Contents
A watermark and provenance checker inspects a file for the machine-readable signals it may carry, a signed C2PA provenance manifest and any detectable watermarks, and reports what it finds; but what it can surface depends on the signal, because a C2PA manifest is openly readable while most watermark payloads stay locked behind the key that embedded them.
The two kinds of signal a reader looks for
A file can carry two very different machine-readable signals, and a good checker looks for both, because a file might carry one, both, or neither. The first is provenance: a C2PA manifest, which is the only cryptographically bound signal a file carries. Under the Content Credentials Technical Specification version 2.4, that manifest holds a signed record of where the file came from and how it was edited, stored in a JUMBF box inside the file itself. The second is a watermark: a pattern hidden in the pixels or samples, such as Google DeepMind’s SynthID for images or AudioSeal for speech. Provenance is metadata cryptographically bound to the file; a watermark is buried in the content. They fail in different ways and they surface differently to a reader, so a checker that looks for only one will miss the other.
What is openly readable
The C2PA manifest is designed to be read. Under the version 2.4 specification it binds a SHA-256 hash of the content to an x509-signed manifest, so a reader can show you the signer, the full edit history, and, crucially, whether that hard binding still holds. If the pixels or samples have changed since signing, the hash no longer matches and the reader reports that the binding is broken, which is itself useful information. This is the part of a checker that gives a clear, human-readable answer, and the exact steps are covered in how to verify Content Credentials.
That clarity is why the reader output has three states, not two: valid Content Credentials, an invalid or changed binding, or no Content Credentials found. The third state is the trap. A stripped manifest reads exactly like a file that was never signed, so a good checker reports the absence plainly and does not turn it into a claim that the file is clean, human-made, or unedited.
What is detectable but not readable
Watermarks are a different story, because extraction is keyed by design. As Chen and Wornell showed in 2001 in their work on quantization index modulation, reading a watermark’s payload generally requires the key that embedded it; without the key, a reader may confirm that a mark is present but cannot recover the identifier inside it. That presence-without-payload wall shapes what every watermark reader can reliably report. AudioSeal, from San Roman, Fernandez, Elsahar, Défossez and Furon (2024), is built exactly this way: a per-frame presence detector runs alongside a 16-bit message decoder, so a reader can flag that audio is watermarked even before, or without, reading the message. For images, the SynthID detector of Gowal, Bunel and Stimberg (2025) uses a conformal p-value test with a false-positive rate of 0.1 percent on worst-case transforms, and the “Watermark Anything” work of Sander, Fernandez and Durmus (2025) can even localize which region of an image carries a mark. In every case the reader surfaces detection, not the private contents.
What a reader cannot tell you
Three limits matter. First, absence is not proof of a clean file. A watermark may simply have been degraded below detection, the checker may not support that scheme, or the detector may lack the key; and a stripped C2PA manifest reads as no Content Credentials at all, silent and indistinguishable from a file that was never signed. Second, a signal is not the truth. As Golaszewski, Krawetz and Sherman (2026) put it, “C2PA provides provenance signals, not proof of authenticity”; a valid manifest tells you what was claimed and signed, not that the underlying scene was real. Third, none of these signals answers the question “is this AI?” A checker reports what is embedded, not what a model did. If detection is the real question, see is this image AI-generated? instead.
What to do with the result
What you do next depends on what the reader found.
| What you want to know | Where to go |
|---|---|
| Verify Content Credentials on a file | How to verify Content Credentials |
| Check an image for SynthID | How to check if an image has SynthID |
| Is my AI image watermarked | Is my AI image watermarked |
| Trace which copy leaked | What is forensic watermarking |
| Is this image or audio AI at all | Is this image AI-generated? |
| Investigate a suspicious file | What forensics can learn from a file |
A checker is a fast way to see the signals a file is willing to show you. It is not a lie detector, and, as the caveats above make clear, the most important thing it can do is tell you plainly when it has found nothing to report.
Sources
- Chen and Wornell (2001). Quantization Index Modulation: A Class of Provably Good Methods for Digital Watermarking and Information Embedding. IEEE Transactions on Information Theory.
- San Roman, Fernandez, Elsahar, Défossez and Furon (2024). AudioSeal. ICML.
- Gowal, Bunel, Stimberg, et al. (2025). SynthID-Image: Image Watermarking at Internet Scale. arXiv:2510.09263.
- Sander, Fernandez and Durmus (2025). Watermark Anything. ICLR.
- Golaszewski, Krawetz, Sherman, et al. (2026). Verifying Provenance of Digital Media: Why the C2PA Specifications Fall Short. arXiv:2604.24890.
- Coalition for Content Provenance and Authenticity (C2PA) (2026) C2PA Technical Specification, version 2.4. Available at: https://spec.c2pa.org/specifications/specifications/2.4/specs/C2PA_Specification.html (Accessed: 3 July 2026).