What Is C2PA Metadata?
C2PA stands for the Coalition for Content Provenance and Authenticity — a joint effort from Adobe, Microsoft, the BBC, Intel, and others to define a standard way of attaching verifiable provenance information to media files. Content Credentials is the consumer-facing brand built on top of the C2PA technical standard.
"C2PA metadata" is the bundle of structured information a C2PA-aware tool embeds inside an image (or video, or audio) file: who or what created it, which application produced it, whether AI was involved, and a chain of edits that have been applied since.
What's actually in a C2PA manifest?
A C2PA manifest is a structured record stored inside a JUMBF box embedded in the file. A typical manifest can contain:
- Claim generator — the tool that produced the manifest (e.g., "Adobe Photoshop 25.x", "Bing Image Creator").
- Assertions — facts about the asset: when it was created, on what device, by which user, what edits were applied, whether AI generation or training was involved.
- Ingredients — references to source assets that fed into this one (a thumbnail of the original photo before edits, for example).
- A signature — a cryptographic signature from a trusted issuer that lets a verifier confirm the manifest hasn't been tampered with.
You don't normally see any of this; it's binary data inside the file. The official Content Credentials Verify tool is the easiest way to inspect a manifest visually.
How is it stored inside an image?
The manifest is wrapped in a JUMBF box (JPEG Universal Metadata Box Format) and then placed inside the image file using format-specific containers:
- JPEG — inside APP11 marker segments.
- PNG — inside a custom caBX chunk.
- WebP — inside RIFF chunks.
- HEIF / AVIF / MP4 — inside ISOBMFF boxes.
The manifest does not change pixel data. It rides alongside the image in a metadata container.
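As an added illustration (not code from this page or from the C2PA project), the sketch below walks the JPEG and PNG containers described above and reports whether a JUMBF/C2PA payload appears to be present. The function names, the `jumb`/`c2pa` byte-string heuristic and the sample bytes are assumptions constructed for the example; it does not parse the manifest or validate its signature.

```python
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"

def jpeg_app11_payloads(data):
    """Walk JPEG marker segments up to SOS; return APP11 (FF EB) payloads."""
    out, pos = [], 2                       # skip SOI (FF D8)
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker == 0xDA or length < 2:   # SOS reached, or malformed length
            break
        if marker == 0xEB:
            out.append(data[pos + 4:pos + 2 + length])
        pos += 2 + length                  # the length field counts itself
    return out

def png_cabx_payloads(data):
    """Walk PNG chunks (length, type, data, CRC); return caBX chunk data."""
    out, pos = [], len(PNG_SIG)
    while pos + 12 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        if ctype == b"caBX":
            out.append(data[pos + 8:pos + 8 + length])
        pos += 12 + length
    return out

def scan_for_c2pa(data):
    """Presence heuristic only: no JUMBF parsing, no signature validation."""
    if data[:2] == b"\xff\xd8":
        container, payloads = "JPEG APP11", jpeg_app11_payloads(data)
    elif data[:8] == PNG_SIG:
        container, payloads = "PNG caBX", png_cabx_payloads(data)
    else:
        return None                        # WebP and ISOBMFF are not covered
    blob = b"".join(payloads)
    return {"container": container, "segments": len(payloads),
            "jumbf": b"jumb" in blob, "c2pa_label": b"c2pa" in blob}

# Constructed samples (not real images): just enough structure to walk.
FAKE_JUMBF = b"\x00\x00\x00\x1ejumb\x00\x00\x00\x16jumd" + b"c2pa" + b"\x00" * 10
def _seg(marker, body):    # JPEG segment: FF, marker, 2-byte length, body
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(body) + 2) + body
def _chunk(ctype, body):   # PNG chunk; CRC zeroed, the walker does not check it
    return struct.pack(">I", len(body)) + ctype + body + b"\x00" * 4
APP0 = _seg(0xE0, b"JFIF\x00")
SAMPLE_JPEG = b"\xff\xd8" + APP0 + _seg(0xEB, b"JP\x00\x01\x00\x00\x00\x01" + FAKE_JUMBF) + b"\xff\xda"
SAMPLE_PNG = PNG_SIG + _chunk(b"IHDR", b"\x00" * 13) + _chunk(b"caBX", FAKE_JUMBF) + _chunk(b"IEND", b"")
STRIPPED_JPEG = b"\xff\xd8" + APP0 + b"\xff\xda"   # same file with no APP11 segment
```

A positive result here only means a container is present; whether the manifest is intact and signed by a trusted issuer still requires a full validator.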
Who's producing C2PA metadata today?
You may encounter Content Credentials on images produced by:
- Adobe products (Photoshop, Lightroom, Firefly).
- Microsoft Bing Image Creator and Microsoft Designer (AI generations are signed by default).
- Some camera firmware (Leica M11-P, Sony Alpha series, Nikon Z9).
- OpenAI's image-generation outputs (in some configurations).
- Newsroom workflows participating in the C2PA initiative.
This list grows over time. The presence (or absence) of a manifest by itself doesn't tell you much about an image; what matters is what the manifest says when you open it.
How to check whether an image has C2PA metadata
Two practical options:
- Use the official Content Credentials Verify tool — it parses the manifest, validates the signature, and shows you the assertions in human-readable form. This is the authoritative answer.
- Use our lightweight C2PA Checker for a quick browser-side scan. It looks for JUMBF markers and known C2PA label strings; it's not a full validator, but it's fast.
Why someone might want to remove it
Embedded metadata of any kind — EXIF, IPTC, XMP, C2PA — has a long history of leaking more information than people intend. Reasonable reasons to drop metadata before sharing an image online include:
- Avoiding leaking a camera's serial number, GPS location, or originating account.
- Producing a clean output for a context that doesn't need provenance (a stock photograph used in a presentation, a screenshot for documentation).
- Reducing file size for large batches of uploads.
If those describe your situation, our C2PA remover drops the manifest as a side effect of re-encoding to JPG, locally in your browser.
When you should not remove it
Don't remove C2PA metadata in order to:
- Misrepresent who created an image, or hide that AI was involved when an audience reasonably expects to know.
- Strip credit lines or licensing terms you're not authorized to remove.
- Conceal evidence of manipulation in journalism, evidence, or identity-verification contexts.
- Evade platform rules that require provenance disclosures for synthetic media.
See our Acceptable Use Policy for the line we draw and our reasoning.
Further reading
- The C2PA Specification (2.0)
- contentcredentials.org — Content Credentials, the consumer brand built on C2PA
- Content Credentials Verify — the official inspector