Do your images carry C2PA Content Credentials proving where they came from?
Checks whether your images embed a cryptographic provenance manifest that distinguishes them from AI-generated fakes.
What this signal tests
C2PA, the Coalition for Content Provenance and Authenticity, defines a cryptographic manifest that travels inside an image file. The manifest records who created the image and what tools edited it, and it is signed by a recognised signer. We download a sample of your public images, parse the embedded JUMBF metadata, and confirm at least one image carries a valid C2PA manifest with a signature chaining to a trusted C2PA signer.
Why it matters for your visibility in AI
C2PA is now the cross-industry standard backed by Adobe, Microsoft, OpenAI, the BBC, Sony, Nikon, Canon, Leica, and most other major content and camera companies. LLMs and image agents read C2PA manifests directly to distinguish AI-generated images from camera-captured or human-created originals. This distinction is fast becoming a baseline expectation for any visual content used in journalism, e-commerce, or any other context that depends on trust.
The consequence of missing C2PA is asymmetric. AI-generated imagery is increasingly being labelled by the generators themselves with C2PA manifests, so unsigned images stand out as either old, untrustworthy, or AI without a label. For publishers, the absence of credentials makes it harder for AI systems to confidently use your imagery, leading to your competitors' signed images being preferred even if yours are higher quality.
Pass criteria at a glance
| Criterion | Passes when |
|---|---|
| At least one public image has a cryptographically valid C2PA manifest. |
How we test it
We download a small sample of public images from your site (from your homepage, recent articles, or product pages). For each image, we look for the JUMBF metadata structure inside the file. If we find a c2ma or c2um box, we parse the embedded COSE signature, verify the X.509 certificate chain against the C2PA Trust List, and confirm the content-binding hashes match the image bytes. Any image with a valid manifest is enough for the signal to pass.
Technical detection method
Download sample images; parse JUMBF; look for a c2ma/c2um box; validate the COSE signature; verify the X.509 certificate chain against the C2PA Trust List; verify the content-binding hashes against the image bytes.
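The first steps of the check described above (finding the JUMBF data in a JPEG and the c2ma/c2um box inside it) can be sketched as follows. This is an added example, not the scanner's own code: it only detects that a manifest is present and does not validate the COSE signature, the certificate chain or the content hashes. The function names and the sample bytes are constructed for illustration, and APP11 packets are assumed to arrive in order with 32-bit box lengths.

```python
import struct

JUMBF_SUFFIX = bytes.fromhex("00110010800000aa00389b71")  # shared tail of JUMBF type UUIDs

def app11_jumbf(jpeg: bytes) -> bytes:
    """Reassemble the JUMBF data carried in a JPEG's APP11 segments."""
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    out, seen, pos = bytearray(), set(), 2
    while pos + 4 <= len(jpeg) and jpeg[pos] == 0xFF and jpeg[pos + 1] != 0xDA:
        seglen = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]
        body = jpeg[pos + 4:pos + 2 + seglen]
        if jpeg[pos + 1] == 0xEB and body[:2] == b"JP" and len(body) >= 16:
            en = body[2:4]  # box instance number; body[4:8] is the packet sequence number
            # Each packet repeats the 8-byte LBox/TBox header: keep only the first copy.
            out += body[16:] if en in seen else body[8:]
            seen.add(en)
        pos += 2 + seglen
    return bytes(out)

def jumbf_superboxes(jumbf: bytes, depth: int = 0) -> list:
    """List (depth, type tag, label) for every nested JUMBF superbox."""
    found, pos = [], 0
    while pos + 8 <= len(jumbf) and depth < 16:  # depth cap guards against hostile nesting
        size, kind = struct.unpack(">I4s", jumbf[pos:pos + 8])
        if size < 8 or pos + size > len(jumbf):
            break  # truncated box, or a 64-bit XLBox length (not handled here)
        payload = jumbf[pos + 8:pos + size]
        if kind == b"jumb" and payload[4:8] == b"jumd":
            dlen = struct.unpack(">I", payload[:4])[0]
            desc = payload[8:dlen]  # 16-byte type UUID, toggle byte, optional label
            if len(desc) >= 17 and desc[4:16] == JUMBF_SUFFIX:
                label = desc[17:].split(b"\0")[0] if desc[16] & 0x02 else b""
                found.append((depth, desc[:4].decode("latin-1"), label.decode("utf-8", "replace")))
            found += jumbf_superboxes(payload[dlen:], depth + 1)
        pos += size
    return found

def has_c2pa_manifest(jpeg: bytes) -> bool:
    """True if a c2ma (standard) or c2um (update) manifest box is embedded."""
    return any(tag in ("c2ma", "c2um") for _, tag, _ in jumbf_superboxes(app11_jumbf(jpeg)))

# Constructed sample: a manifest store ("c2pa") holding one empty manifest ("c2ma").
def box(kind: bytes, data: bytes) -> bytes:
    return struct.pack(">I4s", 8 + len(data), kind) + data
def superbox(tag: bytes, label: bytes, *kids: bytes) -> bytes:
    return box(b"jumb", box(b"jumd", tag + JUMBF_SUFFIX + b"\x03" + label + b"\0") + b"".join(kids))
STORE = superbox(b"c2pa", b"c2pa", superbox(b"c2ma", b"urn:uuid:constructed-example"))
SIGNED = b"\xff\xd8\xff\xeb" + struct.pack(">H2sHI", 10 + len(STORE), b"JP", 1, 1) + STORE + b"\xff\xd9"
STRIPPED = b"\xff\xd8\xff\xd9"  # same file with its APP11 metadata removed
```

Running `has_c2pa_manifest` on both the file you exported and the copy your CDN serves shows whether an optimisation step removed the manifest on the way.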
If your site fails: how to fix it
- Choose a signing approach. Three common paths: Adobe Content Authenticity (built into Photoshop, Lightroom, and a free Verify tool), Microsoft Content Provenance (in Azure), or the open-source c2patool CLI from c2pa.org. For most teams, Adobe is easiest if you already use Creative Cloud.
- Apply for a C2PA-recognised signing certificate. Most teams use a managed signing service (Adobe, Microsoft) so they do not handle keys directly. For technical teams, c2patool with a PKI signing certificate issued by a recognised CA also works.
- Integrate signing into your asset pipeline. For editorial workflows, sign at export from Photoshop or Lightroom. For programmatic pipelines, run c2patool or the SDK as a step before the image is uploaded to your CMS or CDN.
- Confirm your CDN does not strip metadata. Some image-optimisation services (Cloudflare Polish in default mode, Imgix in lossy mode) remove metadata to save bytes. Configure them to preserve C2PA, or sign after optimisation rather than before.
- Verify a sample image at contentcredentials.org/verify or with the c2patool inspect command. If the manifest validates there, AI systems will read it too.
- Re-run the AI Ready Test scan to confirm at least one sampled public image carries a valid manifest.
Quick facts
| Maturity | EMERGING |
|---|---|
| Weight | high |
| Category | Trust & Provenance |
Frequently asked questions
Will I need IT help to fix this?
Yes, almost certainly. C2PA touches your asset pipeline, your CMS, and your CDN, and signing requires either a managed service account or PKI infrastructure. Expect involvement from a developer, a creative-tools admin, and possibly your hosting team.
Does signing slow down my site or bloat my images?
Very little. A C2PA manifest typically adds a few kilobytes per image, which is small compared to typical image sizes. There is no runtime performance impact; signing happens once at export time.
What if I do not own the original images and use stock or licensed content?
Increasingly, stock providers (Adobe Stock, Getty) sign their images with C2PA at the point of licensing. If you re-export through your own tools, you can preserve and extend the existing manifest. Always preserve incoming credentials rather than stripping them.
How long until the change takes effect?
Once signing is in your pipeline, every newly uploaded image carries credentials. Older images remain unsigned unless you re-export them. AI systems begin to pick up the signal as soon as they recrawl the newer assets, typically within days.