Image signing API

The DigiCert C2PA Image Signing API enables users to sign images with a C2PA-compliant manifest, ensuring content authenticity and integrity. Upon signing, the API returns the image data in Base64-encoded format, which can be converted into a binary image file.

Verify the signed images via the verification tool within Content Trust Manager. Or use this link.

Prerequisites

Before making your first API call, make sure you have the following:

Client authentication certificate

The image signing APIs use the mutual Transport Layer Security (mTLS) protocol. You must create a client authentication certificate to complete the mTLS handshake.

In Postman, add the certificate and its password under Settings > Certificates, and set the HOST to https://clientauth.{clientName}.one.digicert.com and the PORT to 443. In code, configure your HTTP client to present them.

To create a client authentication certificate:

  1. Sign in to DigiCert ONE.
  2. In the top-right corner, select the profile icon > Admin profile > Client authentication certificates.
  3. Select Create client authentication certificate.
  4. Provide the following information:
    1. Nickname: This name is the display name on the Admin details page in the Authentication certificates section. The name must be unique and only include letters, numbers, spaces, dashes, and underscores.
    2. End date: Enter the certificate expiration date. Note when the authentication certificate expires. You must generate a new certificate and update all API integrations using the certificate before it expires. If you don’t, the API token integration will stop working.
    3. Encryption: Select an encryption algorithm to use for securing communications. DigiCert recommends AES (Advanced Encryption Standard), which is the default selection.
    4. Signature hash algorithm: Select a hash function to use for verifying data integrity. DigiCert recommends SHA-256, which is the default selection.
    5. Select Generate certificate.
    6. Copy the certificate’s password and store it in a secure location. You will need to use it later when installing the certificate or using it in your certificate request. This password is required for installation and API requests. You will not be able to retrieve it later.
    7. Select Download certificate. You cannot download it again. If lost, you must generate a new certificate.
    8. Remember the file path to your client authentication certificate; you will need to reference it later.
    9. Select Close.

Authentication

In Postman, go to: Settings > Certificates and enter:

  • Host: clientauth.demo.one.digicert.com
  • Port: 443

After specifying the host and port, upload your client authentication certificate in the PFX file field. Then enter your certificate password.

Endpoints and request parameters

Endpoints

POST https://clientauth.demo.one.digicert.com/documentmanager/api/c2pa/v1/sign

Request parameters

Headers

| Key | Value |
| --- | --- |
| Accept | application/json |
| Content-Type | application/json |

Body

| Key | Data type | Mandatory/Optional | Description |
| --- | --- | --- | --- |
| hashAlgo | String | Mandatory | Set this to SHA-256. |
| signAlgo | String | Mandatory | Set this to the Object Identifier of the signature algorithm you want to use. Example: Use 1.2.840.113549.1.1.10 for RSASSA-PSS. |
| signAlgoParams | String | Mandatory | Set this to MTIzNDQ= . |
| accountId | String | Mandatory | Enter your Account ID. You can find this value on the Account Details page. It follows this format: 599020de-5ea7-4c0c-ac01-ceb4bb9802b3 |
| image | File | Mandatory | Upload .jpg/.png image up to 20 MB. |
| schemaField | Enum (comma-separated values allowed) | Mandatory | Specify one or more of the following to indicate how you want to be identified in relation to the signed content: author, creator, publisher. |

Response parameters

See response parameters below:

| Key | Data type | Description |
| --- | --- | --- |
| file_name | String | Your filename prefixed with “signed-”. |
| mime_type | String | image/jpeg. This parameter tells how to interpret the data. |
| hash_algo | String | This is the algorithm which was used to create hashes. |
| sign_algo | String | This is the OID of the algorithm used to create signatures. |
| encoded_signed_content | String: Base64 encoded | The signed image provided in Base64 format. Decode it using any online Base64 decoder to get the binary file of the image which can then be verified using Content Trust Manager. |
| signed_manifest | String: JSON format | The JSON file received under this parameter is the manifest which is embedded in the signed image. It includes the active manifest ID, the manifest with details such as the claim generator, file title, format, unique instance ID, and label. It also contains assertions like a CreativeWork entry with the author’s name and a cryptographic hash describing the file’s integrity. |

Example request

Send the request with cURL. Replace the following with your own parameters:

  • image=@ - Replace it with your image path. If you are using Postman, select a file from your device under the image parameter.

curl --location 'https://clientauth.demo.one.digicert.com/documentmanager/api/c2pa/v1/sign' \
--header 'Cookie: visid_incap_2533550=/xdA/SbiSvOTEEdWgVq5lHmOnWgAAAAAQUIPAAAAAAA89dbzRiAbRMj4JblxUAfn; incap_ses_935_2499114=Fe1keigTblGnl1C9tcn5DLE6nGkAAAAASI2ZttBq6ZBt8aT8YUmG3Q==; visid_incap_2499114=hDFJfApTT7eAykH2lXwM034znGgAAAAAQUIPAAAAAAAo1k/NIqBxXagUaRIBNrEP' \
--form 'hashAlgo="SHA256"' \
--form 'signAlgo="1.2.840.113549.1.1.10"' \
--form 'signAlgoParams="MTIzNDQ="' \
--form 'accountId="599020de-5ea7-4c0c-ac01-ceb4bb9802b3"' \
--form 'image=@"/Users/shantanu.soni/Downloads/All old 20 Feb 2026/01f6c3cc-98d1-45a7-8d05-d82358258061.png"' \
--form 'schemaField="author,publisher"'

Example response

   { 
    "file_name": "signed-01f6c3cc-98d1-45a7-8d05-d82358258061.png", 
    "mime_type": "image/png", 
    "hash_algo": "SHA256", 
    "sign_algo": "1.2.840.113549.1.1.10", 
    "encoded_signed_content": "<a very long string which is your signed image data base64 encoded, truncated in this example for brevity>", 
    "signed_manifest": "{\n \"active_manifest\": \"urn:c2pa:bd7e8baa-71d1-4cbf-a797-026d64e7fea6\",\n \"manifests\": {\n \"urn:c2pa:bd7e8baa-71d1-4cbf-a797-026d64e7fea6\": {\n \"claim_generator_info\": [\n {\n \"name\": \"DigiCert Content Trust Manager\",\n \"version\": \"1.0.0\",\n \"org.contentauth.c2pa_rs\": \"0.75.10\"\n }\n ],\n \"title\": \"signed-01f6c3cc-98d1-45a7-8d05-d82358258061.png\",\n \"instance_id\": \"xmp:iid:d5031fde-084b-4f06-a37b-fa6576a805fd\",\n \"thumbnail\": {\n \"format\": \"image/png\",\n \"identifier\": \"self#jumbf=/c2pa/urn:c2pa:bd7e8baa-71d1-4cbf-a797-026d64e7fea6/c2pa.assertions/c2pa.thumbnail.claim\"\n },\n \"assertions\": [\n {\n \"label\": \"c2pa.actions.v2\",\n \"data\": {\n \"actions\": [\n {\n \"action\": \"c2pa.created\",\n \"softwareAgent\": \"DigiCert C2PA SDK/1.0.0\"\n }\n ],\n \"allActionsIncluded\": true\n },\n \"created\": true\n },\n {\n \"label\": \"stds.schema-org\",\n \"data\": {\n \"@context\": \"https://schema.org\",\n \"@type\": \"CreativeWork\",\n \"author\": [\n {\n \"@type\": \"Organization\",\n \"name\": \"DigiCert\"\n }\n ],\n \"creditText\": \"Generated by DigiCert C2PA SDK for DigiCert\",\n \"publisher\": [\n {\n \"@type\": \"Organization\",\n \"name\": \"DigiCert\"\n }\n ]\n }\n }\n ],\n \"signature_info\": {\n \"alg\": \"Ps256\",\n \"issuer\": \"DigiCert Inc\",\n \"common_name\": \"DigiCert Inc\",\n \"cert_serial_number\": \"465018389657898180845506272757870295604022293835\",\n \"time\": \"2026-02-24T04:19:05+00:00\"\n },\n \"label\": \"urn:c2pa:bd7e8baa-71d1-4cbf-a797-026d64e7fea6\",\n \"claim_version\": 2\n }\n },\n \"validation_status\": [\n {\n \"code\": \"signingCredential.untrusted\",\n \"url\": \"self#jumbf=/c2pa/urn:c2pa:bd7e8baa-71d1-4cbf-a797-026d64e7fea6/c2pa.signature\",\n \"explanation\": \"signing certificate untrusted\"\n }\n ],\n \"validation_results\": {\n \"activeManifest\": {\n \"success\": [\n {\n \"code\": \"timeStamp.validated\",\n \"url\": 
\"self#jumbf=/c2pa/urn:c2pa:bd7e8baa-71d1-4cbf-a797-026d64e7fea6/c2pa.signature\",\n \"explanation\": \"timestamp message digest matched: DigiCert SHA256 RSA4096 Timestamp Responder 2025 1\"\n },\n {\n \"code\": \"claimSignature.insideValidity\",\n \"url\": \"self#jumbf=/c2pa/urn:c2pa:bd7e8baa-71d1-4cbf-a797-026d64e7fea6/c2pa.signature\",\n \"explanation\": \"claim signature valid\"\n },\n {\n \"code\": \"claimSignature.validated\",\n \"url\": \"self#jumbf=/c2pa/urn:c2pa:bd7e8baa-71d1-4cbf-a797-026d64e7fea6/c2pa.signature\",\n \"explanation\": \"claim signature valid\"\n },\n {\n \"code\": \"assertion.hashedURI.match\",\n \"url\": \"self#jumbf=/c2pa/urn:c2pa:bd7e8baa-71d1-4cbf-a797-026d64e7fea6/c2pa.assertions/c2pa.actions.v2\",\n \"explanation\": \"hashed uri matched: self#jumbf=c2pa.assertions/c2pa.actions.v2\"\n },\n {\n \"code\": \"assertion.hashedURI.match\",\n \"url\": \"self#jumbf=/c2pa/urn:c2pa:bd7e8baa-71d1-4cbf-a797-026d64e7fea6/c2pa.assertions/c2pa.hash.data\",\n \"explanation\": \"hashed uri matched: self#jumbf=c2pa.assertions/c2pa.hash.data\"\n },\n {\n \"code\": \"assertion.hashedURI.match\",\n \"url\": \"self#jumbf=/c2pa/urn:c2pa:bd7e8baa-71d1-4cbf-a797-026d64e7fea6/c2pa.assertions/c2pa.thumbnail.claim\",\n \"explanation\": \"hashed uri matched: self#jumbf=c2pa.assertions/c2pa.thumbnail.claim\"\n },\n {\n \"code\": \"assertion.hashedURI.match\",\n \"url\": \"self#jumbf=/c2pa/urn:c2pa:bd7e8baa-71d1-4cbf-a797-026d64e7fea6/c2pa.assertions/stds.schema-org\",\n \"explanation\": \"hashed uri matched: self#jumbf=c2pa.assertions/stds.schema-org\"\n },\n {\n \"code\": \"assertion.dataHash.match\",\n \"url\": \"self#jumbf=/c2pa/urn:c2pa:bd7e8baa-71d1-4cbf-a797-026d64e7fea6/c2pa.assertions/c2pa.hash.data\",\n \"explanation\": \"data hash valid\"\n }\n ],\n \"informational\": [\n {\n \"code\": \"timeStamp.untrusted\",\n \"url\": \"self#jumbf=/c2pa/urn:c2pa:bd7e8baa-71d1-4cbf-a797-026d64e7fea6/c2pa.signature\",\n \"explanation\": \"timestamp cert untrusted: 
DigiCert SHA256 RSA4096 Timestamp Responder 2025 1\"\n }\n ],\n \"failure\": [\n {\n \"code\": \"signingCredential.untrusted\",\n \"url\": \"self#jumbf=/c2pa/urn:c2pa:bd7e8baa-71d1-4cbf-a797-026d64e7fea6/c2pa.signature\",\n \"explanation\": \"signing certificate untrusted\"\n }\n ]\n }\n },\n \"validation_state\": \"Valid\"\n}"  
    }
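
The following is an added example, not DigiCert code: it decodes encoded_signed_content locally, checks that the bytes match mime_type, and parses the nested signed_manifest string so that failure codes such as signingCredential.untrusted are surfaced next to validation_state. The function names and the sample response are constructed for illustration; only the field names come from the response shown above.

```python
import base64
import binascii
import json

# Leading bytes for the two image types the page says the API accepts.
MAGIC = {"image/png": b"\x89PNG\r\n\x1a\n", "image/jpeg": b"\xff\xd8\xff"}


def unpack_sign_response(body: str):
    """Return (image_bytes, report) for one sign response body (hypothetical helper)."""
    resp = json.loads(body)
    try:
        image = base64.b64decode(resp["encoded_signed_content"], validate=True)
    except binascii.Error as exc:
        raise ValueError(f"encoded_signed_content is not valid Base64: {exc}") from exc
    magic = MAGIC.get(resp["mime_type"])
    if magic is None or not image.startswith(magic):
        raise ValueError("decoded bytes do not match mime_type " + resp["mime_type"])
    # signed_manifest is a JSON document serialized into a string: parse it again.
    manifest = json.loads(resp["signed_manifest"])
    active = manifest["manifests"][manifest["active_manifest"]]
    results = manifest.get("validation_results", {}).get("activeManifest", {})
    report = {
        "file_name": resp["file_name"],
        "alg": active["signature_info"]["alg"],
        "issuer": active["signature_info"]["issuer"],
        "validation_state": manifest.get("validation_state"),
        # A "Valid" state can coexist with failures, as in the page's example.
        "failures": [f["code"] for f in results.get("failure", [])],
    }
    return image, report


def constructed_sample() -> str:
    """Constructed response: the image is just the 8-byte PNG signature and the
    manifest is trimmed to a few of the fields in the page's example."""
    manifest = {
        "active_manifest": "urn:c2pa:example",
        "manifests": {"urn:c2pa:example": {
            "signature_info": {"alg": "Ps256", "issuer": "DigiCert Inc"}}},
        "validation_results": {"activeManifest": {
            "failure": [{"code": "signingCredential.untrusted"}]}},
        "validation_state": "Valid",
    }
    return json.dumps({
        "file_name": "signed-example.png", "mime_type": "image/png",
        "hash_algo": "SHA256", "sign_algo": "1.2.840.113549.1.1.10",
        "encoded_signed_content": base64.b64encode(MAGIC["image/png"]).decode(),
        "signed_manifest": json.dumps(manifest),
    })
```

Write the returned bytes to disk under file_name only after deciding how your workflow treats a non-empty failures list.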

Typical returned HTTP response codes

| Case | Response Code | Error | Error Description |
| --- | --- | --- | --- |
| All params correct | 200 | NA | |
| Wrong credentialId passed | 400 | invalid_request | Invalid parameter credentialID. |
| Wrong hashAlgo passed | 400 | invalid_request | Invalid parameter hashAlgo. |
| Wrong signAlgo passed | 400 | invalid_request | Missing (or invalid type) string parameter signAlgo. |
| Wrong signAlgoParams passed | 400 | invalid_request | Missing (or invalid type) string parameter signAlgoParams. |
| Wrong PIN passed | 400 | invalid_request | The PIN is invalid. |
| Server issues | 500 | server_error | An unexpected condition occurred on the server. Please try again later or contact support if the issue persists. |
| Upstream APIs (e.g., CSC APIs) failing | 500 | Upstream service error | The server received an invalid response from an upstream dependency. Please retry the request after some time. |
| Service unavailable | 500 | temporarily_unavailable | The service is temporarily unavailable due to maintenance or high load. Please try again after some time. |
| Request timeout | 504 | request_timeout | The server did not receive a timely response from an upstream service. Please retry your request later. |

Troubleshooting tips

  • Define the correct HOST (clientauth.demo.one.digicert.com:443) where you add the client authentication certificate.
  • Specify the correct file path under the image parameter.
  • Ensure that your image is in .jpg/.png format.

API reference

To find descriptions of all endpoints in the Content Trust Manager REST API, example requests and responses, and details about parameters, visit the Swagger UI reference documentation.