What we do
Three primitives, exposed as plain HTTP:
- Sign. Generate a C2PA manifest for any image, video, audio file, or document. Managed ES256 signing with an additive ML-DSA assertion (a labeled simulation on runtimes without ML-DSA support).
- Resolve. Find a manifest by perceptual hash, even after re-encoding, cropping, or format conversion. Soft binding fills the gap when hard C2PA metadata is stripped.
- Verify. Validate manifest integrity and trust-list status in one call, one structured response. Merkle inclusion proofs are served by the manifests API.
SDKs for JavaScript and Python wrap the API. A CLI verifies any file in one line. A Chrome extension surfaces provenance on every page you visit.
Why this exists
Generative AI made it cheap to produce media that looks real. The question stopped being “is this image authentic” and became “what can I prove about how it was made.” C2PA answers that question with cryptographic claims attached to the file: who signed it, what tools touched it, and whether the bits you have match the bits the signer attested to.
The standard exists. The implementations are scattered. Most teams that want C2PA today have to assemble a signing pipeline from c2pa-rs, a key management story, a manifest store, and a verification flow. We built the API so they do not have to.
How we approach it
- Open standards over lock-in. Manifests follow the C2PA 2.x data model, and every record is retrievable through the API. Federation lets one registrar cascade lookups to its peers.
- Cryptography you can audit. We use ES256 from the algorithms specified by C2PA, with additive assertions from the NIST PQC selections (ML-DSA / Dilithium). The math is published. The choices are documented in Security.
- Auditable storage. Merkle batch inclusion proofs mean a batched manifest has a recorded integrity record, checkable against its batch root through the API.
- Documented over polished. We publish sub-processors, data flow, and incident history. We do not display certification badges we have not earned.
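The batch-root check described under "Auditable storage", shown as an added example (not Hashproof's code or API). It assumes SHA-256 with RFC 6962-style leaf and node prefixes and a proof given as (side, sibling hash) pairs; the page does not describe the manifests API's actual proof encoding, and the sample batch is constructed.

```python
import hashlib
import hmac

def leaf_hash(data: bytes) -> bytes:
    # 0x00 prefix: a leaf can never be reinterpreted as an interior node
    return hashlib.sha256(b"\x00" + data).digest()

def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_levels(leaves):
    """Registrar side (assumed layout): every tree level, leaves first."""
    levels = [[leaf_hash(x) for x in leaves]]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        nxt = [node_hash(cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])  # odd node is promoted unchanged
        levels.append(nxt)
    return levels

def make_proof(levels, index):
    """Sibling hashes from leaf to root, each tagged with the sibling's side."""
    proof = []
    for level in levels[:-1]:
        sib = index ^ 1
        if sib < len(level):  # a promoted node has no sibling at this level
            proof.append(("L" if sib < index else "R", level[sib]))
        index //= 2
    return proof

def verify_inclusion(manifest: bytes, proof, root: bytes) -> bool:
    """Client side: recompute the root from the manifest bytes and the proof."""
    h = leaf_hash(manifest)
    for side, sibling in proof:
        if side not in ("L", "R") or len(sibling) != 32:
            return False  # malformed proof step
        h = node_hash(sibling, h) if side == "L" else node_hash(h, sibling)
    return hmac.compare_digest(h, root)

# Constructed sample batch of five manifest records
BATCH = [b'{"manifest":"constructed-%d"}' % i for i in range(5)]
LEVELS = build_levels(BATCH)
ROOT = LEVELS[-1][0]

if __name__ == "__main__":
    for i, m in enumerate(BATCH):
        print(i, verify_inclusion(m, make_proof(LEVELS, i), ROOT))
```

The result is only as trustworthy as the root: compare against a batch root obtained independently of the proof being checked.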
Where it is going
- Federation. Any organization should be able to run its own Hashproof registry and answer queries through a shared protocol. The spec lives on attestry.org.
- EU AI Act compliance. Article 50 takes effect in August 2026. AI-generated content has to be disclosed, and providers have to keep records that prove disclosure happened. Hashproof issues those records as signed manifests.
- Soft binding at platform scale. Re-encoding, cropping, and re-uploading strip C2PA metadata. We are pushing perceptual-hash resolution further so manifests survive the transformations that real-world distribution applies.
Try the API
Free tier, no card. Sign your first manifest in under five minutes.