What is C2PA and why do you need a manifest?
The Coalition for Content Provenance and Authenticity (C2PA) is the open technical standard, adopted as ISO/IEC 22144 in 2025, that defines how to attach a tamper-evident "nutrition label" to digital content. The label is called a manifest. It says who created the asset, what tools were used, whether AI was involved, and whether it has been edited since. Adobe's "Content Credentials" feature is the most visible consumer-facing implementation, but the standard itself is publicly documented and any tool can produce or verify a manifest.
By 2026, three forces are pushing C2PA adoption from "nice to have" to "required": the EU AI Act (Article 50 mandates machine-readable provenance for AI-generated content shown to the public starting August 2026), platform pressure (Meta, TikTok, YouTube, and X all read C2PA manifests when present), and consumer-trust signals (Sony, Nikon, and Canon ship cameras that sign every photo at the moment of capture). If you ship anything that produces images, video, or audio β especially with AI in the loop β you need a manifest in your assets.
What this C2PA manifest generator builds
Paste your asset details into the form on the left. The tool produces a JSON document conforming to the C2PA 2.x manifest schema with the assertions you select. It does not sign the manifest with a certificate β that step still requires a private key, which is something you should never paste into a webpage. Instead, the generated JSON is meant to be fed into a signing tool you control: c2patool (Adobe's open-source CLI), the C2PA Rust SDK, the C2PA JavaScript SDK, or any of the commercial signing services like Truepic, Numbers Protocol, or Verify.Photo.
The generator covers the assertions that 95% of practical use cases need:
- c2pa.actions β declares whether the asset was
created,edited, orcomposited. Includes the C2PAdigitalSourceTypevalues that distinguish a fully-AI-generated image from a human-authored image with AI assistance. - c2pa.training-mining β sets do-not-train flags so AI companies that respect the standard skip your work when scraping for datasets. Mirrors IPTC's "DataMining" rights.
- c2pa.creative-work β author name, identifier, copyright string, all in Schema.org format.
- Ingredients β references parent assets when your output is a derivative work.
- Claim generator β identifies the software that produced the manifest (your app + version).
How a complete C2PA manifest looks
The C2PA spec uses JUMBF (JPEG Universal Metadata Box Format) as the container, but the manifest contents are structured JSON. A minimal valid manifest has four parts: a claim_generator string, a title, an array of assertions, and (after signing) a signature. The output produced here covers the first three. For step four you run, for example, c2patool input.jpg -m manifest.json -o output.jpg with your signing certificate on disk.
EU AI Act and C2PA β what changes August 2026
Article 50 of the EU AI Act, taking effect on 2 August 2026, requires providers of generative AI systems to "ensure that the outputs of the AI system are marked in a machine-readable format and detectable as artificially generated." The Act explicitly cites C2PA-style provenance as a recommended implementation. Deepfakes also require a visible disclosure in addition to the embedded manifest. The fines for non-compliance are up to β¬15M or 3% of global revenue β the second-highest tier in the Act, behind only banned-use violations.
FAQ
Does this tool sign the manifest? No. Signing requires a private key that should never be exposed to a browser. Use c2patool on your own machine for that step.
Will TikTok / Instagram / YouTube actually display these credentials? All three platforms read C2PA manifests when present. Display behavior varies. As of 2026, TikTok shows a "AI-generated" label automatically when the manifest declares trainedAlgorithmicMedia; Meta does the same on Instagram and Facebook; YouTube exposes credentials in the description panel.
Can I claim my image is human-made when it isn't? Technically yes (the manifest is whatever you put in it), but you'd be lying in a signed document β which means the signing certificate can be revoked and the lie is provable. The whole point of the standard is to make this kind of fraud detectable.
Where can I learn the full spec? The C2PA technical specification is published at c2pa.org/specifications. The current version is 2.1 (October 2025). ISO/IEC 22144:2025 is the formal international standard.
What's the difference between C2PA and SynthID? SynthID (Google DeepMind) is an in-pixel watermark β invisible noise that survives screenshots and minor edits. C2PA is a metadata manifest β richer information but stripped if a downstream tool removes EXIF. The two are complementary; major AI providers ship both.
What if I don't have a signing certificate? Adobe's Content Authenticity Initiative offers a free trust list for individual creators. For commercial use, certificates from DigiCert, GlobalSign, or other CAs cost $50β500/year. The C2PA manifest itself is free and open.
Related tools you might need
Adding C2PA to a single asset is rarely the whole compliance picture. A typical AI publishing stack also wants: an AI Disclosure Generator for visible labels, an AI Bill of Materials for documenting which models and datasets were used, an EU AI Act Risk Assessment to confirm which obligations apply, and a Prompt Injection Tester to harden the prompt that drove the generation. We ship all of those at TinyTools.
One-liner integrations
For a Node.js pipeline: npm install c2pa, then read the JSON this tool produces and pass it as the manifestDefinition field. For a Python pipeline: pip install c2pa-python. For a CLI workflow: download c2patool from the C2PA GitHub releases, then run c2patool input.jpg -m manifest.json -s mycert.pem -k mykey.pem -o output.jpg.