
How to prove an image is authentic

Someone questions a photo you took. Maybe a customer claims your product shot is fake. Maybe a platform flags your image as AI-generated when it isn't. Maybe you just want a record that this frame came out of your camera at a specific time and hasn't been altered since. "Prove it's real" sounds simple until you try, because the tools people reach for first were never built to survive a challenge. This is a practical walk through the options, what each one actually establishes, and where they fall apart when someone pushes back.

First, get specific about the claim

"Authentic" is three different claims wearing one word. Sort out which one you need before you pick a tool.

  • Integrity. This file hasn't been changed since a known moment. No edited pixels, no swapped metadata.
  • Provenance. This is where the file came from. A specific camera, a specific person, a specific generation event.
  • Not-AI (or disclosed-AI). A human captured this, or conversely, a model produced it and that's labeled.

Most disputes are really an integrity plus provenance question. "Prove the photo is real" usually means "prove it existed in this exact form at this time and came from you." Keep that in mind, because some popular methods answer none of the three.

The methods people try first

EXIF metadata

Every camera and phone writes EXIF data: timestamp, GPS, device model, exposure settings. It feels like proof. It isn't. EXIF is plain text stored alongside the image, and anyone can rewrite it with a free tool in seconds. It's also silently stripped the moment you upload to most social platforms or messaging apps. EXIF is useful context for you. It establishes nothing to a skeptic, because there's no signature binding it to the pixels. Treat it as a note-to-self, not evidence.

Reverse image search

Running the image through a search engine tells you where else it appears online and sometimes when it first surfaced. That helps you catch a stolen or recycled image. It does not prove your copy is unedited, and it says nothing about a brand-new photo that has never been published. Good for catching reuse, useless for proving originality.

"AI detector" tools

Detectors score how likely an image was machine-generated. They're probabilistic classifiers, and they're wrong often enough in both directions that you can't lean on them. A real photo gets flagged as synthetic; a generated image passes clean. A score is not a proof, and the models shift faster than the detectors chasing them. Fine as a first-pass filter, not something you'd stake a dispute on.

Content Credentials (C2PA)

This is the serious one. C2PA, the standard behind Adobe's Content Credentials, attaches a signed manifest to the file describing how it was made and edited. Some newer cameras write it at capture, some editing tools add to it, and a public viewer can display the chain. When it's present and intact, it's genuinely strong provenance.

The catch is coverage. C2PA only helps if the capture device or tool wrote a manifest in the first place, and manifests can be stripped by any pipeline that doesn't preserve them, which today is most of them. Adoption is real and growing, but you can't retrofit it onto an image that was never signed at creation. It answers provenance well when the chain exists. It can't answer anything for the billions of images that were never in the chain.

Cryptographic receipts

Instead of trusting metadata inside the file, you hash the file and sign that hash with a private key, then timestamp it against independent authorities. The output is a receipt: a compact, verifiable record that says "this exact byte sequence existed at this moment, signed by this key." Change one pixel and the hash no longer matches, so tampering is self-evident. Anyone can verify it later without contacting you, because the math checks out against public keys and public timestamps. This is the method that holds up under adversarial pressure, and it's what the rest of this guide is built around.
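The hash-then-sign step described above, as an added Node.js example that is not CertNode's code or receipt format. The function names, payload fields, sample bytes and date are assumptions made for illustration, and the `issuedAt` value here is asserted by the signer alone, so the independent RFC 3161 and OpenTimestamps anchoring is not shown.

```javascript
// Added illustration: a minimal hash-sign-verify receipt, not CertNode's format.
const nodeCrypto = require('node:crypto');

const sha256Hex = (bytes) =>
  nodeCrypto.createHash('sha256').update(bytes).digest('hex');

// Sign a payload binding the file hash to a claimed time.
// ES256 = ECDSA over P-256 with SHA-256, raw r||s signature encoding.
function issueReceipt(fileBytes, privateKey, issuedAt) {
  const payload = JSON.stringify({ alg: 'ES256', sha256: sha256Hex(fileBytes), issuedAt });
  const signature = nodeCrypto
    .sign('sha256', Buffer.from(payload), { key: privateKey, dsaEncoding: 'ieee-p1363' })
    .toString('base64url');
  return { payload, signature };
}

// Verify with the public key only: check the signature first, then compare hashes.
function verifyReceipt(fileBytes, receipt, publicKey) {
  const signatureOk = nodeCrypto.verify(
    'sha256',
    Buffer.from(receipt.payload),
    { key: publicKey, dsaEncoding: 'ieee-p1363' },
    Buffer.from(receipt.signature, 'base64url'),
  );
  if (!signatureOk) return 'bad-signature';
  const claimed = JSON.parse(receipt.payload);
  return claimed.sha256 === sha256Hex(fileBytes) ? 'match' : 'hash-mismatch';
}

// Constructed sample data: placeholder bytes standing in for an image file.
function demo() {
  const { publicKey, privateKey } =
    nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }); // P-256
  const original = Buffer.from('constructed sample bytes standing in for photo.jpg');
  const receipt = issueReceipt(original, privateKey, '2024-01-01T00:00:00Z');

  const edited = Buffer.from(original);
  edited[10] ^= 0x01; // flip a single bit, as a one-pixel or one-tag edit would

  // Rewrite the claimed time inside the receipt without re-signing it.
  const backdated = {
    ...receipt,
    payload: receipt.payload.replace('"issuedAt":"2024', '"issuedAt":"2019'),
  };
  return {
    untouched: verifyReceipt(original, receipt, publicKey),
    editedFile: verifyReceipt(edited, receipt, publicKey),
    editedReceipt: verifyReceipt(original, backdated, publicKey),
  };
}

console.log(demo());
```

Because the signature covers the hash and the claimed time together, neither the file nor the receipt can be altered separately without the check failing.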

What actually holds up when it's challenged

The test isn't "does this look legit today." It's "does this survive someone motivated to call it fake." Under that test:

  • Editable or strippable evidence fails. EXIF, unsigned metadata, and screenshots all fall to "you could have changed that."
  • Probabilistic evidence fails. A detector score invites a competing score.
  • Signed, timestamped, independently verifiable evidence holds. If the integrity check is cryptographic and the timestamp comes from parties with no stake in your claim, the "you faked it" argument has nowhere to stand.

That last property, independence, is what separates a durable record from a self-serving one. A signature you control alone is weaker than a signature plus timestamps anchored to authorities that don't answer to you.

Where CertNode fits, honestly

CertNode is a cryptographic proof engine. What's live and verifiable today: you hash a file, and CertNode issues an ES256 signed receipt, timestamps it against two independent RFC 3161 authorities, anchors it to Bitcoin through OpenTimestamps, and writes it to an append-only transparency log. Anyone can verify the result at a public URL, with an offline single-file verifier, or through the @certnode/verify command line tool. No account needed to check a receipt. For AI-generated content, the same engine signs model outputs so you can disclose provenance in line with FRE 902(13)/(14) and EU AI Act Article 50.

Being straight about the boundary: CertNode does not currently produce standards-compliant C2PA manifests, and its receipts do not display in Adobe's Content Credentials viewer. Native C2PA and Content Credentials export is in development and not yet production-signed. If your only requirement is a badge inside the Adobe viewer, use a C2PA-native tool today.

What CertNode gives you right now is the durable proof layer underneath the format question. A CertNode receipt establishes integrity and timestamped provenance for any file, whether or not it ever carried a C2PA manifest, and it stays verifiable independent of any one vendor's viewer. The C2PA-format interop is a road we're building onto that foundation, not a claim we're making before it's real.

A practical approach you can use now

  1. Stop relying on EXIF and screenshots for anything you might have to defend.
  2. For images you create or capture, generate a cryptographic receipt at the moment of creation, while integrity is still unambiguous.
  3. Keep the receipt with the file. When challenged, hand over the verification link and let the other side check it themselves.
  4. If you also publish into ecosystems that read Content Credentials, layer a C2PA tool on top for the badge. The two aren't in conflict.

Try it, and tell us what you need

You can verify any CertNode receipt right now, or generate one for a file and see what the record looks like before you commit to anything.

If what you actually want is native Content Credentials export, the C2PA manifest that shows in the Adobe viewer, tell us. We're building that path, and the fastest way to move it up the queue is to hear from people who'd use it.

The receipt engine described above is live today. C2PA-format export is in development.