Image signing API

Content Trust Manager’s image signing APIs enable you to sign images with a C2PA (Coalition for Content Provenance and Authenticity) compliant manifest, ensuring the authenticity and integrity of your content. When you sign, the API returns the image data in Base64-encoded format, which you then decode into a binary image file.

Verify the signed images via the verification tool within Content Trust Manager. Or use this link.

Note

As these APIs are a part of a beta program and use private PKI, your signature might appear invalid or partially unsuccessful on contentcredentials.org.

Before making your first API call, make sure you have the following:

User certificate

Contact the DigiCert team to request an image signing user certificate. Visit Content Trust > Certificates on the demo environment to view your certificate credential details. You are not required to verify your identity to get a user certificate.  

You use your user certificate to authenticate your identity while making calls to image signing APIs. The identity of the client is authenticated using the client authentication certificate.

Image signing APIs use the mutual Transport Layer Security (mTLS) protocol. You are required to create a client authentication certificate to complete the mTLS handshake.

Client authentication certificate

Create a client authentication certificate

A client authentication certificate is an X.509 digital certificate that verifies your identity as a DigiCert ONE user when you make requests via the DigiCert ONE API or client tools. It enables secure communication between applications.

Follow the procedure below based on your user type and role. Learn more about user types, scope, and roles.

Credential ID

Your credential ID is the nickname of your user certificate in Content Trust Manager. Copy the user certificate nickname and use it in your request body.

  1. In the Content Trust menu, select Certificates.

  2. Hover your cursor over the certificate nickname.

  3. Select the Copy icon.

PIN

You will receive an email with the subject line “Sign with your digital ID” once your user certificate is created. This email includes the PIN associated with your user certificate. Keep this email safe so that you can easily retrieve the PIN for signing images.

URL: https://clientauth.demo.one.digicert.com/documentmanager/api/c2pa/v1/image/sign    

Method: POST

Headers

Table 1. Request parameters: headers

| Key | Value |
| --- | --- |
| Accept | application/json |
| Content-Type | application/json |


Body

All body parameters below are mandatory.

Table 2. Request parameters: body

| Key | Data type | Description |
| --- | --- | --- |
| credentialId | String | Your credential ID is the nickname of your certificate in Content Trust Manager. Copy the certificate nickname and use it in your request body. |
| hashAlgo | String | Set this to the Object Identifier of the hash algorithm you want to use. Example: Use 2.16.840.1.101.3.4.2.1 for SHA-256. |
| signAlgo | String | Set this to the Object Identifier of the signature algorithm you want to use. Example: Use 1.2.840.113549.1.1.10 for RSASSA-PSS. |
| signAlgoParams | String | Algorithm-specific parameters applicable when using RSASSA-PSS signatures. Example: “MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEg”. |
| pin | String | Use the PIN you received in the “Sign with your digital ID” email. |
| numSignatures | Positive integer | Always use 1 in this field. Currently, the API can add only one signature at a time. |
| image | File | Upload a .jpg/.jpeg image up to 4 MB. |
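
The signAlgoParams example above is opaque Base64. The added example below (not DigiCert's code) decodes it as DER-encoded RSASSA-PSS parameters, so you can see which hash, mask generation function and salt length the request asks for and confirm that the hash matches hashAlgo. The function names are hypothetical, and whether the API itself rejects a mismatch is not stated on this page.

```python
import base64

PAGE_PARAMS = "MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEg"  # from this page

def parse(buf):
    """Parse DER bytes into a list of (tag, value); constructed values recurse."""
    pos, out = 0, []
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low bits give the number of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER")
        val, pos = buf[pos:pos + length], pos + length
        out.append((tag, parse(val) if tag & 0x20 else val))
    return out

def oid_to_str(body):
    """Convert DER OID content bytes to dotted notation."""
    arcs, value = [], 0
    for byte in body:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:          # high bit clear ends this arc
            arcs.append(value)
            value = 0
    first = min(arcs[0] // 40, 2)    # the first value packs the first two arcs
    return ".".join(map(str, [first, arcs[0] - 40 * first] + arcs[1:]))

def decode_pss_params(b64_params):
    """Return the hash OID, MGF OID, MGF hash OID and salt length that are present."""
    (tag, fields), = parse(base64.b64decode(b64_params, validate=True))
    if tag != 0x30:
        raise ValueError("expected a SEQUENCE")
    out = {}
    for tag, (inner,) in fields:     # each field sits in an explicit [n] wrapper
        if tag == 0xA0:              # hashAlgorithm: SEQUENCE { OID, NULL }
            out["hash_oid"] = oid_to_str(inner[1][0][1])
        elif tag == 0xA1:            # maskGenAlgorithm: SEQUENCE { OID, SEQUENCE { OID, NULL } }
            out["mgf_oid"] = oid_to_str(inner[1][0][1])
            out["mgf_hash_oid"] = oid_to_str(inner[1][1][1][0][1])
        elif tag == 0xA2:            # saltLength: INTEGER
            out["salt_length"] = int.from_bytes(inner[1], "big")
    return out

def hashes_consistent(hash_algo_oid, b64_params):
    """True when hashAlgo, the PSS hash and the MGF1 hash are the same OID."""
    p = decode_pss_params(b64_params)
    return p.get("hash_oid") == hash_algo_oid == p.get("mgf_hash_oid")
```

For the page's example value this yields SHA-256 for both the signature hash and MGF1 (OID 1.2.840.113549.1.1.8), with a 32-byte salt.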


See response parameters below:

Table 3. Response parameters

| Key | Data type | Description |
| --- | --- | --- |
| file_name | String | Your filename prefixed with “signed-”. |
| mime_type | String | image/jpeg. This parameter tells how to interpret the data. |
| content_size | Int | Size of the encoded signed content (signed image) in bytes. |
| encoded_signed_content | String: Base64 encoded | The signed image provided in Base64 format. Decode it using any online Base64 decoder to get the binary file of the image which can then be verified using Content Trust Manager. |
| manifest_file | String: JSON format | The JSON file received under this parameter is the manifest which is embedded in the signed image. It includes the active manifest ID, the manifest with details such as the claim generator, file title, format, unique instance ID, and label. It also contains assertions like a CreativeWork entry with the author’s name and a cryptographic hash describing the file’s integrity. |


Send the request with cURL. Replace the following with your own parameters:

  • credentialId - Replace it with your user certificate nickname.

  • pin - Replace it with the PIN you received in the “Sign with your digital ID” email.

  • image=@ - Replace it with your image path. If you are using Postman, select a file from your device under the image parameter.

curl --location 'https://clientauth.demo.one.digicert.com/documentmanager/api/c2pa/v1/image/sign' \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --form 'credentialId="basic_np-14-08-2025-11-01-44-165"' \
  --form 'hashAlgo="2.16.840.1.101.3.4.2.1"' \
  --form 'signAlgo="1.2.840.113549.1.1.10"' \
  --form 'signAlgoParams="MDSgDzANBglghkgBZQMEAgEFAKEcMBoGCSqGSIb3DQEBCDANBglghkgBZQMEAgEFAKIDAgEg"' \
  --form 'pin="sha123"' \
  --form 'numSignatures="1"' \
  --form 'image=@"/Users/username/Documents/unsignedImage.jpg"'

See example response below:

{      
"file_name": "signed-4399.jpg",      
"mime_type": "image/jpeg",      
"content_size": 3598386,      
"encoded_signed_content": "<a very long string which is your signed image data base64 encoded, truncated in this example for brevity> ",      
"manifest_file": "{\n  \"active_manifest\": \"urn:uuid:00849e5e-c3de-4ed9-8cbb-e0489d8480c8\",\n  \"manifests\": {\n    \"urn:uuid:00849e5e-c3de-4ed9-8cbb-e0489d8480c8\": {\n      \"claim_generator\": \"Digicert_Content_Trust_Manager c2pa-rs/0.18.1\",\n      \"title\": \"4399.jpg\",\n      \"format\": \"image/jpeg\",\n      \"instance_id\": \"xmp:iid:e7c6187e-785e-4939-93eb-d33fc37ff9f0\",\n      \"ingredients\": [],\n      \"assertions\": [\n        {\n          \"label\": \"stds.schema-org.CreativeWork\",\n          \"data\": {\n            \"@context\": \"https://schema.org\",\n            \"@type\": \"CreativeWork\",\n            \"author\": [\n              {\n                \"@type\": \"Person\",\n                \"email\": \"shantanu.soni@digicert.com\",\n                \"name\": \"Shantanu RajSoni\"\n              }\n            ]\n          },\n          \"kind\": \"Json\"\n        },\n        {\n          \"label\": \"c2pa.hash.data\",\n          \"data\": {\n            \"alg\": \"sha256\",\n            \"exclusions\": [\n              {\n                \"length\": 1800667,\n                \"start\": 20\n              }\n            ],\n            \"hash\": \"Zid6b41fQHefXtQcBilodph8IfTbM+0cz0RYJw1GxNI=\",\n            \"name\": \"jumbf manifest\",\n            \"pad\": \"<omitted>\"\n          }\n        }\n      ],\n      \"label\": \"urn:uuid:00849e5e-c3de-4ed9-8cbb-e0489d8480c8\"\n    }\n  },\n  \"validation_status\": [\n    {\n      \"code\": \"claimSignature.mismatch\",\n      \"url\": \"self#jumbf=/c2pa/urn:uuid:00849e5e-c3de-4ed9-8cbb-e0489d8480c8/c2pa.signature\",\n      \"explanation\": \"claim signature is not valid\"\n    }\n  ]\n}"  
}  
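
An added example, not part of DigiCert's documentation: it decodes encoded_signed_content locally, checks that the result is a JPEG, saves it under a sanitized file_name, and reads validation_status out of manifest_file (a JSON document carried inside a JSON string). The function names and the constructed sample response are assumptions for illustration.

```python
import base64
import json
from pathlib import Path

def unpack_signed_image(response_text, out_dir):
    """Decode a sign response locally; return (saved path, manifest summary)."""
    resp = json.loads(response_text)
    if resp.get("mime_type") != "image/jpeg":
        raise ValueError(f"unexpected mime_type: {resp.get('mime_type')!r}")
    # validate=True raises binascii.Error (a ValueError) on non-Base64 input
    image = base64.b64decode(resp["encoded_signed_content"], validate=True)
    if not image.startswith(b"\xff\xd8\xff"):  # JPEG start-of-image marker
        raise ValueError("decoded content is not a JPEG")
    # Keep only the last path component so a server-supplied name cannot
    # place the file outside out_dir.
    name = Path(resp["file_name"].replace("\\", "/")).name
    if not name or name == "..":
        raise ValueError("unusable file_name")
    target = Path(out_dir) / name
    target.write_bytes(image)
    # manifest_file is JSON carried inside a JSON string, so parse it again.
    manifest = json.loads(resp["manifest_file"])
    active = manifest["manifests"][manifest["active_manifest"]]
    summary = {
        "claim_generator": active.get("claim_generator"),
        "hash_algs": [a["data"].get("alg") for a in active.get("assertions", [])
                      if a.get("label") == "c2pa.hash.data"],
        # Non-empty when the response itself reports a validation problem.
        "validation_codes": [s.get("code")
                             for s in manifest.get("validation_status", [])],
    }
    return target, summary

def constructed_response():
    """Constructed sample shaped like the page's example (not real API output)."""
    uid = "urn:uuid:00000000-0000-0000-0000-000000000000"
    manifest = {"active_manifest": uid, "manifests": {uid: {
        "claim_generator": "example-generator",
        "assertions": [{"label": "c2pa.hash.data", "data": {"alg": "sha256"}}]}},
        "validation_status": [{"code": "claimSignature.mismatch"}]}
    return json.dumps({
        "file_name": "../signed-sample.jpg", "mime_type": "image/jpeg",
        "encoded_signed_content": base64.b64encode(b"\xff\xd8\xff\xe0").decode(),
        "manifest_file": json.dumps(manifest)})
```

A non-empty validation_codes list, such as the claimSignature.mismatch entry in the example response above, is worth logging before the image is passed on for verification.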

Success    

HTTP Status Code: 200   

Your request is acknowledged, and the signed image (Base64-encoded) is returned along with other metadata.

Errors

HTTP Status Code: 4xx    

Indicates a client-side error, which may include issues with your request body, missing parameters, or problems with client authentication certificates.     

HTTP Status Code: 5xx   

Indicates a server-side error, which may include internal server failures, unhandled exceptions, or temporary issues preventing the server from fulfilling the request.

  • Define the correct HOST (clientauth.demo.one.digicert.com:443) where you add the client authentication certificate. 

  • Mention the correct file path under the image parameter.

  • Use the correct pin and credentialId.

  • Ensure that your image is in .jpg/.jpeg format.

  • Ensure that your user certificate has an Active credential status. Contact support if it displays any other status.

To find descriptions of all endpoints in the Document Trust Manager REST API, example requests and responses, and details about parameters, visit the Swagger UI reference documentation.