What Is C2PA? The Complete Guide to Content Provenance and Authenticity

C2PA (Coalition for Content Provenance and Authenticity) is an open technical standard that attaches cryptographically signed metadata to digital files, creating a tamper-evident record of who made the content, what tools were used, and whether AI was involved. The current specification is version 2.3, published in February 2026.

In practical terms, C2PA creates a “manifest” — a structured data object embedded in or attached to a file — that functions like a chain-of-custody document for digital media. Every creation action, edit, and export can be logged in the manifest and cryptographically signed so that any subsequent tampering invalidates the signature. When you encounter a file with C2PA metadata, you can verify its entire creation history without trusting the person who sent it to you. The manifest is the proof.

C2PA was developed to solve a problem that worsens every year: as AI makes it trivially easy to generate realistic content, there is no reliable way to distinguish human-created media from synthetic output. The standard doesn’t attempt to detect AI content after the fact. Instead, it documents the creation process at the source — capturing provenance data at the moment of creation so that authenticity questions can be answered definitively, not probabilistically.

The standard is maintained by the C2PA organization and governed by a steering committee that includes Adobe, Google, Microsoft, OpenAI, Amazon, Meta, BBC, Sony, and Publicis Groupe.

C2PA operates through three interlocking mechanisms: manifests, assertions, and signatures.

Manifests are the container. A C2PA manifest is a structured data object that holds the complete provenance record for a piece of content. It can be embedded directly in the file (for formats like JPEG, PNG, WAV, MP3, and M4A) or stored as a sidecar file alongside the content (for formats like FLAC and OGG where the specification does not yet support embedding). Each manifest contains one or more assertions and a cryptographic signature.

Assertions are the claims. Each assertion is a specific, structured statement about the content — who created it, what software was used, whether AI was involved, what edits were made, and when each action occurred. The Creator Assertions Working Group (CAWG) maintains the standard assertion vocabulary using the cawg.* label prefix. For AI-assisted works, assertions can specify the IPTC Digital Source Type (e.g., compositeWithTrainedAlgorithmicMedia for works combining human creativity with AI-generated elements), the AI model used, and the nature of human contributions.

Signatures are the seal. Every manifest is cryptographically signed using a certificate that identifies the signing entity. This means any modification to the file or its metadata after signing will invalidate the signature — creating a tamper-evident record. RightsDocket uses Ed25519 digital signatures and applies RFC 3161 cryptographic timestamps from a trusted third-party Time Stamping Authority to establish both identity and temporal proof.

The result: a file with a C2PA manifest carries its own verifiable biography. Anyone who receives the file can inspect the manifest to see exactly how it was made, without relying on the sender’s word.

C2PA adoption has accelerated rapidly since 2024. The coalition now includes representation across every major layer of the content supply chain.

Creation tools: Adobe (Photoshop, Lightroom, Firefly), Microsoft (Bing Image Creator, M365), Google (Pixel cameras), Leica, Nikon, Canon, and Samsung have all implemented or announced C2PA support in their creation tools. Microsoft began adding AI watermarks and C2PA metadata to M365 content in February 2026.

Platforms and distributors: TikTok has labeled over 1.3 billion videos with AI provenance data. YouTube, Meta, and LinkedIn surface Content Credentials to users. Google’s Pixel 10 became the first smartphone to achieve C2PA Conformance Program certification.

AI providers: OpenAI, Google DeepMind (via SynthID), Meta, and Amazon embed C2PA metadata in AI-generated outputs. Google has watermarked over 20 billion images via SynthID.

Media and publishing: BBC, the Associated Press, The New York Times, Reuters, and Publicis Groupe are steering committee members, signaling that editorial and advertising content will increasingly require provenance metadata.

Governments and regulators: The NSA and CISA jointly published guidance recommending Content Credentials for content authentication. The EU AI Act Article 50 mandates machine-readable marking that C2PA satisfies. California’s SB 942 (effective January 2026) and AB 853 (effective January 2027) impose AI transparency requirements that align with C2PA’s architecture.

The adoption trajectory points in one direction: files without provenance metadata will face increasing friction in distribution, licensing, and regulatory compliance.

Not yet as a named standard — but the regulatory framework effectively mandates what C2PA provides.

EU AI Act Article 50 requires that AI-generated or AI-manipulated content be “marked in a machine-readable format” and detectable as such. Enforcement begins August 2, 2026, with penalties of up to 15 million EUR or 3% of global annual turnover. The EU’s draft Code of Practice on AI-Generated Content (published December 2025, final version expected June 2026) explicitly recommends C2PA Content Credentials as the metadata layer, alongside imperceptible watermarking. While the regulation does not mandate C2PA by name, C2PA is the only open standard that satisfies the technical requirements at scale.

U.S. Copyright Office requirements do not reference C2PA, but the USCO’s human authorship and AI disclosure mandates create a documentation need that C2PA manifests directly address. When registering AI-assisted works, applicants must file a Limitation of Claim that distinguishes human-authored elements from AI-generated elements. A C2PA manifest with properly structured assertions provides the evidentiary foundation for this disclosure.

California SB 942 (effective January 2026) requires large AI providers to disclose AI involvement in generated content. California AB 853 (effective January 2027) requires platforms to detect and surface provenance data on uploaded content.

China’s AI content labeling regulations (in force since September 2025) mandate visible and machine-readable marking for AI-generated content.

The pattern across jurisdictions is consistent: regulators are requiring provenance documentation. C2PA is the infrastructure that delivers it.

Creators and compliance teams often encounter three distinct provenance technologies. They are complementary, not competing.

C2PA Content Credentials record the full creation history — tools, edits, contributors, AI involvement — as a cryptographically signed manifest embedded in or alongside the file. They satisfy the EU AI Act metadata marking requirement and are human-readable via inspection tools. However, they do not survive screenshots or social media re-uploads that strip metadata.

Digital watermarking injects an imperceptible pattern into the media signal itself, identifying the content’s origin. Watermarks survive compression, cropping, and screenshots — making them robust against manipulation. However, they require specialized detection tools and carry low legal evidentiary value on their own. Google’s SynthID is the most widely deployed example.

RFC 3161 timestamping provides cryptographic proof that a specific file existed at a specific time, issued by a trusted third-party Time Stamping Authority. Timestamps carry high legal evidentiary value and are admissible in most jurisdictions. However, any file modification changes the hash, so timestamps prove a point in time, not an ongoing chain of custody.

The EU Code of Practice recommends a multi-layered approach: C2PA metadata for structured provenance, watermarking for robustness, and timestamping for legal defensibility. RightsDocket combines C2PA manifest generation with RFC 3161 timestamping in a single export, providing two of the three layers.

Music created with AI tools presents a unique provenance challenge. Platforms like Suno and Udio export bare audio files — MP3s or WAVs with zero embedded metadata about the creation process, the AI model used, or the human contributions involved. The provenance gap is total.

This matters for three reasons.

Copyright registration: The U.S. Copyright Office requires a Limitation of Claim for AI-assisted works. Without structured documentation of which elements are human-authored (lyrics, melody, arrangement decisions) and which are AI-generated (production, synthesis, accompaniment), the registration is at risk of examiner correspondence — adding $350+ in fees and months of delay — or rejection.

Distribution access: Deezer reports that 28% of uploaded tracks are now AI-generated, approximately 50,000 per day. Major distributors and PROs (ASCAP, BMI, SOCAN) accept AI-assisted works on an honor system, but provenance requirements are tightening. UMG’s strategic licensing deal with Udio signals the industry is shifting from litigation to licensing — making provenance infrastructure critical for catalog acceptance.

EU AI Act compliance: Audio content created with AI tools falls under Article 50’s transparency requirements. By August 2, 2026, AI-generated audio must carry machine-readable provenance marking. Creators who publish AI-assisted music without C2PA metadata risk non-compliance in every EU market.

RightsDocket bridges this gap with a custom com.rightsdocket.audio-provenance C2PA assertion type that binds ISRC and ISWC identifiers into cryptographic envelopes — connecting bare AI audio exports to the music industry’s legacy metadata systems. The platform generates C2PA manifests for MP3, WAV, and M4A files (embedded), with sidecar manifest support for FLAC and OGG.

RightsDocket generates C2PA manifests as part of its provenance record export. The implementation is built on @contentauth/c2pa-node-v2 (the current SDK — the original c2pa-node package is officially deprecated) and follows the C2PA specification version 2.3.

Every provenance record exported from RightsDocket includes a C2PA manifest with structured assertions documenting human contributions, AI tool usage, IPTC Digital Source Type classification (compositeWithTrainedAlgorithmicMedia for mixed human-AI works), and contributor roles — all using the cawg.* assertion label format per current CAWG standards.

The manifest data also generates USCO-ready Limitation of Claim language mapped directly from the C2PA assertions. The same structured data that populates the manifest produces the claim language the Copyright Office requires for eCO filing — eliminating the need to prepare two separate documentation workflows.

Each export includes an RFC 3161 cryptographic timestamp binding the manifest to a trusted third-party Time Stamping Authority certificate, establishing when the provenance record was created, plus an Ed25519 digital signature ensuring the entire provenance record (PDF + JSON export) is tamper-evident.

The result is a single export that satisfies three requirements simultaneously: C2PA content provenance for EU AI Act compliance, USCO claim documentation for copyright registration, and cryptographic evidence for legal defensibility.