Provenance Guide · Mar 30, 2026 · 16 min read

What Is C2PA? The Complete Guide to Content Provenance and Authenticity

C2PA is the open standard for content provenance: cryptographically signed metadata about who created a file and how. Plus EU AI Act Article 50 implications.

Abhi Basu

Freshness Check

Last reviewed Mar 30, 2026. This guide was reviewed against the C2PA specification v2.3 and current EU AI Act implementation timeline on March 30, 2026. Re-check if the C2PA organization publishes a new specification version or the EU finalizes the Code of Practice on AI-Generated Content.

Direct Answer

C2PA (Coalition for Content Provenance and Authenticity) is an open technical standard that attaches cryptographically signed metadata to digital files, creating a tamper-evident record of who signed the content, what tools were declared, and whether AI involvement was disclosed. The current specification is version 2.3, published in February 2026.

Under EU AI Act Article 50, machine-readable content marking becomes mandatory for AI-generated content beginning August 2, 2026. RightsDocket includes a C2PA-aware signing and verification workflow for supported audio assets, while the broader review and filing context stays in the provenance package. The legal and review intelligence does not live in the manifest.

What Is C2PA?

In practical terms, C2PA creates a “manifest” — a structured data object embedded in or attached to a file — that carries signed provenance assertions for digital media. Creation and edit steps can be logged in that manifest, and subsequent tampering invalidates the signature. What the manifest proves is narrower than many product claims suggest: it shows what the signer declared and what the signature protects, not an independently verified ground truth.

C2PA was developed to solve a problem that worsens every year: as AI makes it trivially easy to generate realistic content, there is no reliable way to distinguish human-created media from synthetic output. The standard doesn’t attempt to detect AI content after the fact. Instead, it documents signed provenance assertions at the source so authenticity questions can be answered with machine-readable evidence rather than guesswork. It is the machine-readable layer of a copyright provenance chain.

The standard is maintained by the C2PA organization and governed by a steering committee that includes Adobe, Google, Microsoft, OpenAI, Amazon, Meta, BBC, Sony, and Publicis Groupe.

How Does C2PA Work?

C2PA operates through three interlocking mechanisms: manifests, assertions, and signatures.

Manifests are the container. A C2PA manifest is a structured data object that holds the complete provenance record for a piece of content. It can be embedded directly in the file (for formats like JPEG, PNG, WAV, MP3, and M4A) or stored as a sidecar file alongside the content (for formats like FLAC and OGG where the specification does not yet support embedding). Each manifest contains one or more assertions and a cryptographic signature.

Assertions are the claims. Each assertion is a specific, structured statement about the content — who created it, what software was used, whether AI was involved, what edits were made, and when each action occurred. The Creator Assertions Working Group (CAWG) maintains the standard assertion vocabulary using the cawg.* label prefix. For AI-assisted works, assertions can specify the IPTC Digital Source Type (e.g., compositeWithTrainedAlgorithmicMedia for works combining human creativity with AI-generated elements), the AI model used, and the nature of human contributions.

Signatures are the seal. Every manifest is cryptographically signed using a certificate that identifies the signing entity. This means any modification to the file or its metadata after signing will invalidate the signature — creating a tamper-evident record. RightsDocket's export artifacts separately use Ed25519 signatures and RFC 3161 timestamps as part of the provenance package proof stack.

The result is machine-readable provenance evidence that a verifier can inspect. That is useful supporting proof, but it is not the entire review record and it is not a substitute for the broader provenance package.
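
The three mechanisms above, as an added example (not RightsDocket's or the C2PA project's code): a simplified JSON model of assertions, a claim that hashes each assertion, and an Ed25519 signature over the claim, using Node's built-in crypto module. The JSON layout, the function names, and the sample asset bytes are assumptions made for illustration; real manifests are encoded as JUMBF/CBOR with COSE signatures and X.509 certificates.

```javascript
// Added example: simplified JSON model of a C2PA-style manifest, not the real wire format.
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest('hex');
const bytes = (obj) => Buffer.from(JSON.stringify(obj));

// Assertions -> claim (one hash per assertion) -> signature over the claim.
function signManifest(asset, declared, privateKey) {
  const binding = { label: 'c2pa.hash.data', data: { alg: 'sha256', hash: sha256(asset) } };
  const assertions = [...declared, binding];
  const claim = { assertions: assertions.map((a) => ({ label: a.label, hash: sha256(bytes(a)) })) };
  return { assertions, claim, signature: crypto.sign(null, bytes(claim), privateKey).toString('base64') };
}

// Check the signature first, then every assertion hash, then the asset binding.
function verifyManifest(asset, m, publicKey) {
  const sig = Buffer.from(m.signature, 'base64');
  if (!crypto.verify(null, bytes(m.claim), publicKey, sig)) return 'claim signature invalid';
  if (m.assertions.length !== m.claim.assertions.length) return 'assertion count mismatch';
  for (const [i, ref] of m.claim.assertions.entries()) {
    const a = m.assertions[i];
    if (a.label !== ref.label || sha256(bytes(a)) !== ref.hash) return `assertion ${ref.label} altered`;
  }
  const binding = m.assertions.find((a) => a.label === 'c2pa.hash.data');
  if (!binding || binding.data.hash !== sha256(asset)) return 'asset does not match hard binding';
  return 'valid';
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  const iptc = 'http://cv.iptc.org/newscodes/digitalsourcetype/';
  const asset = Buffer.from('constructed stand-in for audio bytes');
  const actions = (type) => [{ label: 'c2pa.actions',
    data: { actions: [{ action: 'c2pa.created', digitalSourceType: iptc + type }] } }];
  const honest = signManifest(asset, actions('compositeWithTrainedAlgorithmicMedia'), privateKey);

  const relabeled = JSON.parse(JSON.stringify(honest)); // edit the AI disclosure after signing
  relabeled.assertions[0].data.actions[0].digitalSourceType = iptc + 'digitalCapture';
  const rehashed = JSON.parse(JSON.stringify(relabeled)); // ...and also fix up the claim hash
  rehashed.claim.assertions[0].hash = sha256(bytes(rehashed.assertions[0]));
  return {
    untouched: verifyManifest(asset, honest, publicKey),
    assetEdited: verifyManifest(Buffer.concat([asset, Buffer.from([0])]), honest, publicKey),
    assertionEdited: verifyManifest(asset, relabeled, publicKey),
    claimRehashed: verifyManifest(asset, rehashed, publicKey),
    // A false declaration made at signing time verifies: the signature binds, it does not fact-check.
    falseAtSigning: verifyManifest(asset, signManifest(asset, actions('digitalCapture'), privateKey), publicKey),
  };
}

console.log(demo());
```

The last result is the limit described earlier: a verifier can confirm what the signer declared and that nothing changed afterwards, but not that the declaration was true.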

Who Supports C2PA?

C2PA adoption has accelerated rapidly since 2024. The coalition now includes representation across every major layer of the content supply chain.

Creation tools: Adobe (Photoshop, Lightroom, Firefly), Microsoft (Bing Image Creator, M365), Google (Pixel cameras), Leica, Nikon, Canon, and Samsung have all implemented or announced C2PA support in their creation tools. Microsoft began adding AI watermarks and C2PA metadata to M365 content in February 2026.

Platforms and distributors: TikTok has labeled over 1.3 billion videos with AI provenance data. YouTube, Meta, and LinkedIn surface Content Credentials to users. Google’s Pixel 10 became the first smartphone to achieve C2PA Conformance Program certification.

AI providers: OpenAI, Google DeepMind (via SynthID), Meta, and Amazon embed C2PA metadata in AI-generated outputs. Google has watermarked over 20 billion images via SynthID.

Media and publishing: BBC, the Associated Press, The New York Times, Reuters, and Publicis Groupe are steering committee members, signaling that editorial and advertising content will increasingly require provenance metadata.

Governments and regulators: The NSA and CISA jointly published guidance recommending Content Credentials for content authentication. The EU AI Act Article 50 mandates machine-readable marking that C2PA satisfies. California’s SB 942 (effective January 2026) and AB 853 (effective January 2027) impose AI transparency requirements that align with C2PA’s architecture.

The adoption trajectory points in one direction: files without provenance metadata will face increasing friction in distribution, licensing, and regulatory compliance.

Is C2PA Required by Law?

Not yet as a named standard — but the regulatory framework effectively mandates what C2PA provides.

EU AI Act Article 50 requires that AI-generated or AI-manipulated content be “marked in a machine-readable format” and detectable as such. Enforcement begins August 2, 2026, with penalties of up to 15 million EUR or 3% of global annual turnover. The EU’s draft Code of Practice on AI-Generated Content (published December 2025, final version expected June 2026) explicitly recommends C2PA Content Credentials as the metadata layer, alongside imperceptible watermarking. While the regulation does not mandate C2PA by name, C2PA is the leading open standard used to satisfy those technical requirements at scale.

U.S. Copyright Office requirements do not reference C2PA, but the USCO’s human authorship and AI disclosure mandates create a documentation need that C2PA manifests can support. When registering AI-assisted works, applicants must file a Limitation of Claim that distinguishes human-authored elements from AI-generated elements. The broader evidentiary foundation still comes from contemporaneous documentation and review, not from the manifest alone.

California SB 942 (effective January 2026) requires large AI providers to disclose AI involvement in generated content. California AB 853 (effective January 2027) requires platforms to detect and surface provenance data on uploaded content.

China’s AI content labeling regulations (in force since September 2025) mandate visible and machine-readable marking for AI-generated content.

The pattern across jurisdictions is consistent: regulators are requiring provenance documentation. C2PA is the infrastructure that delivers it.

How Does C2PA Compare to Watermarking and Timestamping?

Creators and compliance teams often encounter three distinct provenance technologies. They are complementary, not competing.

C2PA Content Credentials record the full creation history — tools, edits, contributors, AI involvement — as a cryptographically signed manifest embedded in or alongside the file. They satisfy the EU AI Act metadata marking requirement and are human-readable via inspection tools. However, they do not survive screenshots or social media re-uploads that strip metadata.

Digital watermarking injects an imperceptible pattern into the media signal itself, identifying the content’s origin. Watermarks survive compression, cropping, and screenshots — making them robust against manipulation. However, they require specialized detection tools and carry low legal evidentiary value on their own. Google’s SynthID is the most widely deployed example.

RFC 3161 timestamping provides cryptographic proof that a specific file existed at a specific time, issued by a trusted third-party Time Stamping Authority. Timestamps carry high legal evidentiary value and are admissible in most jurisdictions. However, any file modification changes the hash, so timestamps prove a point in time, not an ongoing chain of custody.

The EU Code of Practice recommends a multi-layered approach: C2PA metadata for structured provenance, watermarking for robustness, and timestamping for legal defensibility. RightsDocket currently provides RFC 3161 timestamping, Ed25519-signed evidence artifacts, and a C2PA-aware signing and verification workflow for supported audio assets.

How Does C2PA Apply to AI-Assisted Music?

Music created with AI tools presents a unique provenance challenge. Platforms like Suno and Udio export bare audio files — MP3s or WAVs with zero embedded metadata about the creation process, the AI model used, or the human contributions involved. The provenance gap is total.

This matters for three reasons.

Copyright registration: The U.S. Copyright Office requires a Limitation of Claim for AI-assisted works. Without structured documentation of which elements are human-authored (lyrics, melody, arrangement decisions) and which are AI-generated (production, synthesis, accompaniment), the registration is at risk of examiner correspondence — adding $350+ in fees and months of delay — or rejection.

Distribution access: Deezer reports that 28% of uploaded tracks are now AI-generated, approximately 50,000 per day. Major distributors and PROs (ASCAP, BMI, SOCAN) accept AI-assisted works on an honor system, but provenance requirements are tightening. UMG’s strategic licensing deal with Udio signals the industry is shifting from litigation to licensing — making provenance infrastructure critical for catalog acceptance.

EU AI Act compliance: Audio content created with AI tools falls under Article 50’s transparency requirements. By August 2, 2026, AI-generated audio must carry machine-readable provenance marking. Creators who publish AI-assisted music without C2PA metadata risk non-compliance in every EU market.

RightsDocket’s C2PA-aware workflow is designed to connect bare AI audio exports to a verifiable project record. In the current workflow, MP3, WAV, and M4A are the embedded-target formats, while FLAC and OGG use sidecar handling.

How Does RightsDocket Use C2PA Today?

RightsDocket includes a C2PA-aware signing, verification, and compliance-export path for supported audio assets in the current workflow. MP3, WAV, and M4A are the current embedded-target formats. FLAC and OGG use sidecar handling.

When a supported signed asset is present, the C2PA manifest carries standard-conformant provenance facts such as hashes, CAWG assertions, and signer/readback state. The legal and review intelligence does not live in the manifest — it stays in the provenance package.

RightsDocket also generates deterministic claim language from the same structured project record when filing is part of the workflow. That filing context is review logic, not C2PA manifest payload.

Export artifacts use cryptographic hashes, Ed25519 signing, and RFC 3161 trusted timestamps as part of the proof stack, producing structured evidence exports and verification-backed review surfaces.

The result is a single workflow that supports deterministic claim language, legal/client review, and C2PA-backed proof for supported assets without implying that every asset always carries embedded credentials.

About the Author

Abhi Basu

The RightsDocket editorial team covers music copyright, AI provenance, and legal documentation for creators and counsel. Guides are reviewed against current USCO guidance, distributor terms, and emerging AI copyright case law.

Frequently asked questions

What does C2PA stand for?

C2PA stands for Coalition for Content Provenance and Authenticity. It is both the name of the organization and the technical standard it maintains for embedding cryptographically signed provenance metadata into digital content. The current specification version is 2.3, published in February 2026.

Are Content Credentials the same as C2PA?

Content Credentials are the human-readable expression of C2PA metadata — the visible layer that shows viewers where content came from and how it was made. C2PA is the underlying technical standard; Content Credentials are the consumer-facing application, developed by the Content Authenticity Initiative (CAI) led by Adobe.

Can C2PA metadata be faked?

The metadata itself is cryptographically signed, so altering it after creation invalidates the signature. However, C2PA documents what the signer claims happened — it does not independently verify those claims. A bad actor could theoretically create a manifest with false assertions, but the signing certificate would identify who made the false claim, creating accountability.

Does C2PA work with audio files?

Yes. In RightsDocket's current workflow, MP3, WAV, and M4A are the embedded-target formats. FLAC and OGG use sidecar handling.

Is C2PA free to use?

The C2PA standard is open and royalty-free. Anyone can implement it. The specification, reference tools, and open-source SDKs are available at c2pa.org and through the Content Authenticity Initiative.
