate system (a consent management platform, a takedown registry, a rights management database), and the pipeline has to check that system at query time, not at signing time. This is an operational integration problem, not a C2PA limitation per se, but it is a gap that teams consistently underestimate.
Perceptual watermarking covers a different threat model. Watermarks like Google DeepMind’s SynthID (for images and audio) and Meta’s Stable Signature approach embed a signal directly into pixel or audio data that survives moderate re-encoding, resizing, and JPEG compression. They are not a substitute for C2PA: they survive stripping that would destroy a manifest, but they are not cryptographically signed to a specific identity or time. The right architecture uses both: C2PA for auditable chain of custody, perceptual watermarking as a fallback signal that the content was synthetically generated even after the manifest is gone.
Figure 3 maps which threat each mechanism addresses.
quadrantChart
title Provenance mechanism coverage
x-axis "Survives re-encoding" --> "Fragile to re-encoding"
y-axis "Identity-linked" --> "Statistical signal only"
quadrant-1 Weak provenance
quadrant-2 Strong provenance
quadrant-3 Robust detection
quadrant-4 Fragile detection
C2PA manifest: [0.75, 0.2]
Perceptual watermark (SynthID): [0.2, 0.75]
Cryptographic hash: [0.85, 0.15]
Invisible ink / stego: [0.35, 0.7]
Figure 3. Provenance mechanism coverage across two axes: how well the signal survives re-encoding, and whether the signal is identity-linked vs. statistical. C2PA manifests are strongly identity-linked but fragile to stripping; perceptual watermarks survive more transforms but carry no identity binding. The robust approach uses both.
Integration and day-to-day pipeline instrumentation
For a team building a new generative pipeline, the minimum viable provenance setup has four artifacts stored alongside each generated output:
- The SHA-256 hash of each input asset (file or URL, as applicable).
- The model identifier and version tag at inference time.
- An operator-level attestation of consent status (a reference to a consent record, or an explicit “no consent signal available: operator attestation pending” flag).
- The signed C2PA manifest embedded in or linked to the output file.
Object storage with immutable versioning handles the audit trail for items 1-3. AWS S3 Object Lock (WORM mode) and GCS bucket lock both provide write-once guarantees that prevent silent post-hoc alteration of the record. The C2PA manifest (item 4) is embedded or sidecarred at generation time.
For teams building on top of API providers (OpenAI image generation, ElevenLabs for voice, Stability AI for images), the model will not sign a C2PA manifest on your behalf. The minimum viable approach is to log every request and response with the relevant input hashes to a write-once store, then treat your application layer as the signing party. You are attesting “this API call, with these inputs, at this time, produced this output,” which is less rich than a manifest signed by the model operator, but it is the provenance record you can actually produce with current tooling.
Running periodic checks against takedown registries and consent revocation records is an operational process, not just a one-time setup. The pipeline design should make that check queryable: “given this output hash, what consent records apply to its inputs, and have any been revoked?”
Related work and positioning
C2PA and the Coalition for Content Provenance and Authenticity are the central standard here. The specification is openly published, the reference implementation is open source (c2pa-rs on GitHub), and adoption includes Adobe Photoshop and Firefly, Microsoft Bing Image Creator, and several video generation platforms as of early 2026. The CAI (Content Authenticity Initiative), Adobe’s industry advocacy arm for C2PA adoption, maintains a browser plugin and web app for inspecting Content Credentials on any asset.
SynthID (Google DeepMind) and Stable Signature (Meta Research) are the leading perceptual watermarking approaches. SynthID is available for text watermarking via the Gemini API and for image and audio generation through Google Cloud services. Stable Signature is a research release that modifies a diffusion model’s fine-tuning so that outputs carry a detectable watermark without visible degradation.
IPTC digital source type vocabulary provides the taxonomy for labeling how content was produced, and it is directly referenced in C2PA assertions. The digitalsourcetype values distinguish original photos, composite images, trained algorithmic media, and other provenance categories in a way that downstream platforms can act on.
Model cards (Hugging Face / Google Brain convention) address the training-data provenance question at the model level rather than the output level. A well-maintained model card records dataset composition, data collection practices, and known limitations. This does not replace output-level provenance but it is the right place to document consent decisions made during training.
The EU AI Act (entering force in phases from 2024) includes transparency requirements for AI-generated content, including a requirement that synthetic audio, image, and video content be labeled in a machine-readable format. C2PA’s digitalSourceType and trainedAlgorithmicMedia assertion are designed to satisfy exactly this kind of requirement, though the implementing technical standards were still being finalized as of early 2026.
Where it breaks
Re-encoding at distribution. Most social platforms transcode uploaded video and re-compress uploaded images. That process strips C2PA manifests unless the platform has explicitly integrated the C2PA SDK into its media processing pipeline. As of early 2026, very few have. This means that for content distributed primarily through social channels, the manifest survives only until the first re-encode. CAI’s content credential cloud service (anchor-by-hash) partially addresses this, but only for assets registered before distribution.
Certificate expiry and revocation. A C2PA signature is only as good as the certificate chain backing it. Certificates expire; certificate authorities can be compromised. A manifest signed today with an unexpired certificate may be unverifiable in three years if the CA is not trusted or the timestamp service record is unavailable. Long-lived archival use cases need a timestamp authority that is itself archived, not just linked.
Watermark removal attacks. Perceptual watermarks are robust to incidental degradation (resizing, JPEG compression, mild noise), but they are not robust to adversarial removal attacks. An adversary who knows the watermark scheme can apply targeted perturbations that destroy the watermark while preserving visual quality. Research on watermark robustness is active; no current scheme is adversarially secure in the general case.
No cross-platform consent registry. There is no global consent database. A consent record stored in one platform’s system is invisible to another platform’s compliance check. A creator who opted out of AI training on one platform has no mechanism to propagate that signal to crawlers or other datasets. C2PA’s training-mining assertion helps for future content, but the installed base of uncredentialed content on the web remains large.
Low-latency pipelines. Signing a C2PA manifest involves cryptographic operations and, if using a timestamp authority, a network round trip. For real-time or near-real-time generation pipelines (live video synthesis, interactive voice generation), this latency may be unacceptable. The practical options are async signing (generate now, sign and store the manifest asynchronously, accept a brief window of unsigned output) or pre-signing at a model session level rather than per-output.
Training data retroactivity. The biggest gap that C2PA and consent frameworks do not address is the existing body of models already trained on data for which no consent was tracked. C2PA governs new outputs; it says nothing about what the model learned or from what. This is a policy and legal question more than an engineering one, but it is the objection that practitioners building on foundation models will face, and the honest answer is that output-level provenance does not cure training-data provenance gaps.
Further reading
The C2PA specification [1] is the authoritative source on manifest structure, assertion types, and signing requirements. The c2pa-rs reference implementation [2] is the starting point for any Rust or Python integration. Adobe’s Content Authenticity Initiative [3] provides a browser plugin for inspecting credentials and a developer portal for integrating the SDK. The IPTC digital source type vocabulary [4] defines the taxonomy used in digitalSourceType assertions. The Hugging Face model cards paper [5] covers model-level provenance documentation. Google DeepMind’s SynthID technical overview [6] describes the watermarking approach for images and audio. The EU AI Act text [7] covers the transparency requirements for synthetic media, and the NO FAKES Act draft [8] covers the US consent framework for digital replicas. For a technical survey of watermarking robustness, see the Fernandez et al. paper on Stable Signature [9]. The CAI content credentials cloud service documentation [10] describes the anchor-by-hash approach for post-distribution recovery.
Written with AI assistance, editorially reviewed.
References
[1] Coalition for Content Provenance and Authenticity, “C2PA Technical Specification.” https://c2pa.org/specifications/specifications/1.4/specs/C2PA_Specification.html
[2] C2PA, “c2pa-rs: Rust SDK for C2PA.” https://github.com/contentauth/c2pa-rs
[3] Adobe Content Authenticity Initiative, “Developer Portal.” https://contentauthenticity.org/
[4] IPTC, “Digital Source Type NewsCodes.” https://cv.iptc.org/newscodes/digitalsourcetype/
[5] Mitchell M. et al., “Model Cards for Model Reporting.” ACM FAccT 2019. https://arxiv.org/abs/1810.03993
[6] Google DeepMind, “SynthID: Identifying AI-generated content.” https://deepmind.google/technologies/synthid/
[7] European Parliament and Council, “Regulation (EU) 2024/1689 - AI Act.” https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:32024R1689
[8] US Senate, “NO FAKES Act of 2024 (draft).” https://www.congress.gov/bill/118th-congress/senate-bill/4875
[9] Fernandez P. et al., “The Stable Signature: Rooting Watermarks in Latent Diffusion Models.” ICCV 2023. https://arxiv.org/abs/2303.15435
[10] Content Authenticity Initiative, “Content Credentials Cloud.” https://contentcredentials.org/verify