How to Check Content Credentials (C2PA) and Verify a Photo

Quick answer: Content Credentials (built on the open C2PA standard) are a tamper-evident "nutrition label" cryptographically attached to an image that records who made it, what tools touched it, and whether AI was involved. To check them, open a Content Credentials verifier (contentcredentials.org/verify or the Adobe inspect tool), drop the image, and read the manifest. Note: C2PA only exists if the creating tool added it, and it can be stripped, so absence is not proof. Cross-check with EXIF and forensics.

In 2026, "is this photo real or AI?" is a question almost everyone asks at some point, and Content Credentials are the most reliable answer the industry has agreed on so far. This guide explains what they are, how to check them in under a minute, what the manifest actually shows you, and the important limits that keep them from being a magic lie detector.

What C2PA and Content Credentials are, and who uses them

C2PA stands for the Coalition for Content Provenance and Authenticity, a standards group whose members include Adobe, Microsoft, Google, OpenAI, Intel, and the BBC. Content Credentials is the consumer-facing name for the same thing: a small, cryptographically signed block of provenance data attached to a media file.

Think of it as a tamper-evident seal. When a tool that supports the standard creates or edits an image, it writes a signed manifest into the file. The signature means that if someone changes the pixels or the manifest afterward, the verifier can tell the seal was broken. The manifest records a chain: where the file came from, what software touched it, and whether AI was part of the process.

Who actually adds Content Credentials today:

• Adobe apps (Photoshop, Lightroom, Firefly) can attach them on export.
• Cameras from Leica, Sony, and Nikon can sign images at the moment of capture on certain pro models.
• AI generators including OpenAI (DALL-E and images from ChatGPT), Google (Gemini and Imagen), and Adobe Firefly embed Content Credentials marking the image as AI-generated.
• Microsoft tags AI images produced in its products.

So a growing share of both real camera photos and AI images now carry this label, which is exactly what makes checking it worthwhile.

How to check Content Credentials step by step

1. Open a verifier. The official one is contentcredentials.org/verify. Adobe also runs an inspect tool. Both run the same kind of check.
2. Drop the image in. Drag the file onto the page, upload it, or paste an image URL. The verifier reads the manifest locally and validates the signature.
3. Read the result. If a valid manifest is present, you will see the issuer, the date, the tools used, and any AI-generation flag. If the file has no manifest, the verifier simply says no Content Credentials were found.
4. Cross-check. Treat the manifest as one input, not the verdict. Open the same file in our EXIF viewer and Photo Forensics tool to compare.

Some platforms now show a small "Cr" icon on images that carry credentials; clicking it opens the same verifier view.

What the manifest shows

A complete Content Credentials manifest can tell you a surprising amount:

• Capture: the device or app that originated the image, and sometimes a capture timestamp signed by the camera itself.
• Edits: each tool that modified the file, in order. You might see "opened in Photoshop, used generative fill, exported." That edit history is the most useful part for spotting manipulation.
• AI generation: a clear flag when an image was created or substantially altered by an AI model, including which model or product produced it.
• Issuer: who signed the manifest, so you know whether to trust the source.

If the signature is intact, you can trust that the recorded history has not been altered since it was signed. That is the core promise: not "this image is true," but "this is a verifiable record of what happened to this file."

The limits (read this part)

Content Credentials are powerful but not absolute, and overtrusting them is its own mistake:

• They are optional. A file only carries credentials if the creating tool added them. Plenty of real photos and plenty of AI images have none at all.
• They can be stripped. Screenshotting an image, re-saving it, or uploading it to a platform that re-encodes files (the same way many platforms strip EXIF) can remove the manifest. See which social media platforms strip EXIF data and why Instagram strips EXIF data; the same re-encoding that drops EXIF often drops C2PA too.
• Absence is not proof. No credentials does not mean "real" and does not mean "fake." It just means the label is not there.
• A broken signature is a signal. If the verifier reports the manifest does not match the pixels, the file was altered after signing. That is a meaningful red flag worth investigating.

There is also a regulatory tailwind worth knowing about. The EU AI Act requires that AI-generated and AI-manipulated content be marked in a machine-readable way, and C2PA is one of the leading standards being adopted to meet that requirement. That is a major reason adoption is accelerating in 2026, though it does not yet mean every AI image you meet will be labeled.

How it complements EXIF and forensics

Content Credentials answer "what is this file's signed history?" EXIF and forensics answer "what does the file itself reveal, label or no label?" You want all three.

• EXIF holds the camera's own record: capture date, GPS, camera model, exposure. Drop any photo into the EXIF viewer to read it. When C2PA is missing, EXIF is often the next-best provenance trail.
• Forensics looks at the pixels directly: compression patterns, error level analysis, and inconsistencies that survive even when all metadata is gone. Our Photo Forensics tool and the guides on how to detect AI-generated images and how to tell if a photo has been edited cover this.

Use Content Credentials first when they exist, because a valid signature is strong evidence. When they are absent or stripped, fall back to EXIF and forensic analysis. No single check is definitive, but together they give you a confident, defensible read on a photo's authenticity.

Bottom line

Content Credentials (C2PA) are a tamper-evident provenance label that says who made an image, what edited it, and whether AI was involved. Check them at contentcredentials.org/verify or Adobe's inspect tool by dropping the file in and reading the manifest. Remember the label is optional and strippable, so absence is not proof. Confirm everything with the EXIF viewer and Photo Forensics tool.