Content Credentials
A cryptographically signed provenance record that travels with a piece of media to say how, when, and by whom it was created or modified, including whether AI was involved.
What It Is
Content Credentials is the operating name for a content-provenance standard maintained by the Coalition for Content Provenance and Authenticity, known as C2PA. It attaches a cryptographically signed manifest to a piece of media, whether image, video, audio, document, or generated text, that describes how the content was created, what tools touched it, what AI models were involved, and what edits were applied along the way. The standard is voluntary at the technical level but legally compelled in places like the European Union’s AI Act, which will require deepfakes and AI-generated text on matters of public interest to carry transparency markers from August 2, 2026 onward. Apple, Microsoft, Adobe, Sony, OpenAI, and the BBC all sit on the steering committee, and Adobe ships Content Credentials directly inside Photoshop’s export menu today.
For a reader, Content Credentials shows up as a small “CR” chip in the corner of an image or a metadata panel on a video player. The chip is hoverable, clickable, and connected to a publicly verifiable signature so anyone can check that the manifest has not been tampered with since the file was signed. The promise is not that AI content goes away. The promise is that AI content can be identified at a glance, the way a copyright watermark is identified today.
How It Actually Works
The mechanism is a signed JSON manifest attached to or embedded inside the media file. Each editing step that supports Content Credentials writes a new claim into the manifest with a timestamp, a software identifier, and a description. The claims are chained, so the final file carries the full history of what was created from scratch, what was modified, and what was generated by an large-language-model or image model. A verifier checks the cryptographic signature against the original signer’s certificate to confirm authenticity.
The manifest survives most lossy transformations but can be stripped intentionally. The standard’s answer to stripping is its weakest point: there is no global enforcement mechanism, only a community of platforms that agree to honor and display Credentials when they appear. The bet is that the major distribution surfaces, meaning social platforms, app stores, and news publishers, will eventually treat the absence of Credentials as a signal in itself.
Why It Matters Right Now
The EU’s Code of Practice on marking and labeling AI-generated content, published June 10, 2026, gives Content Credentials its first compliance moment in a major regulatory regime. The Code is voluntary, but signing it is how a provider demonstrates compliance with the AI Act’s transparency obligations that start applying August 2. The major US frontier-model labs have all indicated they will sign. Practically, that means the next six months are when Content Credentials moves from a niche Adobe feature into the export pipeline of every consumer image, video, and text generator that wants to operate inside the EU.
For an operator building a product that includes any AI-generated output, whether a marketing image, a podcast clip, or a customer email, the question is no longer whether to attach provenance, but how soon to make it default.
How TWO Uses It
The TWO position is that Content Credentials is the most under-discussed shift in the consumer AI stack right now, because it is infrastructure, not a model, so it does not get covered as breathlessly as a benchmark release. The editorial decision here is that any product TWO either reviews or ships should disclose its provenance posture on the page: which generators were used, whether Credentials are attached, and what survives republication on social platforms. The dictionary entries on TWO are not AI-generated. The digest hero images are AI-generated and ship with a default Credentials chip on every export. That is the kind of operator hygiene the rest of the industry will adopt over the next year because the regulatory floor is rising.
For a non-technical operator, the practical question to ask a vendor this week is whether the tool ships Content Credentials by default, and what the strip rate is when the file is posted to Instagram, LinkedIn, or X. The answer tells you whether the provenance survives where your customers actually see the content. If the strip rate is high, you are paying for a compliance posture you do not actually have.
A Concrete Operator Scenario
You run marketing for a mid-market SaaS company. Your designer used a generative model to produce three social tiles for next week’s product launch. Before the EU Code, the disclosure question was an internal ethics conversation. After the Code, it is a compliance conversation: when those tiles run as paid promotion in any EU country, the labeling requirement applies. The cheapest fix is to switch the export setting on the design tool to attach Content Credentials and ship the tiles with a visible “Made with AI” chip. The expensive fix is to discover six months later that an EU regulator served notice and the campaign has to be pulled. The decision is operator-grade: a checkbox in the export dialog versus a six-figure recovery cost. Most marketing teams have not yet had this conversation. The teams that have it this quarter are buying themselves a quieter 2027.