C2PA explained: What developers need to know
If you've been reading about EU AI Act compliance, you've probably encountered C2PA. Here's what it is, how it works technically, and what it means for your API integration.
What is C2PA?
C2PA (Coalition for Content Provenance and Authenticity) is an open technical standard developed by a coalition including Adobe, Microsoft, Google, Intel, BBC, and others. It defines how to attach cryptographically signed provenance metadata to media files.
When a piece of content has a C2PA manifest, anyone can verify:
- Who created or modified the content
- What tools were used
- When modifications were made
- Whether the metadata has been tampered with
How C2PA works technically
A C2PA manifest is a JSON-LD data structure embedded directly into the file (for images: typically as XMP metadata or in a dedicated JUMBF box for JPEG, PNG, HEIC). The manifest contains:
Claims
A claim records one "action" taken on the content — for example, "this image was generated by DALL-E 3 at 14:32:07 UTC on March 1, 2026 by organization Acme Corp."
Assertions
Claims contain assertions — specific statements about the content. For AI-generated content, the critical assertion is c2pa.ai_generated, which declares that the content was produced by an AI model and records which model.
Signatures
The claim is signed using a private key from a certificate in the C2PA trust hierarchy. Anyone with the corresponding public certificate can verify the signature. If the content is modified after signing, the signature verification fails.
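The claim/assertion/signature relationship above, as an added example that is not part of this page and not code from c2pa-rs: a simplified stand-in manifest in Go in which a claim carries assertions plus a SHA-256 hash of the asset bytes, the claim is signed with an ECDSA P-256 key, and verification checks both the signature and the hash binding. The key is generated inline rather than issued from a certificate in the C2PA trust hierarchy, the claim is canonicalised as plain JSON, and the assertion label and values are sample data taken from or constructed for this page; the real manifest encoding and signing container are more involved than this.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Assertion is one statement about the content (simplified stand-in for a C2PA assertion).
type Assertion struct {
	Label string            `json:"label"`
	Data  map[string]string `json:"data"`
}

// Claim records an action on the content and binds the assertions to the asset bytes via a hash.
type Claim struct {
	Generator  string      `json:"claim_generator"`
	AssetHash  string      `json:"asset_hash"` // hex SHA-256 of the asset bytes at signing time
	Assertions []Assertion `json:"assertions"`
}

// Manifest is the claim plus the signature over its canonical encoding.
type Manifest struct {
	Claim     Claim  `json:"claim"`
	Signature []byte `json:"signature"`
}

func hashBytes(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// claimDigest canonicalises the claim as JSON (struct field order, sorted map keys) and hashes it.
func claimDigest(c Claim) ([]byte, error) {
	enc, err := json.Marshal(c)
	if err != nil {
		return nil, err
	}
	d := sha256.Sum256(enc)
	return d[:], nil
}

// SignManifest builds a claim over asset with the given assertions and signs it with priv.
func SignManifest(priv *ecdsa.PrivateKey, asset []byte, generator string, assertions []Assertion) (Manifest, error) {
	claim := Claim{Generator: generator, AssetHash: hashBytes(asset), Assertions: assertions}
	d, err := claimDigest(claim)
	if err != nil {
		return Manifest{}, err
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, d)
	if err != nil {
		return Manifest{}, err
	}
	return Manifest{Claim: claim, Signature: sig}, nil
}

// VerifyManifest checks (1) the signature over the claim and (2) that the claim's hash still matches asset.
// Either an edited claim or edited asset bytes make it return false.
func VerifyManifest(pub *ecdsa.PublicKey, asset []byte, m Manifest) (bool, error) {
	d, err := claimDigest(m.Claim)
	if err != nil {
		return false, err
	}
	if !ecdsa.VerifyASN1(pub, d, m.Signature) {
		return false, nil // claim altered, or signed by a different key
	}
	return m.Claim.AssetHash == hashBytes(asset), nil // false if the pixels changed after signing
}

// Demo signs a constructed asset and reports verification results for the untouched asset,
// an asset modified after signing, and a manifest whose claim was edited after signing.
func Demo() (signedOK, tamperedAssetOK, tamperedClaimOK bool, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return
	}
	asset := []byte("constructed stand-in for the image bytes") // constructed sample
	assertions := []Assertion{{Label: "c2pa.ai_generated", Data: map[string]string{"model": "example-model"}}}
	m, err := SignManifest(priv, asset, "example-generator/1.0", assertions)
	if err != nil {
		return
	}
	signedOK, err = VerifyManifest(&priv.PublicKey, asset, m)
	if err != nil {
		return
	}
	modified := append([]byte{}, asset...)
	modified[0] ^= 0x01 // one-bit edit to the asset after signing
	tamperedAssetOK, err = VerifyManifest(&priv.PublicKey, modified, m)
	if err != nil {
		return
	}
	edited := m
	edited.Claim.Generator = "someone-else/9.9" // rewrite the claim but keep the old signature
	tamperedClaimOK, err = VerifyManifest(&priv.PublicKey, asset, edited)
	return
}

func main() {
	ok, a, c, err := Demo()
	fmt.Println("untouched:", ok, "asset edited:", a, "claim edited:", c, "err:", err)
}
```

The two-step check is the point: the signature proves the claim was not changed since signing, and the hash inside the claim proves the asset bytes were not changed either; a verifier that skips the second step would accept a valid manifest copied onto a different image.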
What C2PA alone doesn't cover
C2PA metadata lives in the file's metadata layer. This means:
- It can be stripped by image editors, social media platforms, or malicious actors
- Screenshot + re-save removes all C2PA metadata
- JPEG re-encoding by WhatsApp, Twitter/X, etc. typically removes it
This is why the EU Code of Practice requires two additional layers: watermarking (which survives more transformations than metadata) and fingerprinting/logging (which works even when everything else is stripped).
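To make the stripping concrete, here is an added example (not from this page or from any C2PA library) in Go: it builds a small JPEG, splices in an APP11 segment (the JPEG segment type that holds the JUMBF container) with a constructed placeholder payload standing in for a manifest, then decodes and re-encodes the image the way a platform transcode does and checks whether the segment survived. The payload is not a real JUMBF box, and the segment walker only covers the header segments before scan data, which is where the metadata lives.

```go
package main

import (
	"bytes"
	"errors"
	"fmt"
	"image"
	"image/color"
	"image/jpeg"
)

const app11 = 0xEB // JPEG APP11 marker; C2PA's JUMBF container is carried in APP11 segments

// makeJPEG renders a constructed 16x16 gradient and encodes it as a baseline JPEG.
func makeJPEG() ([]byte, error) {
	img := image.NewRGBA(image.Rect(0, 0, 16, 16))
	for y := 0; y < 16; y++ {
		for x := 0; x < 16; x++ {
			img.Set(x, y, color.RGBA{uint8(x * 16), uint8(y * 16), 128, 255})
		}
	}
	var buf bytes.Buffer
	if err := jpeg.Encode(&buf, img, &jpeg.Options{Quality: 85}); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// InsertApp11 splices an APP11 segment carrying payload directly after the SOI marker.
func InsertApp11(jpg, payload []byte) ([]byte, error) {
	if len(jpg) < 2 || jpg[0] != 0xFF || jpg[1] != 0xD8 {
		return nil, errors.New("not a JPEG: missing SOI")
	}
	segLen := len(payload) + 2 // the 16-bit length field counts itself
	if segLen > 0xFFFF {
		return nil, errors.New("payload too large for a single segment")
	}
	out := make([]byte, 0, len(jpg)+4+len(payload))
	out = append(out, 0xFF, 0xD8, 0xFF, app11, byte(segLen>>8), byte(segLen))
	out = append(out, payload...)
	return append(out, jpg[2:]...), nil
}

// HasApp11 walks the marker segments that precede the scan data and reports whether APP11 is present.
func HasApp11(jpg []byte) bool {
	i := 2 // skip SOI
	for i+3 < len(jpg) {
		if jpg[i] != 0xFF {
			return false // malformed segment stream
		}
		marker := jpg[i+1]
		switch {
		case marker == 0xFF: // fill byte
			i++
			continue
		case marker == 0xDA || marker == 0xD9: // SOS (entropy data follows) or EOI: stop
			return false
		case marker == app11:
			return true
		}
		segLen := int(jpg[i+2])<<8 | int(jpg[i+3])
		if segLen < 2 {
			return false
		}
		i += 2 + segLen
	}
	return false
}

// Reencode decodes the JPEG and encodes it again, as a social platform's transcoding step would.
func Reencode(jpg []byte) ([]byte, error) {
	img, err := jpeg.Decode(bytes.NewReader(jpg))
	if err != nil {
		return nil, err
	}
	var buf bytes.Buffer
	if err := jpeg.Encode(&buf, img, nil); err != nil {
		return nil, err
	}
	return buf.Bytes(), nil
}

// Demo reports whether the APP11 segment is present before and after a re-encode.
func Demo() (before, after bool, err error) {
	jpg, err := makeJPEG()
	if err != nil {
		return
	}
	payload := []byte("constructed stand-in for a JUMBF/C2PA manifest box") // not a real JUMBF box
	withMeta, err := InsertApp11(jpg, payload)
	if err != nil {
		return
	}
	before = HasApp11(withMeta)
	re, err := Reencode(withMeta)
	if err != nil {
		return
	}
	after = HasApp11(re)
	return
}

func main() {
	before, after, err := Demo()
	fmt.Println("APP11 before re-encode:", before, "after:", after, "err:", err)
}
```

A decoder that does not understand a segment simply skips it, and an encoder writes only the segments it knows about, so the metadata never reaches the output; the same walker can be used on inbound uploads to log whether content arrived with a manifest at all.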
Implementing C2PA
The C2PA spec is open and implementable. The reference implementation is available in Rust (c2pa-rs). There are also wrappers for Python and Node.js.
However, doing a conformant implementation yourself requires:
- Setting up a certificate chain
- Understanding the JUMBF box structure for different image formats
- Handling the claim/assertion/signature lifecycle
- Testing against the C2PA conformance suite
Verifying C2PA content
Anyone can verify C2PA content using:
- The Content Credentials Verify tool at verify.contentauthenticity.org
- The c2pa-rs library
- Our /v1/verify API endpoint
C2PA and the EU AI Act
The EU AI Act Article 50 references "machine-readable marking" without specifying C2PA by name. However, the EU Code of Practice on AI-generated content (the detailed technical guidance) identifies C2PA as the preferred standard for provenance metadata. Using C2PA ensures you're aligned with the direction the regulation is moving.
Questions about C2PA implementation? Email us at hello@opencorpo.com