Image signing API

Content Trust Manager’s image signing APIs let you sign images with a manifest that complies with C2PA (the Coalition for Content Provenance and Authenticity), ensuring the authenticity and integrity of your content. When you sign, the API returns the image data in Base64-encoded format, which you then convert into a binary image file. The API also lets you embed a customized manifest to correctly record the provenance of the image.

Verify the signed images with the verification tool within Content Trust Manager, or use this link.

Prerequisites

Before making your first API call, make sure you have the following:

User certificate

Contact the DigiCert team to request an image signing user certificate. Visit Content Trust > Certificates on the demo environment to view your certificate credential details. You are not required to verify your identity to get a user certificate.

You use your user certificate to authenticate your identity while making calls to image signing APIs. The identity of the client is authenticated using the client authentication certificate.

Client authentication certificate

Image signing APIs use the mutual Transport Layer Security (mTLS) protocol. You are required to create a client authentication certificate to complete the mTLS handshake.

In Postman, add the certificate under Settings > Certificates, setting the HOST to https://clientauth.{clientName}.one.digicert.com and the PORT to 443. In code, configure your HTTP client to use the certificate.

To create a client authentication certificate:

  1. Sign in to DigiCert ONE.
  2. In the top-right corner, select the profile icon > Admin profile > Client authentication certificates.
  3. Select Create client authentication certificate.
  4. Provide the following information:
    • Nickname: This name is the display name on the Admin details page in the Authentication certificates section. The name must be unique and only include letters, numbers, spaces, dashes, and underscores.
    • End date: Enter the certificate expiration date. Note when the authentication certificate expires. You must generate a new certificate and update all API integrations using the certificate before it expires. If you don’t, the API token integration will stop working.
    • Encryption: Select an encryption algorithm to use for securing communications. DigiCert recommends AES (Advanced Encryption Standard), which is the default selection.
    • Signature hash algorithm: Select a hash function to use for verifying data integrity. DigiCert recommends SHA-256, which is the default selection.
  5. Select Generate certificate.
  6. Copy the certificate’s password and store it in a secure location. This password is required for installing the certificate and for API requests. You will not be able to retrieve it later.
  7. Select Download certificate. You cannot download it again. If lost, you must generate a new certificate.
  8. Remember the file path to your client authentication certificate; you will need to reference it later.
  9. Select Close.

Credential ID

Your credential ID is the nickname of your user certificate in Content Trust Manager. Copy the user certificate nickname and use it in your request body.

  1. In the Content Trust menu, select Certificates.
  2. Hover your cursor over the certificate nickname.
  3. Select the Copy icon.

PIN

Once your user certificate is created, you will receive an email with the subject line Sign with your digital ID. This email includes the PIN associated with your user certificate. Keep this email safe so that you can easily retrieve the PIN for signing images.

Authentication

In Postman, go to: Settings > Certificates and enter:

  • Host: clientauth.demo.one.digicert.com
  • Port: 443

After specifying the host and port, upload your client authentication certificate in the PFX file field. Then enter your certificate password.

Endpoints and request parameters

Endpoints

POST https://clientauth.demo.one.digicert.com/documentmanager/api/c2pa/v1/image/sign

Request parameters

Headers

Key | Value
Accept | application/json
Content-Type | application/json

Body

Key | Data type | Mandatory/Optional | Description
credentialId | String | Mandatory | Your credential ID is the nickname of your certificate in Content Trust Manager. Copy the certificate nickname and use it in your request body.
hashAlgo | String | Mandatory | Set this to the Object Identifier of the hash algorithm you want to use. Example: Use 2.16.840.1.101.3.4.2.1 for SHA-256.
signAlgo | String | Mandatory | Set this to the Object Identifier of the signature algorithm you want to use. Example: Use 1.2.840.113549.1.1.10 for RSASSA-PSS.
signAlgoParams | String | Mandatory | Algorithm-specific parameters applicable when using RSASSA-PSS signatures. Example: "MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEg".
pin | String | Mandatory | Use the PIN you received in the Sign with your digital ID email.
numSignatures | Integer | Mandatory | Always use 1 in this field. Currently, the API can add only one signature at a time.
image | File | Mandatory | Upload a .jpg/.jpeg image up to 4 MB.
manifest | File | Optional |
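
Added example, not DigiCert code: the signAlgoParams value in the table is the Base64 form of a DER-encoded RSASSA-PSS-params structure (hash, mask generation function, salt length). This sketch decodes it with a minimal DER reader, assuming all fields are explicitly encoded as they are in the page's example value, so you can confirm that the PSS hash matches the hashAlgo you send.

```python
import base64

# Values copied from the request parameter table on this page.
HASH_ALGO = "2.16.840.1.101.3.4.2.1"  # SHA-256
SIGN_ALGO_PARAMS = "MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEg"

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value_bytes, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):
    """Decode the content bytes of an OBJECT IDENTIFIER to dotted form."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear marks the last byte of an arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)  # first two arcs share one encoded value
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def walk(buf, out):
    """Collect OIDs and INTEGERs in order, descending into constructed elements."""
    pos = 0
    while pos < len(buf):
        tag, body, pos = read_tlv(buf, pos)
        if tag == 0x06:
            out.append(decode_oid(body))
        elif tag == 0x02:
            out.append(int.from_bytes(body, "big"))
        elif tag & 0x20:  # constructed: SEQUENCE or explicit [n] tag
            walk(body, out)
    return out

def decode_pss_params(b64):
    """Return the fields of a signAlgoParams value (assumes none are left at defaults)."""
    hash_oid, mgf_oid, mgf_hash_oid, salt_len = walk(base64.b64decode(b64, validate=True), [])
    return {"hash": hash_oid, "mgf": mgf_oid, "mgf_hash": mgf_hash_oid, "salt_length": salt_len}

if __name__ == "__main__":
    params = decode_pss_params(SIGN_ALGO_PARAMS)
    print(params, "matches hashAlgo:", params["hash"] == HASH_ALGO == params["mgf_hash"])
```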

Response parameters

See response parameters below:

Key | Data type | Description
file_name | String | Your filename prefixed with “signed-”.
mime_type | String | image/jpeg. This parameter tells how to interpret the data.
content_size | Int | Size of the encoded signed content (signed image) in bytes.
encoded_signed_content | String: Base64 encoded | The signed image provided in Base64 format. Decode it using any online Base64 decoder to get the binary file of the image which can then be verified using Content Trust Manager.
manifest_file | String: JSON format | The JSON file received under this parameter is the manifest which is embedded in the signed image. It includes the active manifest ID, the manifest with details such as the claim generator, file title, format, unique instance ID, and label. It also contains assertions like a CreativeWork entry with the author’s name and a cryptographic hash describing the file’s integrity.

Example request without a custom manifest

Send the request with cURL. Replace the following with your own parameters:

  • credentialId - Replace it with your user certificate nickname.
  • pin - Replace it with the PIN you received in the Sign with your digital ID email.
  • image=@ - Replace it with your image path. If you are using Postman, select a file from your device under the image parameter.

curl --location 'https://clientauth.demo.one.digicert.com/documentmanager/api/c2pa/v1/image/sign' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--form 'credentialId="basic_np-14-08-2025-11-01-44-165"' \
--form 'hashAlgo="2.16.840.1.101.3.4.2.1"' \
--form 'signAlgo="1.2.840.113549.1.1.10"' \
--form 'signAlgoParams="MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEg"' \
--form 'pin="sha123"' \
--form 'numSignatures="1"' \
--form 'image=@"/Users/username/Documents/unsignedImage.jpg"'

Example response without a custom manifest

{ 
    "file_name": "signed-4399.jpg", 
    "mime_type": "image/jpeg", 
    "content_size": 3598386, 
    "encoded_signed_content": "<a very long string which is your signed image data base64 encoded, truncated in this example for brevity> ", 
    "manifest_file": "{\n  \"active_manifest\": \"urn:uuid:00849e5e-c3de-4ed9-8cbb-e0489d8480c8\",\n  \"manifests\": {\n    \"urn:uuid:00849e5e-c3de-4ed9-8cbb-e0489d8480c8\": {\n      \"claim_generator\": \"Digicert_Content_Trust_Manager c2pa-rs/0.18.1\",\n      \"title\": \"4399.jpg\",\n      \"format\": \"image/jpeg\",\n      \"instance_id\": \"xmp:iid:e7c6187e-785e-4939-93eb-d33fc37ff9f0\",\n      \"ingredients\": [],\n      \"assertions\": [\n        {\n          \"label\": \"stds.schema-org.CreativeWork\",\n          \"data\": {\n            \"@context\": \"https://schema.org\",\n            \"@type\": \"CreativeWork\",\n            \"author\": [\n              {\n                \"@type\": \"Person\",\n                \"email\": \"shantanu.soni@digicert.com\",\n                \"name\": \"Shantanu RajSoni\"\n              }\n            ]\n          },\n          \"kind\": \"Json\"\n        },\n        {\n          \"label\": \"c2pa.hash.data\",\n          \"data\": {\n            \"alg\": \"sha256\",\n            \"exclusions\": [\n              {\n                \"length\": 1800667,\n                \"start\": 20\n              }\n            ],\n            \"hash\": \"Zid6b41fQHefXtQcBilodph8IfTbM+0cz0RYJw1GxNI=\",\n            \"name\": \"jumbf manifest\",\n            \"pad\": \"<omitted>\"\n          }\n        }\n      ],\n      \"label\": \"urn:uuid:00849e5e-c3de-4ed9-8cbb-e0489d8480c8\"\n    }\n  },\n  \"validation_status\": [\n    {\n      \"code\": \"claimSignature.mismatch\",\n      \"url\": \"self#jumbf=/c2pa/urn:uuid:00849e5e-c3de-4ed9-8cbb-e0489d8480c8/c2pa.signature\",\n      \"explanation\": \"claim signature is not valid\"\n    }\n  ]\n}" 
}

Example request with a custom manifest

Send the request with cURL. Replace the following with your own parameters:

  • credentialId - Replace it with your user certificate nickname.
  • pin - Replace it with the PIN you received in the Sign with your digital ID email.
  • image=@ - Replace it with your image path. If you are using Postman, select a file from your device under the image parameter.

curl --location 'https://clientauth.demo.one.digicert.com/documentmanager/api/c2pa/v1/image/sign' \
--header 'Accept: application/json' \
--header 'Content-Type: application/json' \
--form 'credentialId="shantanu_bnpo_pin_test_11_Nov_2025"' \
--form 'hashAlgo="2.16.840.1.101.3.4.2.1"' \
--form 'signAlgo="1.2.840.113549.1.1.10"' \
--form 'signAlgoParams="MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEg"' \
--form 'pin="sha123"' \
--form 'manifest=@"/Users/shantanu.soni/Documents/manifest_template_proper.json"' \
--form 'numSignatures="1"' \
--form 'image=@"/Users/shantanu.soni/Downloads/unsigned.jpg"'

Example response with a custom manifest

{
    "file_name": "signed-unsigned.jpg",
    "mime_type": "image/jpeg",
    "content_size": "2088916",
    "encoded_signed_content": "/9j/4AAQS……<truncated>……..2Q==",
    "manifest_file": "{\n  \"active_manifest\": \"urn:c2pa:54a226db-6734-4804-ad4b-450ddba45c29\",\n  \"manifests\": {\n    \"urn:c2pa:54a226db-6734-4804-ad4b-450ddba45c29\": {\n      \"claim_generator_info\": [\n        {\n          \"name\": \"c2pa-rs\",\n          \"version\": \"0.64.0\",\n          \"org.contentauth.c2pa_rs\": \"0.64.0\"\n        }\n      ],\n      \"title\": \"Sample.jpg\",\n      \"instance_id\": \"xmp:iid:edae012c-0195-4d34-8e10-b5773dd602f9\",\n      \"thumbnail\": {\n        \"format\": \"image/jpeg\",\n        \"identifier\": \"self#jumbf=/c2pa/urn:c2pa:54a226db-6734-4804-ad4b-450ddba45c29/c2pa.assertions/c2pa.thumbnail.claim\"\n      },\n      \"ingredients\": [],\n      \"assertions\": [\n        {\n          \"label\": \"c2pa.actions.v2\",\n          \"data\": {\n            \"actions\": [\n              {\n                \"action\": \"c2pa.created\",\n                \"digitalSourceType\": \"http://c2pa.org/digitalsourcetype/empty\"\n              }\n            ],\n            \"allActionsIncluded\": true\n          }\n        },\n        {\n          \"label\": \"stds.schema-org.CreativeWork\",\n          \"data\": {\n            \"@context\": \"https://schema.org\",\n            \"@type\": \"CreativeWork\",\n            \"author\": [\n              {\n                \"name\": \"Shantanu Raj Soni Person\",\n                \"@type\": \"Organization\"\n              }\n            ]\n          },\n          \"kind\": \"Json\"\n        }\n      ],\n      \"signature_info\": {\n        \"alg\": \"Ps256\",\n        \"issuer\": \"Shantanu Raj Soni Person\",\n        \"common_name\": \"Shantanu Raj Soni DDS SRS3\",\n        \"cert_serial_number\": \"562001232692746966272992097391089716080670060825\",\n        \"time\": \"2025-11-20T09:35:12+00:00\"\n      },\n      \"label\": \"urn:c2pa:54a226db-6734-4804-ad4b-450ddba45c29\"\n    }\n  },\n  \"validation_results\": {\n    \"activeManifest\": {\n      \"success\": [\n        {\n          \"code\": \"timeStamp.validated\",\n          \"url\": \"self#jumbf=/c2pa/urn:c2pa:54a226db-6734-4804-ad4b-450ddba45c29/c2pa.signature\",\n          \"explanation\": \"timestamp message digest matched: DigiCert SHA256 RSA4096 Timestamp Responder 2025 1\"\n        },\n        {\n          \"code\": \"claimSignature.insideValidity\",\n          \"url\": \"self#jumbf=/c2pa/urn:c2pa:54a226db-6734-4804-ad4b-450ddba45c29/c2pa.signature\",\n          \"explanation\": \"claim signature valid\"\n        },\n        {\n          \"code\": \"claimSignature.validated\",\n          \"url\": \"self#jumbf=/c2pa/urn:c2pa:54a226db-6734-4804-ad4b-450ddba45c29/c2pa.signature\",\n          \"explanation\": \"claim signature valid\"\n        },\n        {\n          \"code\": \"assertion.hashedURI.match\",\n          \"url\": \"self#jumbf=/c2pa/urn:c2pa:54a226db-6734-4804-ad4b-450ddba45c29/c2pa.assertions/c2pa.thumbnail.claim\",\n          \"explanation\": \"hashed uri matched: self#jumbf=c2pa.assertions/c2pa.thumbnail.claim\"\n        },\n        {\n          \"code\": \"assertion.hashedURI.match\",\n          \"url\": \"self#jumbf=/c2pa/urn:c2pa:54a226db-6734-4804-ad4b-450ddba45c29/c2pa.assertions/c2pa.actions.v2\",\n          \"explanation\": \"hashed uri matched: self#jumbf=c2pa.assertions/c2pa.actions.v2\"\n        },\n        {\n          \"code\": \"assertion.hashedURI.match\",\n          \"url\": \"self#jumbf=/c2pa/urn:c2pa:54a226db-6734-4804-ad4b-450ddba45c29/c2pa.assertions/c2pa.hash.data\",\n          \"explanation\": \"hashed uri matched: self#jumbf=c2pa.assertions/c2pa.hash.data\"\n        },\n        {\n          \"code\": \"assertion.hashedURI.match\",\n          \"url\": \"self#jumbf=/c2pa/urn:c2pa:54a226db-6734-4804-ad4b-450ddba45c29/c2pa.assertions/stds.schema-org.CreativeWork\",\n          \"explanation\": \"hashed uri matched: self#jumbf=c2pa.assertions/stds.schema-org.CreativeWork\"\n        },\n        {\n          \"code\": \"assertion.dataHash.match\",\n          \"url\": \"self#jumbf=/c2pa/urn:c2pa:54a226db-6734-4804-ad4b-450ddba45c29/c2pa.assertions/c2pa.hash.data\",\n          \"explanation\": \"data hash valid\"\n        }\n      ],\n      \"informational\": [\n        {\n          \"code\": \"timeStamp.untrusted\",\n          \"url\": \"self#jumbf=/c2pa/urn:c2pa:54a226db-6734-4804-ad4b-450ddba45c29/c2pa.signature\",\n          \"explanation\": \"timestamp cert untrusted: DigiCert SHA256 RSA4096 Timestamp Responder 2025 1\"\n        }\n      ],\n      \"failure\": []\n    }\n  },\n  \"validation_state\": \"Valid\"\n}"
}
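
Added example, not part of DigiCert's documentation or code: one way to handle a signing response before trusting the output. It decodes encoded_signed_content locally, confirms the bytes are a JPEG, and reads the validation report inside manifest_file in both shapes shown in the example responses; the first example response on this page carries a claimSignature.mismatch entry, which this check reports. The sample responses are constructed and trimmed, and treating every validation_status entry as a failure is an assumption.

```python
import base64
import json

JPEG_MAGIC = b"\xff\xd8\xff"  # start-of-image marker plus the first segment byte


def decode_signed_image(response):
    """Base64-decode encoded_signed_content locally and confirm it is a JPEG."""
    if response.get("mime_type") != "image/jpeg":
        raise ValueError("unexpected mime_type: %r" % response.get("mime_type"))
    data = base64.b64decode(response["encoded_signed_content"], validate=True)
    if not data.startswith(JPEG_MAGIC):
        raise ValueError("decoded content is not a JPEG")
    return data


def validation_failures(response):
    """Return (code, explanation) for each failure reported in manifest_file."""
    report = json.loads(response["manifest_file"])  # JSON document carried as a string
    if "validation_results" in report:  # shape of the custom-manifest example
        entries = report["validation_results"].get("activeManifest", {}).get("failure", [])
        state = report.get("validation_state")
        if not entries and state != "Valid":  # "Valid" is the only state shown on the page
            entries = [{"code": "validation_state", "explanation": str(state)}]
    else:  # shape of the first example; assumption: every listed entry is a failure
        entries = report.get("validation_status", [])
    return [(e["code"], e.get("explanation", "")) for e in entries]


# Constructed responses, trimmed from the two example responses on this page.
IMG_B64 = base64.b64encode(b"\xff\xd8\xff\xe0 constructed bytes, not a real image").decode()
SAMPLE_FAILED = {
    "file_name": "signed-4399.jpg", "mime_type": "image/jpeg", "encoded_signed_content": IMG_B64,
    "manifest_file": json.dumps({"validation_status": [
        {"code": "claimSignature.mismatch", "explanation": "claim signature is not valid"}]}),
}
SAMPLE_VALID = {
    "file_name": "signed-unsigned.jpg", "mime_type": "image/jpeg", "encoded_signed_content": IMG_B64,
    "manifest_file": json.dumps({"validation_state": "Valid", "validation_results": {
        "activeManifest": {"success": [], "informational": [], "failure": []}}}),
}

if __name__ == "__main__":
    for sample in (SAMPLE_FAILED, SAMPLE_VALID):
        image = decode_signed_image(sample)
        print(sample["file_name"], len(image), "bytes;", validation_failures(sample) or "no failures")
```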

Typical returned HTTP response codes

Success

HTTP Status Code: 200

Your request is acknowledged, and the signed image (Base64-encoded) is returned along with other metadata.

Errors

HTTP Status Code: 4xx

Indicates a client-side error, which may include issues with your request body, missing parameters, or problems with client authentication certificates.

HTTP Status Code: 5xx

Indicates a server-side error, which may include internal server failures, unhandled exceptions, or temporary issues preventing the server from fulfilling the request.

Troubleshooting tips

  • Define the correct HOST (clientauth.demo.one.digicert.com:443) where you add the client authentication certificate.
  • Specify the correct file path under the image parameter.
  • Use the correct pin and credentialId.
  • Ensure that your image is in .jpg/.jpeg format.
  • Ensure that your user certificate has an Active credential status. Contact support if it displays any other status.

API reference

To find descriptions of all endpoints in the Content Trust Manager REST API, example requests and responses, and details about parameters, visit the Swagger UI reference documentation.