Content Credentials attach a signed record to your delivered images that shows the image was produced by ImageKit and lists the edits applied to it. The record follows the open C2PA standard and is embedded in the output image itself.
When you turn it on, ImageKit signs the transformed image and records the edits applied during delivery, such as resize, crop, format conversion, filters, overlays, and AI transformations. Anyone can open the image in a C2PA verifier, such as C2PA Viewer, to check who signed it and how it was changed.
Content Credentials signing is a paid add-on and must be enabled on your account before you can use it. If the feature is not enabled, requests that include the c2pa parameter return 403 Forbidden. Contact us at support@imagekit.io to enable it.
Sign images - (c2pa)
Add c2pa-true to your transformation string to sign the output image. If the parameter is absent, the image is delivered without a signed record.
https://ik.imagekit.io/your_imagekit_id/sample.jpg?tr=w-300,h-200,c2pa-true
What gets recorded
The signed record embedded in the output image includes:
- Issuer: The credential is signed by ImageKit, so a verifier can confirm the image was produced by ImageKit.io.
- Applied edits: Each transformation applied during delivery is recorded as a standard C2PA action, such as
c2pa.resized,c2pa.cropped,c2pa.orientation(rotate/flip),c2pa.filtered(blur, grayscale, sharpen, and similar effects),c2pa.transcoded(format conversion),c2pa.placed(image overlays),c2pa.addedText(text overlays), andc2pa.edited. - Source history: If the input image already carries a C2PA record, it is kept as a parent ingredient so the edit history stays intact.
- AI disclosure: If any AI or ML-assisted transformation is applied, the record includes a general AI-disclosure assertion that indicates AI was used.
AI transformations
Some deliveries include an AI or ML-assisted transformation. Examples include AI transformations like background generation, generative edit, background removal, upscaling, and retouching, along with smart cropping such as fo-auto. In these cases, the record tags the affected edits with the appropriate digital source type, so a verifier can tell which parts were AI-generated or AI-modified.
Supported output formats
Signing is supported for the following output formats:
jpg, jpeg, png, webp, avif, heif, heic, tiff, svg, and gif.
Keep the following in mind:
- If you request an explicit output format (using
f) that is not in the list above together withc2pa-true, the request fails with400 Bad Request. - Animated PNG (APNG) output cannot be signed.
Verify a signed image
Download the delivered image and open it in any C2PA verifier, such as C2PA Viewer. The verifier shows the issuer (ImageKit.io), the list of applied edits, and any AI-disclosure information in the record.
The verifier may also show the signer as untrusted or unknown (for example, signingCredential.untrusted). This is expected. ImageKit signs with a certificate from a public certificate authority that is not yet on the C2PA trust list. The signature, edit history, and content hashes are still cryptographically valid. Only the signer's certificate is not recognized by the trust list.