Skip to content
c2pa-inspector

c2pa · content credentials · pure go · webassembly

Verify Content Credentials, without uploading anything.

Full cryptographic C2PA validation — COSE signature, certificate chain, hash bindings (including BMFF for HEIC and MP4), RFC 3161 timestamp — compiled from pure Go to WebAssembly and running entirely in this page. Your file never leaves the browser.

Both samples are c2pa-rs test fixtures — signed with test certificates, so you can watch the trust check fail honestly while the signatures and hashes pass.

c2pa validate
$ c2pa validate <drop an image or video here>
# JPEG · PNG · HEIC · AVIF · MP4 · MOV
# nothing is uploaded — validation runs in-page

what it checks

The whole C2PA validation algorithm, client-side.

COSE signature

Verifies the COSE_Sign1 over the claim — ES256/384/512, PS256/384/512, and EdDSA.

Certificate chain

Chains the signer to the official C2PA trust list and enforces the certificate profile — EKU, key usage, no weak algorithms.

Hash bindings

Recomputes the hard-binding content hash — c2pa.hash.data for JPEG/PNG, c2pa.hash.bmff.v2/.v3 for HEIC and MP4 — and every assertion's hashed_uri, so edits after signing show up.

RFC 3161 timestamp

Full CMS verification of the timestamp token, the TSA chain, and that it covers this signature.

Ingredients

Recursively validates nested manifests from earlier edits, with cycle detection.

Private by construction

The validator is WebAssembly running in your tab. No upload, no server, no analytics on your images.

the library

Powered by a pure-Go C2PA implementation.

This page is a thin WASM wrapper around richardwooding/c2pa — a small, no-cgo Go library with a fast unverified reader and a full validator. The same code that runs here runs server-side in file-search-on and the c2pa-mcp MCP server.

go go get github.com/richardwooding/c2pa
// the entire integration
r := c2pa.Validate(ctx, c2pa.JPEG, file)
if r.Valid {
    fmt.Println("verified, signed at", r.SignedAt)
}