Programmable Media

Content provenance and authenticity (Beta)

Last updated: Dec-11-2024

Important
The content provenance and authenticity feature is currently in Beta. There may be minor changes to parameter names or other implementation details before the general access release. If you would like to try it out, please contact our support team.

Introduction

The Coalition for Content Provenance and Authenticity (C2PA) is a collaboration among tech and media companies to combat online misinformation. It aims to establish standards and tools for verifying the authenticity of digital media, such as images and videos, by capturing and preserving information about their creation and editing. The goal is to prevent the spread of deceptive or manipulated content on the internet.

C2PA defines a specification to accomplish this goal. The tooling used to implement C2PA is provided by the Content Authenticity Initiative (CAI), which consists of various SDKs, a command-line tool, and an underlying Rust library. See the GitHub repo.

You can use this online validation tool to see the history of certifications that have been applied to an image.

Scope

C2PA in Cloudinary is currently available only to customers who request it.

It is implemented for images only (specifically, these output formats: avif, heic, heif, jpg, jpeg, png, svg, tif, tiff, and webp).

Cloudinary authenticates and signs assets on delivery upon request by adding the signature in a new manifest on top of any existing manifests. If the previous signature is invalid, Cloudinary also marks the previous manifest as invalid.

Alterations made by Cloudinary are classified as transcoded or edited. The transcoded actions are defined by a closed whitelist and include: c_fit, c_mfit, c_pad, c_lpad, c_mpad, f_*, q_*, and c_scale with a single dimension, w or h.

All other actions are classified as edited.
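The classification rule above, written out as an added Python example (not Cloudinary's code) that predicts which label a transformation string should receive. The handling of `w_`/`h_` as dimension qualifiers, of bare dimensions without a crop mode, and of `fl_c2pa` as a non-action are assumptions made for this example; the sample strings are constructed.

```python
# Closed whitelist of "transcoded" actions, as listed on this page.
TRANSCODE_CROPS = {"c_fit", "c_mfit", "c_pad", "c_lpad", "c_mpad"}
TRANSCODE_PREFIXES = ("f_", "q_")
# Assumption: w_/h_ qualify the crop mode in the same component.
DIMENSIONS = ("w_", "h_")


def _is_transcode(actions, dims):
    """True if one slash-delimited component stays inside the whitelist."""
    if dims and not any(a.startswith("c_") for a in actions):
        return False  # assumption: bare dimensions are treated as edited
    for action in actions:
        if action in TRANSCODE_CROPS or action.startswith(TRANSCODE_PREFIXES):
            continue
        if action == "c_scale" and len(dims) == 1:
            continue  # c_scale qualifies only with a single dimension
        return False  # everything else is "edited"
    return True


def classify(transformation):
    """Return (signed, label) for a string such as 'c_scale,w_550/fl_c2pa'.

    signed: whether fl_c2pa is present anywhere in the chain.
    label: 'transcoded', 'edited', or None if the chain has no action.
    """
    signed, label = False, None
    for component in transformation.strip("/").split("/"):
        params = [p for p in component.split(",") if p]
        if "fl_c2pa" in params:
            signed = True  # assumption: the flag itself is not an action
        dims = [p for p in params if p.startswith(DIMENSIONS)]
        actions = [p for p in params
                   if p != "fl_c2pa" and not p.startswith(DIMENSIONS)]
        if not actions and not dims:
            continue
        if label != "edited":  # one edited component marks the whole chain
            label = "transcoded" if _is_transcode(actions, dims) else "edited"
    return signed, label


if __name__ == "__main__":
    # Constructed sample transformation strings.
    for t in ("c_scale,w_550/fl_c2pa", "e_cartoonify/fl_c2pa",
              "c_scale,w_550,h_300/fl_c2pa", "c_fit,w_300,h_300/f_webp,q_auto"):
        print(t, "->", classify(t))
```

Comparing the predicted label with what a validation tool reports for the delivered image is a quick way to catch a transformation that unexpectedly records the asset as edited.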

The metadata attached to each asset contains the certificate, a private key, and a timestamp.

Usage

When delivering images that you want to be signed by Cloudinary, include the c2pa flag (fl_c2pa in URLs). For example:

For images that are transcoded but not edited, for example c_scale,w_550/fl_c2pa, a validation tool would show something similar to the following (view in validation tool):

[Image: Transcoded images]

For images that are edited, whether or not they are also transcoded, for example e_cartoonify/fl_c2pa, a validation tool would show something similar to the following (view in validation tool):

[Image: Edited images]

Note
You can use the c2patool on an image file to view its manifests in detail.
