watermarking.media
Ownership

Does ChatGPT watermark its images?

By The watermarking.media team
5 min read
Contents

Yes, and twice: every image ChatGPT generates carries C2PA Content Credentials metadata identifying it as made by GPT-4o, and since May 2026 it also carries Google DeepMind’s SynthID invisible watermark embedded in the pixels (OpenAI, 2026). One mark lives in the file’s metadata, the other lives in the pixels themselves, and they are there for different reasons. Here is what each layer is, why OpenAI ships both, and the things neither one proves.

Layer one: C2PA Content Credentials

The older layer is metadata. Since early 2024, OpenAI has attached C2PA Content Credentials to the images it generates, first for DALL-E 3 and now for GPT-4o image generation (OpenAI, 2026). C2PA is container-level provenance, not a pixel watermark: a cryptographically signed manifest stored in the file’s metadata that records the generating model and tags the digital source type as trainedAlgorithmicMedia, the C2PA standard’s label for AI-generated content. The binding is strong while the file is intact. The Content Credentials Technical Whitepaper (2025) describes a hard binding that “ties the Manifest to the asset itself, ensuring that any changes to the asset will invalidate the Manifest”.

The weakness is structural and well known: because the manifest rides in metadata, any pixel-touching edit or re-encode that does not carry it forward strips it. A screenshot, a re-save, or an upload through a platform that discards metadata leaves the image looking exactly the same with no credential at all. A verifier then returns one of three readouts: a valid credential, an invalidated binding when the content hash no longer matches (positive evidence the file changed after signing), or no manifest, which is silent and indistinguishable from a file that never had one. That silent case is precisely the gap the second layer is meant to cover.

Layer two: SynthID in the pixels

Since May 2026, OpenAI also embeds Google DeepMind’s SynthID invisible watermark in the pixels of images from ChatGPT, the OpenAI API, and Codex, and it joined the C2PA steering committee at the same time (OpenAI, 2026). SynthID is a post-hoc, model-independent spectral mark that a matching decoder reads back, calibrated to a 0.1 percent false-positive rate, and Google reports it “has been used to watermark over ten billion images and video frames” across its services (Gowal, Bunel & Stimberg, 2025). This is why “does ChatGPT use SynthID” is now a yes even though SynthID is Google’s technology: OpenAI adopted it. The mark is no longer Google-only; it is embedded by a growing list of providers that now includes both Google and OpenAI.

Why two marks

The two layers cover each other’s blind spot. OpenAI’s own explanation puts it plainly: “C2PA helps content carry detailed context; SynthID helps preserve a signal when metadata does not survive” (OpenAI, Advancing content provenance, 2026). The manifest carries a full, readable provenance history but is fragile, since metadata is easily stripped. The watermark carries only a small payload and no readable edit history, but its “signal is part of the image itself and may persist through some edits or transformations” (OpenAI, Advancing content provenance, 2026). Metadata gives you the detail; the pixel mark gives you the durability. This is also why the C2PA vs SynthID question is not winner-takes-all: the stronger design is layered, and neither alone is enough.

What the two marks do not prove

Both layers tell you something real, and neither is a truth oracle. A ChatGPT image with a valid C2PA credential is still an AI-generated image with a signed origin statement, not a verified depiction of reality, and the silent no-manifest case means the absence of Content Credentials on an image that claims to be from ChatGPT proves nothing on its own.

SynthID has its own ceiling. The design is scoped to make black-box attacks “computationally infeasible at scale” rather than to defeat “a determined white-box adversary” (Gowal, Bunel & Stimberg, 2025), and Zhao, Zhang & Wang (NeurIPS 2024) prove that pixel-additive marks of its class are removable by generative regeneration. So a ChatGPT image regenerated through another model can lose its SynthID mark while staying visually identical. The framing is the one Golaszewski, Krawetz & Sherman give in Verifying Provenance of Digital Media: Why the C2PA Specifications Fall Short (2026): “C2PA provides provenance signals, not proof of authenticity”. The same caution holds for the watermark. Presence is informative. Absence is close to neutral.

Check it yourself

You do not have to take the marks on faith. OpenAI’s Verify tool reads both signals from an uploaded image, reporting Content Credentials and SynthID together (OpenAI, 2026). For the metadata layer alone, Content Credentials Verify (CAI Verify) reads the C2PA manifest (Content Credentials Technical Whitepaper, 2025).

For the step-by-step on the pixel mark, see How to check if an image has SynthID. For the wider “which of my images are marked, and by what” question, see Is my AI image watermarked?.

Sources

#chatgpt#openai#synthid#c2pa#watermarking