Content Provenance
on CloudFront
Deploy a Lambda@Edge function that adds invisible provenance markers to every article served through CloudFront. One CloudFormation template. No CMS changes. Free for all publishers.
Deploy in 5 Minutes
One CloudFormation stack creates everything you need. No API key required for the free tier. No code changes to your CMS or origin server.
Opens the AWS CloudFormation console in us-east-1. Requires an AWS account.
Launch the Stack
Click the Deploy button above to open AWS CloudFormation with the Encypher template pre-loaded. Check the IAM acknowledgment box at the bottom of the page, then click Create stack. The stack creates a Lambda@Edge function, IAM execution role, and DynamoDB cache table in us-east-1. Takes about 2 minutes.
Connect Your CloudFront Distribution
When the stack shows CREATE_COMPLETE, open the Outputs tab and copy the FunctionVersionArn. Open your CloudFront distribution, go to the Behaviors tab, edit the default behavior, scroll to Function associations, select Lambda@Edge for Origin request, paste the ARN, and save.
Verify
Wait 2-5 minutes for CloudFront to deploy, then check the response headers on any article page. X-Encypher-Provenance: active confirms the worker is signing content. You can also visit yourdomain.com/.well-known/encypher-verify for a JSON status check.
What the stack creates
- Lambda@Edge function (Node.js 20, 128 MB, 30s timeout) that intercepts HTML responses and embeds provenance markers
- IAM execution role with least-privilege permissions for Lambda, CloudWatch Logs, and DynamoDB
- DynamoDB cache table (pay-per-request) that caches signed content plans so repeat visits to the same article resolve from cache instead of calling the API
These resources run on your AWS account. Typical cost is $1-5/month for most publisher sites, depending on traffic volume. The Encypher signing API is free for up to 1,000 unique articles per month.
Need higher volume, leak detection, or C2PA compliance?
How It Works
Three steps from zero to signed articles on CloudFront. One CloudFormation stack, one distribution trigger.
Launch the Stack
Deploy the Encypher Lambda@Edge function with a single CloudFormation template. The stack creates the Lambda function, IAM role, and DynamoDB cache table. No application code changes required.
Associate with Your Distribution
Attach the Lambda@Edge function to your CloudFront distribution as an origin-request trigger. All HTML responses pass through the function before reaching readers.
Protect Every Article
Every article on your site receives invisible provenance markers at the edge. When that content is copied, scraped, or republished, you can trace it back to its source.
Configure with HTML Meta Tags
Control article detection, declare rights, and assign per-block licenses directly from your HTML. No rebuilds, no API calls, no dashboard configuration required.
Article Selector
Override automatic content detection with a CSS selector that targets your article region.
<meta name="encypher-selector" content=".story-body">
Document-Level Rights
Declare usage terms and license for all content on the page. Embedded in the C2PA manifest.
<meta name="encypher-rights" content="All rights reserved."> <meta name="encypher-license" content="CC-BY-4.0">
Per-Block Rights
Assign different licenses to different content blocks. The worker maps each block to the sentences it contains.
<div data-encypher-rights="(c) 2026 Your Publication"
data-encypher-license="CC-BY-4.0">
<p>Your original reporting.</p>
</div>Rights Cascade
The worker resolves rights in order: block-level attributes on individual elements, then document-level meta tags, then your organization's rights profile in the Encypher dashboard. Block-level and document-level rights coexist: document rights serve as the default for content not covered by a block-level attribute.
Works With Your CMS
The Lambda@Edge function detects and protects article content automatically across every major publishing platform. No per-CMS configuration needed.
WordPress
Self-hosted and WordPress.com
Ghost
All Ghost-powered publications
Squarespace
Blog and article pages
Webflow
Rich text content blocks
Substack
Newsletter and post pages
Hugo / Jekyll
Static site generators
News Wires
AP, Reuters, and wire formats
Custom HTML
Any site with configurable selectors
Free vs. Enterprise
Full content provenance is free for every publisher. Enterprise adds leak detection, C2PA compliance, granular licensing, and unlimited volume.
| Feature | Free | Enterprise |
|---|---|---|
| Content provenance on every article | ||
| Sentence-level content tracking | ||
| Automatic CMS compatibility | ||
| Zero performance impact | ||
| Guaranteed site availability | ||
| Article selector override via meta tags | ||
| Document-level rights and license declarations | ||
| Per-block rights via HTML data attributes | ||
| Monthly article volume | 1,000 articles | Unlimited |
| Leak source identification | - | |
| C2PA manifest compliance | - | |
| Attribution analytics dashboard | - | |
| Dedicated support and named account manager | - |
Built for Publisher Sites
Designed for reliability at CDN scale. No performance impact on your site, no risk to availability.
Works With Every CMS
Automatic content detection across WordPress, Ghost, Squarespace, Webflow, Substack, Hugo, news wires, and custom HTML. No per-CMS configuration needed.
Invisible, Persistent Protection
Provenance markers are invisible to readers. They survive copy-paste into Google Docs, Slack, social media, and AI prompts, so you can trace content wherever it travels.
DynamoDB Edge Caching
Signed content plans are cached in DynamoDB with native TTL. Subsequent requests for the same article resolve from cache with no API round-trip.
Your Site Never Breaks
If anything goes wrong, the function serves your original page unchanged. Provenance is additive. It never degrades your site availability or reader experience.
Protect Every Article on CloudFront
One CloudFormation stack. DynamoDB caching at the edge. Know where your content goes when it is copied, scraped, or ingested by AI.