The C2PA Standard
The Coalition for Content Provenance and Authenticity defines how cryptographic provenance is embedded in digital content. Over 200 member organizations. C2PA 2.3 published January 8, 2026.
Encypher authored Section A.7 of the C2PA 2.3 specification, which defines text provenance - the framework for embedding and verifying provenance in articles, posts, and unstructured text.
What Is C2PA?
The Coalition for Content Provenance and Authenticity (C2PA) is a standards body that publishes open technical specifications for digital content provenance. It is not a product, not a platform, and not a certification body. It defines how content provenance manifests are structured, embedded, and verified.
C2PA operates under the Joint Development Foundation, an affiliate of the Linux Foundation. The specification is free to implement. Governance is community-driven, with working groups for specific media types and use cases.
The major members include Adobe (who operates the Content Authenticity Initiative), Microsoft, Google, BBC, Reuters, OpenAI, Qualcomm, Intel, Arm, NVIDIA, Sony, and Truepic. Encypher is a member and co-chairs the Text Provenance Task Force.
C2PA History and Versions
How C2PA Manifests Work
A C2PA manifest contains four main components. You do not need to understand the technical details to use C2PA - the Encypher API handles all of this automatically - but understanding the structure helps in evaluating the standard.
JUMBF Container
For images and media files, the manifest is stored in a JUMBF (JPEG Universal Metadata Box Format) container embedded in the file's binary. JUMBF is a standardized format for metadata boxes that supports nesting - a manifest can contain multiple claims, each with its own signature. The container is part of the file but ignored by applications that do not implement C2PA.
Claim Structure
A claim is the core data unit in a C2PA manifest. It records: who created or modified the content (the assertion), what actions were taken (the actions list, such as "created," "edited," "transcoded"), the content hash at signing time, and any ingredients (source files used to produce this file, with their own manifests). Claims are structured as CBOR (Concise Binary Object Representation) for compact encoding.
COSE Signature
COSE (CBOR Object Signing and Encryption) is the signing standard used for C2PA claims. It is the same cryptographic foundation as JOSE (JSON Object Signing and Encryption) but uses CBOR encoding for compactness. The COSE signature covers the claim hash. If the claim is altered after signing, the signature verification fails. The signer's public key certificate is included in the manifest for independent verification.
Certificate Chain
The manifest includes the signer's X.509 certificate chain, which allows any verifier to validate the signature without a central registry. Publishers use their own certificates (BYOK - bring your own key) or Encypher-managed certificates depending on their compliance requirements. The chain anchors to a trusted root certificate authority, the same infrastructure used for TLS and code signing.
C2PA for Text: Section A.7
Standards Authority
Encypher authored Section A.7 of the C2PA 2.3 specification. Erik Svilich co-chairs the C2PA Text Provenance Task Force. This is the definitive standard for embedding provenance in unstructured text content.
Text presents unique challenges for content provenance. Unlike image or video files, plain text has no binary container to embed a JUMBF manifest. Section A.7 defines three encoding approaches:
Invisible Text Encoding
Encypher's text provenance technology embeds C2PA manifest data invisibly within text content. The encoding is undetectable to readers and survives copy-paste across digital platforms. This is Encypher's primary text encoding method.
Sidecar Manifest
A separate manifest file accompanying the text content. Useful for content management systems where modifying the text itself is not appropriate. The manifest references the text content by hash.
Remote Reference
The text includes a reference (URL or cryptographic identifier) to a manifest stored externally. Provides a path for very long documents where inline embedding would be impractical.
C2PA authenticates text at the document level. Sentence-level Merkle tree attribution - which identifies exactly which sentences were used or modified - is Encypher's proprietary technology, built on top of the C2PA framework.
Read Section A.7 in the C2PA SpecificationC2PA vs. Other Approaches
C2PA vs. SynthID (Google DeepMind)
SynthID is a statistical watermarking system that embeds imperceptible patterns in AI-generated images and audio. It identifies AI-generated content by detecting these patterns - a probabilistic approach. C2PA is cryptographic: verification succeeds or fails with certainty. SynthID cannot prove who created content or when; C2PA can. SynthID is fragile under aggressive compression; C2PA manifests are stored in a dedicated container. SynthID is proprietary to Google; C2PA is open.
C2PA vs. Blockchain Provenance
Blockchain systems record content hashes on a distributed ledger. The provenance record lives on the chain, not in the content. When content is copied or redistributed without the chain reference, provenance is lost. C2PA manifests are embedded in the file and travel with it. Blockchain also introduces transaction costs and latency; C2PA verification is free and offline. See the full comparison.
C2PA vs. Fingerprinting
Perceptual hashing (pHash) and content fingerprinting identify content by its visual or acoustic characteristics. These are lookup systems: you compare a fingerprint against a database to find a match. C2PA is a signing system: the manifest contains all necessary verification data. Fingerprinting requires a populated database and cannot prove creation date or rights terms. C2PA is self-contained.
C2PA vs. AI Detection
AI detection tools classify content as human-written or AI-generated using machine learning models. They produce probabilities, not proof. False positive rates are significant - human-written content is frequently misclassified, with serious consequences in academic and professional contexts. C2PA does not detect; it proves. A C2PA manifest on AI-generated content proves it was AI-generated. A C2PA manifest on human-authored content proves that too.
Who Implements C2PA
C2PA adoption spans hardware manufacturers, software platforms, AI companies, and news organizations.
Camera Manufacturers
Leica, Nikon, Sony - embedding C2PA manifests at capture for photojournalism authenticity.
AI Image Generators
Adobe Firefly, DALL-E (OpenAI), Midjourney - marking AI-generated images with C2PA digital source type fields.
Social Platforms
LinkedIn, TikTok - displaying Content Credentials badges on supported content.
News Organizations
BBC, Reuters, Associated Press - signing news photography for distribution authenticity.
Tech Platforms
Adobe (Photoshop, Lightroom, Premiere), Microsoft (Bing Image Creator, Designer).
Text Provenance
Encypher - Section A.7 authors, co-chairs of the Text Provenance Task Force. The only commercial implementation of C2PA text provenance.
C2PA and Regulation
EU AI Act
Article 52(1) of the EU AI Act requires providers of AI systems that generate images, audio, and video to ensure outputs are marked as AI-generated in a machine-readable format. Article 50 (effective August 2024) covers general-purpose AI systems used in consumer-facing applications. The August 2, 2026 deadline triggers fines for non-compliance.
C2PA manifests with the appropriate digital source type field satisfy the machine-readable marking requirement. The EU AI Act does not mandate C2PA specifically, but C2PA is the dominant open standard aligned with the requirement. Confirm with your legal counsel that your specific implementation satisfies the obligations in your jurisdiction.
US Copyright Law
US copyright law distinguishes between innocent infringement (where the infringer had no notice of the copyright) and willful infringement (where notice existed). C2PA manifests with embedded rights terms constitute formal notice to any party who encounters the content. This distinction matters for statutory damages: up to $30,000 per work for innocent infringement, up to $150,000 per work for willful infringement. C2PA does not create a legal right - that is governed by copyright law - but it does establish the notice that converts one damage category to the other.
Potential US Framework
Multiple pieces of US legislation have referenced C2PA or similar standards as a basis for AI content marking requirements. The DEFIANCE Act (2024) and proposed NO FAKES Act both address synthetic media. While no US federal AI marking mandate exists as of March 2026, several states have enacted requirements for AI-generated political content, most referencing machine-readable marking standards.
Implementing C2PA with Encypher
Encypher provides the only commercial API that implements C2PA across all 31 supported MIME types, including the Section A.7 text provenance specification. Three lines of code sign a document.
Related Topics
What Is Content Provenance?
The definitive guide to content provenance: why it matters, how it works, and how it applies across 31 media types.
Cryptographic Watermarking
How deterministic proof of origin is embedded in content and why it is fundamentally different from statistical watermarking.
C2PA Terminology
Definitions for JUMBF, COSE, claim structure, ingredient chain, digital source type, and other C2PA terms.
C2PA and EU AI Act
How C2PA satisfies Article 52 machine-readable marking requirements before the August 2, 2026 deadline.
Conformance Explorer
Browse all products that have passed C2PA conformance testing. Search by company, product type, or media format.
Frequently Asked Questions About C2PA
What does C2PA stand for?
C2PA stands for Coalition for Content Provenance and Authenticity. It is the standards body - not a product or platform - that defines how content provenance manifests are structured, embedded, and verified. The coalition has over 200 member organizations.
Who founded C2PA?
C2PA was founded in 2021 by Adobe, Arm, Intel, Microsoft, Qualcomm, and Twitter (now X). The Content Authenticity Initiative (CAI), operated by Adobe, provides a public-facing interface and verification tools. The two organizations work in parallel: CAI raises awareness, C2PA defines the standard.
What is a C2PA manifest?
A C2PA manifest is a structured record embedded in a content file that contains: who created the content, when it was created, what tools were used, any edits or transformations made, and a cryptographic signature proving the record has not been altered. For images and video, the manifest is stored in a JUMBF container. For text, it is embedded using a protocol defined in Section A.7.
What is Section A.7 of the C2PA specification?
Section A.7 of the C2PA 2.3 specification defines how provenance manifests are embedded into unstructured text - articles, social posts, and any text-based content. It defines encoding methods, integrity verification, and the claim structure for text content. Encypher authored this section. The specification was published on January 8, 2026.
Is C2PA free to implement?
Yes. The C2PA specification is free to read and implement. Open-source verification libraries are available in multiple languages. The standard is governed as a community specification under the Joint Development Foundation.
Does C2PA work across the internet?
C2PA manifests are embedded in content files and travel with the content. Any party with the signed content and access to the publisher's public key can verify provenance independently, without network access to a central registry. The certificate chain within the manifest provides the verification path.
What is the difference between C2PA and the Content Authenticity Initiative (CAI)?
C2PA is the technical standards organization that publishes the specification. The Content Authenticity Initiative (CAI), run by Adobe, is a broader coalition that promotes adoption and provides consumer-facing tools like the Content Credentials browser plugin. CAI implements C2PA; it does not replace it.
How does C2PA handle AI-generated content?
C2PA defines a "digital source type" field in the claim that identifies how content was produced. AI-generated content is marked with c2pa.digitalSourceType of trainedAlgorithmicMedia or compositeWithTrainedAlgorithmicMedia. This machine-readable flag satisfies EU AI Act Article 52 marking requirements for AI-generated images, audio, and video.
Implement C2PA Today
The only commercial API that covers all 31 C2PA MIME types, including Section A.7 text provenance. Free tier available.