c2pa · content credentials · pure go · webassembly
Verify Content Credentials, without uploading anything.
Full cryptographic C2PA validation — COSE signature, certificate chain, hash bindings (including BMFF for HEIC and MP4), RFC 3161 timestamp — compiled from pure Go to WebAssembly and running entirely in this page. Your file never leaves the browser.
Both samples are c2pa-rs test fixtures — signed with test certificates, so you can watch the trust check fail honestly while the signatures and hashes pass.
$ c2pa validate <drop an image or video here> # JPEG · PNG · HEIC · AVIF · MP4 · MOV # nothing is uploaded — validation runs in-page
result
Inspection result.
Claims (as recorded — unverified)
Signer chain (as presented in the manifest)
Validation log
Every C2PA §15 status the validator recorded, in order.
what it checks
The whole C2PA validation algorithm, client-side.
COSE signature
Verifies the COSE_Sign1 over the claim — ES256/384/512, PS256/384/512, and EdDSA.
Certificate chain
Chains the signer to the official C2PA trust list and enforces the certificate profile — EKU, key usage, no weak algorithms.
Hash bindings
Recomputes the hard-binding content hash — c2pa.hash.data for JPEG/PNG, c2pa.hash.bmff.v2/.v3 for HEIC and MP4 — and every assertion's hashed_uri, so edits after signing show up.
RFC 3161 timestamp
Full CMS verification of the timestamp token, the TSA chain, and that it covers this signature.
Ingredients
Recursively validates nested manifests from earlier edits, with cycle detection.
Private by construction
The validator is WebAssembly running in your tab. No upload, no server, no analytics on your images.
the library
Powered by a pure-Go C2PA implementation.
This page is a thin WASM wrapper around richardwooding/c2pa — a small, no-cgo Go library with a fast unverified reader and a full validator. The same code that runs here runs server-side in file-search-on and the c2pa-mcp MCP server.
go get github.com/richardwooding/c2pa
// the entire integration r := c2pa.Validate(ctx, c2pa.JPEG, file) if r.Valid { fmt.Println("verified, signed at", r.SignedAt) }