Manifest signing API
The DigiCert® C2PA manifest signing API lets you sign a C2PA manifest so you can embed it into a media file. After signing, you can verify the media using the Verify Content tool in Content Trust Manager (supports JPG and PNG), or contentcredentials.org/verify (supports all file formats).
Note
This API is currently in beta and uses a private PKI. Because of this, verification on contentcredentials.org may be partly unsuccessful and some signatures may appear invalid. This behavior is expected when using private PKI.
This API is useful if you want to reduce data traffic between your systems and DigiCert’s services and if you prefer to sign media files locally with the C2PA tool, which is a command line application.
Prerequisites
To use this API, make sure you have the following:
DigiCert ONE account with Content Trust Manager credentials (currently available on the demo environment)
User certificate
A user certificate is required to sign manifests. Users with Client Admin and Validation Specialist roles can create user certificates for users with the Document Signer role.
To create a user certificate:
In Content Trust Manager, go to Certificates > All credentials > Create certificate.
Enter a certificate nickname.
Note
You will use this nickname as the Credential ID in API requests.
Select the Document Signer user who will own the certificate.
Under Product, select Basic Natural Person – Organization.
When the certificate is created, the owner receives an email titled Sign with your digital ID. This email includes the certificate PIN. Reset the PIN through the Content Trust Manager by navigating to Certificates > User certificates > Reset PIN.
Client authentication certificate
Image signing APIs use the mutual Transport Layer Security (mTLS) protocol. You must create a client authentication certificate to complete the mTLS handshake.
In Postman, add the client authentication certificate under Settings > Certificates, and set the host to https://clientauth.demo.one.digicert.com/ and the port to 443. In code, configure your HTTP client to use it.
To create a client authentication certificate:
Sign in to DigiCert ONE.
In the top-right corner, select the profile icon > Admin profile > Client authentication certificates.
Select Create client authentication certificate.
Provide the following information:
Nickname
This name is the display name on the Admin details page in the Authentication certificates section. The name must be unique and only include letters, numbers, spaces, dashes, and underscores.
End date
Enter the certificate expiration date.
Note when the authentication certificate expires. You must generate a new certificate and update all API integrations using the certificate before it expires. If you don't, the API token integration will stop working.
Encryption
Select an encryption algorithm to use for securing communications. DigiCert recommends AES (Advanced Encryption Standard), which is the default selection.
Signature hash algorithm
Select a hash function to use for verifying data integrity. DigiCert recommends SHA-256, which is the default selection.
Select Generate certificate.
Copy the certificate's password and store it in a secure location. You will need to use it later when installing the certificate or using it in your certificate request. This password is required for installation and API requests. You will not be able to retrieve it later.
Select Download certificate. You cannot download it again. If lost, you must generate a new certificate.
Note the file path to your client authentication certificate. You will need to reference it later.
Select Close.
Credential ID
Your credential ID is the nickname of your user certificate in Content Trust Manager. Copy the user certificate nickname and use it in your request body.
In the Content Trust menu, select Certificates.
Hover your cursor over the certificate nickname.
Select the Copy icon.
PIN
Once your user certificate is created, you will receive an email with the subject line Sign with your digital ID. This email includes the PIN associated with your user certificate. Keep this email safe so that you can retrieve the PIN when signing images. Reset the PIN through the Content Trust Manager by navigating to Certificates > User certificates > Reset PIN.
Authentication
This API requires two types of authentication:
User certificate: identifies the person signing the manifest
Client authentication certificate: identifies the calling client through mTLS
You will need:
Credential ID
The nickname you assigned to your user certificate. Find this under Dashboard > Certificates > User certificates.
PIN
The certificate PIN sent in the Sign with your digital ID email. You can reset it from Certificates > User certificates > Reset PIN.
Client authentication certificate
In Postman, go to: Settings > Certificates and enter:
Host: clientauth.demo.one.digicert.com
Port: 443
After specifying the host and port, upload your client authentication certificate in the PFX file field. Then enter your certificate password.
In code, configure your HTTP client to present the certificate during the TLS handshake. Only users with the Document Signer role can own and use user certificates.
API Endpoint
Endpoint
POST https://clientauth.demo.one.digicert.com/documentmanager/api/c2pa/v1/image/sign
Headers
| Key | Value |
|---|---|
| Accept | application/json |
| Content-Type | application/json |
Request body parameters
All body parameters below are mandatory.
| Key | Data type | Description |
|---|---|---|
| credentialId | String | Nickname of your user certificate. |
| hashAlgo | String | Hash algorithm OID. Example: 2.16.840.1.101.3.4.2.1 (SHA-256). |
| signAlgo | String | Signature algorithm OID. Example: 1.2.840.113549.1.1.10 (RSASSA-PSS). |
| signAlgoParams | String | Algorithm parameters for RSASSA-PSS. Example: MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEg |
| pin | String | PIN of the user certificate. |
| numSignatures | Positive integer | Set to 1. The API supports one signature per call. |
| manifest | File | The manifest file to sign (JSON). The author value must match the CN or O in your user certificate. |
If the author name does not match, the API returns an error such as:
Author name in manifest does not match the certificate. Expected CN: <CN> or Organization: <O>, but found: [<value>].
Response body parameters
| Key | Data type | Description |
|---|---|---|
| signed_manifest | String | The signed manifest, returned as a JSON string. You can embed this into your media file using the C2PA tool. |
Example cURL request
curl --location 'https://clientauth.demo.one.digicert.com/documentmanager/api/c2pa/v1/image/sign' \
  --form 'credentialId="your_certificate_nickname"' \
  --form 'hashAlgo="2.16.840.1.101.3.4.2.1"' \
  --form 'signAlgo="1.2.840.113549.1.1.10"' \
  --form 'signAlgoParams="MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEg"' \
  --form 'pin="your_pin"' \
  --form 'manifest=@"/path/to/your/manifest.json"' \
  --form 'numSignatures="1"'
Replace:
credentialId with your user certificate nickname
pin with your certificate PIN
manifest with your manifest file path
Example manifest (JSON)
Make sure the manifest is valid JSON and has correct indentation.
{
  "claim_generator": "Digicert_Content_Trust_Manager",
  "title": "Sample.jpg",
  "format": "image/jpeg",
  "instance_id": "$instanceId",
  "assertions": [
    {
      "label": "stds.schema-org.CreativeWork",
      "data": {
        "@context": "https://schema.org",
        "@type": "CreativeWork",
        "author": [
          {
            "@type": "Organization",
            "name": "Shantanu Raj Soni Person"
          }
        ]
      }
    }
  ]
}
Example response
{ "signed_manifest": "{\n \"manifest_id\" : \"urn:c2pa:4fc9c59b-06de-4bc9-bae6-3760298939e9\",\n \"manifest\" : {\n \"claim_generator_info\" : [ {\n \"name\" : \"c2pa-rs\",\n \"version\" : \"0.64.0\",\n \"org.contentauth.c2pa_rs\" : \"0.64.0\"\n } ],\n \"title\" : \"Sample.jpg\",\n \"instance_id\" : \"xmp:iid:67bccc1f-e3df-46ff-b2a8-9422a442c623\",\n \"thumbnail\" : {\n \"format\" : \"image/jpeg\",\n \"identifier\" : \"self#jumbf=/c2pa/urn:c2pa:4fc9c59b-06de-4bc9-bae6-3760298939e9/c2pa.assertions/c2pa.thumbnail.claim\"\n },\n \"ingredients\" : [ ],\n \"assertions\" : [ {\n \"label\" : \"c2pa.actions.v2\",\n \"data\" : {\n \"actions\" : [ {\n \"action\" : \"c2pa.created\",\n \"digitalSourceType\" : \"http://c2pa.org/digitalsourcetype/empty\"\n } ],\n \"allActionsIncluded\" : true\n }\n }, {\n \"label\" : \"stds.schema-org.CreativeWork\",\n \"data\" : {\n \"@context\" : \"https://schema.org\",\n \"@type\" : \"CreativeWork\",\n \"author\" : [ {\n \"name\" : \"Shantanu Raj Soni Person\",\n \"@type\" : \"Organization\"\n } ]\n },\n \"kind\" : \"Json\"\n } ],\n \"signature_info\" : {\n \"alg\" : \"Ps256\",\n \"issuer\" : \"Shantanu Raj Soni Person\",\n \"common_name\" : \"Shantanu Raj Soni DDS SRS3\",\n \"cert_serial_number\" : \"562001232692746966272992097391089716080670060825\",\n \"time\" : \"2025-11-14T11:59:44+00:00\"\n },\n \"label\" : \"urn:c2pa:4fc9c59b-06de-4bc9-bae6-3760298939e9\"\n },\n \"validation_results\" : {\n \"activeManifest\" : {\n \"success\" : [ {\n \"code\" : \"timeStamp.validated\",\n \"url\" : \"self#jumbf=/c2pa/urn:c2pa:4fc9c59b-06de-4bc9-bae6-3760298939e9/c2pa.signature\",\n \"explanation\" : \"timestamp message digest matched: DigiCert SHA256 RSA4096 Timestamp Responder 2025 1\"\n }, {\n \"code\" : \"claimSignature.insideValidity\",\n \"url\" : \"self#jumbf=/c2pa/urn:c2pa:4fc9c59b-06de-4bc9-bae6-3760298939e9/c2pa.signature\",\n \"explanation\" : \"claim signature valid\"\n }, {\n \"code\" : \"claimSignature.validated\",\n \"url\" : \"self#jumbf=/c2pa/urn:c2pa:4fc9c59b-06de-4bc9-bae6-3760298939e9/c2pa.signature\",\n \"explanation\" : \"claim signature valid\"\n }, {\n \"code\" : \"assertion.hashedURI.match\",\n \"url\" : \"self#jumbf=/c2pa/urn:c2pa:4fc9c59b-06de-4bc9-bae6-3760298939e9/c2pa.assertions/c2pa.thumbnail.claim\",\n \"explanation\" : \"hashed uri matched: self#jumbf=c2pa.assertions/c2pa.thumbnail.claim\"\n }, {\n \"code\" : \"assertion.hashedURI.match\",\n \"url\" : \"self#jumbf=/c2pa/urn:c2pa:4fc9c59b-06de-4bc9-bae6-3760298939e9/c2pa.assertions/c2pa.actions.v2\",\n \"explanation\" : \"hashed uri matched: self#jumbf=c2pa.assertions/c2pa.actions.v2\"\n }, {\n \"code\" : \"assertion.hashedURI.match\",\n \"url\" : \"self#jumbf=/c2pa/urn:c2pa:4fc9c59b-06de-4bc9-bae6-3760298939e9/c2pa.assertions/c2pa.hash.data\",\n \"explanation\" : \"hashed uri matched: self#jumbf=c2pa.assertions/c2pa.hash.data\"\n }, {\n \"code\" : \"assertion.hashedURI.match\",\n \"url\" : \"self#jumbf=/c2pa/urn:c2pa:4fc9c59b-06de-4bc9-bae6-3760298939e9/c2pa.assertions/stds.schema-org.CreativeWork\",\n \"explanation\" : \"hashed uri matched: self#jumbf=c2pa.assertions/stds.schema-org.CreativeWork\"\n }, {\n \"code\" : \"assertion.dataHash.match\",\n \"url\" : \"self#jumbf=/c2pa/urn:c2pa:4fc9c59b-06de-4bc9-bae6-3760298939e9/c2pa.assertions/c2pa.hash.data\",\n \"explanation\" : \"data hash valid\"\n } ],\n \"informational\" : [ {\n \"code\" : \"timeStamp.untrusted\",\n \"url\" : \"self#jumbf=/c2pa/urn:c2pa:4fc9c59b-06de-4bc9-bae6-3760298939e9/c2pa.signature\",\n \"explanation\" : \"timestamp cert untrusted: DigiCert SHA256 RSA4096 Timestamp Responder 2025 1\"\n } ],\n \"failure\" : [ ]\n }\n },\n \"validation_state\" : \"Valid\"\n}" }
Response codes
Success
200 OK – Request succeeded and the signed manifest was returned.
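Because signed_manifest is a JSON string nested inside the JSON response, it has to be decoded twice before its validation results can be inspected. The following is an added example, not DigiCert code: the function names, the acceptance policy (Valid state, empty failure list, expected certificate serial number) and the sample values are assumptions, and the sample response is constructed and trimmed to the fields used.

```python
import json

def summarize(response_text):
    """Decode the response and pull out the fields worth checking before embedding."""
    outer = json.loads(response_text)
    inner = json.loads(outer["signed_manifest"])  # the field is itself a JSON string
    active = inner.get("validation_results", {}).get("activeManifest", {})
    sig = inner.get("manifest", {}).get("signature_info", {})
    return {
        "state": inner.get("validation_state"),
        "failures": [e.get("code") for e in active.get("failure", [])],
        "informational": [e.get("code") for e in active.get("informational", [])],
        "alg": sig.get("alg"),
        "cert_serial_number": sig.get("cert_serial_number"),
    }

def acceptable(summary, expected_serial):
    """Local policy (assumption): Valid state, no failures, expected signing certificate."""
    return (summary["state"] == "Valid"
            and not summary["failures"]
            and summary["cert_serial_number"] == expected_serial)

def sample_response(state="Valid", failures=()):
    """Constructed, trimmed response with the same nesting as the page's example."""
    inner = {
        "manifest": {"signature_info": {"alg": "Ps256",
                                        "cert_serial_number": "1234567890"}},
        "validation_results": {"activeManifest": {
            "success": [{"code": "claimSignature.validated"}],
            "informational": [{"code": "timeStamp.untrusted"}],
            "failure": [{"code": c} for c in failures]}},
        "validation_state": state,
    }
    return json.dumps({"signed_manifest": json.dumps(inner, indent=2)})

if __name__ == "__main__":
    good = summarize(sample_response())
    print(good, acceptable(good, "1234567890"))
    bad = summarize(sample_response("Invalid", ["assertion.dataHash.mismatch"]))
    print(bad, acceptable(bad, "1234567890"))
```

The summary only reflects what the service reported in its response; verifying the embedded result is still done with the Verify Content tool or contentcredentials.org/verify.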
Errors
| Status | Code | Meaning |
|---|---|---|
| 400 | MISSING_FIELD | A required field is missing. |
| 400 | INVALID_MANIFEST_STRUCTURE | Manifest does not contain a CreativeWork assertion. |
| 400 | MISSING_AUTHOR | Manifest does not include an author. |
| 400 | AUTHOR_CERT_MISMATCH | Author does not match CN or O in the certificate. |
| 400 | INVALID_USER_CERT | User certificate is invalid, revoked, or inactive. |
| 400 | INVALID_PIN | Incorrect certificate PIN. |
| 400 | INVALID_CLIENT_AUTH | Client authentication certificate is missing or invalid. |
| 500 | UNEXPECTED_ERROR | Server-side error. |
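The manifest-related 400 codes above can be caught locally before the PIN and manifest are sent. The following is an added example, not DigiCert code: the function names, the LOCAL_INVALID_JSON label, the exact-match comparison and the certificate subject values are assumptions, and the service's own matching rules may differ.

```python
import json

CREATIVE_WORK = "stds.schema-org.CreativeWork"  # label used in the page's example manifest

def preflight(manifest_text, cert_cn, cert_o):
    """Return (code, detail) for the first problem found, or (None, "ok")."""
    try:
        manifest = json.loads(manifest_text)
    except json.JSONDecodeError as exc:
        return "LOCAL_INVALID_JSON", str(exc)  # local label, not an API code
    assertions = manifest.get("assertions") if isinstance(manifest, dict) else None
    works = [a for a in (assertions if isinstance(assertions, list) else [])
             if isinstance(a, dict) and a.get("label") == CREATIVE_WORK]
    if not works:
        return "INVALID_MANIFEST_STRUCTURE", "no CreativeWork assertion"
    names = []
    for work in works:
        data = work.get("data")
        authors = data.get("author", []) if isinstance(data, dict) else []
        if not isinstance(authors, list):  # tolerate a single author object
            authors = [authors]
        names += [a["name"] for a in authors if isinstance(a, dict) and a.get("name")]
    if not names:
        return "MISSING_AUTHOR", "CreativeWork assertion has no author name"
    # Assumption: exact, case-sensitive match, and every author must match.
    unexpected = [n for n in names if n not in (cert_cn, cert_o)]
    if unexpected:
        return "AUTHOR_CERT_MISMATCH", (
            f"Expected CN: {cert_cn} or Organization: {cert_o}, but found: {unexpected}")
    return None, "ok"

def sample_manifest(author_names):
    """Constructed manifest shaped like the page's example."""
    return json.dumps({
        "claim_generator": "Digicert_Content_Trust_Manager",
        "title": "Sample.jpg", "format": "image/jpeg",
        "assertions": [{"label": CREATIVE_WORK, "data": {
            "@context": "https://schema.org", "@type": "CreativeWork",
            "author": [{"@type": "Organization", "name": n} for n in author_names]}}],
    })

if __name__ == "__main__":
    cn, org = "Example Signer", "Example Org"  # constructed certificate subject values
    for text in (sample_manifest(["Example Org"]), sample_manifest(["Someone Else"]),
                 sample_manifest([]), '{"assertions": []}', "{not json"):
        print(preflight(text, cn, org))
```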
Troubleshooting tips
Confirm the correct host is set for your client authentication certificate: clientauth.demo.one.digicert.com:443.
Check that the manifest file path is correct.
Make sure the pin and credentialId match your user certificate.
Ensure the manifest file is valid JSON.
Confirm that your user certificate shows a credential status of Active. If not, contact your DigiCert representative.