Content Provenance Verification
Free verification for all 31 supported media types. No account required. Verify the provenance of any C2PA-signed content in seconds.
How Verification Works
C2PA verification is a three-step process. Each step is independently verifiable and can be performed with open-source libraries without trusting any third party.
Step 1: Manifest Extraction
The C2PA manifest is extracted from the content. For images, this means locating the JUMBF box in the file container (after the EOI marker for JPEG, in a PNG chunk for PNG, in a uuid box for ISO BMFF formats). For text, this means extracting the manifest data from the embedded Unicode markers. The extracted manifest is a structured CBOR (Concise Binary Object Representation) document containing all claims and assertions.
Step 2: Signature Validation
The COSE (CBOR Object Signing and Encryption) signature in the manifest is validated against the signer's certificate. The certificate chain is verified up to a trusted root. This step confirms that the manifest was genuinely created by the claimed signer and has not been altered since signing. If the certificate has been revoked, that status is checked against the CA's revocation list.
Step 3: Content Hash Comparison
The current content is hashed and compared against the hash recorded in the signed manifest. If they match, the content is unmodified since signing. If they do not match, the content has been altered after the manifest was created. This step is format-specific: for images, the pixel data is hashed; for text, the Unicode character sequence (excluding provenance markers) is hashed; for audio and video, the media data track is hashed.
Verification returns a result for each step. A complete verification result includes the manifest contents (if valid), the signature status (valid, invalid, or untrusted), and the hash comparison result (match or mismatch). A content can have a valid signature but a hash mismatch - this means the manifest is genuine but the content was modified after signing.
Supported Media Types
All 31 types are supported at the verification endpoint. See the media types reference for format-specific embedding details.
Verification API
The public verification endpoint requires no authentication:
# Verify a text document (no auth required)
curl -X POST https://api.encypher.com/v1/verify \
-H "Content-Type: application/json" \
-d '{"text": "Your content here"}'
# Verify an image file (no auth required)
curl -X POST https://api.encypher.com/v1/verify \
-F "file=@image.jpg"
The response includes the manifest contents if verification succeeds:
{
"verified": true,
"signer": {
"name": "Encypher Publishing Corp",
"certificate": "..."
},
"timestamp": "2026-03-15T14:23:00Z",
"hash_match": true,
"assertions": [
{ "label": "c2pa.rights", "value": "bronze" },
{ "label": "c2pa.author", "value": "Jane Smith" }
]
}
Text Verification and Quote Integrity
Text verification extracts provenance from the invisible Unicode markers embedded in the text. The markers encode the C2PA manifest data. Verification strips the markers from the text, reconstructs the manifest, and verifies the signature.
For content signed with Encypher's sentence-level Merkle tree authentication, the verification API supports quote integrity queries: submit a specific sentence and a claimed source document, and verification returns whether that sentence is cryptographically authenticated in the source document.
This is the mechanism behind quote integrity verification for RAG pipelines. An AI system retrieving sentences from a corpus can verify each retrieved sentence against its claimed source before including it in a response. If the sentence has been altered in the corpus - through scraping errors, OCR artifacts, or deliberate modification - verification fails.
Open-Source Verification Libraries
The C2PA verification specification is open. The verification process can be implemented independently of Encypher using open-source libraries:
- c2pa-python: Python library for C2PA manifest reading and verification
- c2pa-js: JavaScript/TypeScript library for browser and Node.js verification
- c2pa-rs: Rust implementation underlying both Python and JS libraries
These libraries verify manifests entirely locally, without any network requests to Encypher or any third party (except optional certificate revocation checks). Enterprise customers who require zero external dependencies for verification can use these libraries within their own infrastructure.
Related Resources
Verify Content Now
Free verification for all 31 media types. No account, no API key, no limit. Upload or paste content and get verification results in under a second.