Contents
The simplest way to add Content Credentials to a photo is the free Adobe Content Authenticity web app, which signs the file with your verified identity and your preferences, and you can also add them from inside Photoshop or Lightroom, or, if you write code, with the open-source c2patool. All three routes produce the same thing: a cryptographically signed manifest bound to your file. Which one to use comes down to whether you want a no-cost web tool, an editor you already own, or a scriptable command line.
The free web app
Adobe’s Content Authenticity web app is the lowest-friction option, and it does not require an Adobe subscription. It adds Content Credentials to images, audio, and video, and it can do so in bulk. What you can attach goes beyond a bare signature: a verified name or identity, a website and social accounts (Behance, Instagram, LinkedIn, X), and a generative-AI training preference, a “do not train” signal that travels with the file (Adobe Content Authenticity, 2025).
Be clear about what that last field is. It is a preference, not an enforcement mechanism. A Content Credential records what you assert and signs that record; it does not force a downstream model trainer, platform, or editor to obey the preference. What it gives you is a signed, portable, machine-readable statement of your intent, which is a precondition for anyone to honour it, not a guarantee that they will.
What “durable” means here
Adobe describes the credentials it applies as durable, “leveraging a combination of secure metadata, invisible watermarks, and digital fingerprinting technology, so your Content Credentials will remain connected to your work even if the metadata is removed or if someone takes a screenshot” (Adobe Content Authenticity, 2025). Under the hood every Content Credential is a SHA-256 content hash wrapped in an x509-signed manifest (C2PA Specification v2.4), and because a hash has no inverse, the first changed byte invalidates the hard binding, which is 100 percent invalidation on any real edit. The durable version answers that fragility by adding a soft binding, “one or more soft bindings that enable discovery in a manifest repository” (Content Credentials Technical Whitepaper, 2025), a fingerprint or watermark that lets a stripped file be matched back to its record.
That genuinely defends against accidental loss on upload. It does not defend against someone who wants the credential gone, because the watermark layer it relies on is removable: Zhao, Zhang and Wang show pixel-level invisible marks fall to generative regeneration (NeurIPS 2024), and the SynthID team note that metadata is “often stripped accidentally and can also be trivially removed” (Gowal, Bunel, Stimberg, 2025). A durable credential is durable against accident, not against intent.
From inside Photoshop or Lightroom
If you already edit in Adobe’s tools, you can sign on the way out instead of making a separate trip. Photoshop attaches credentials from its Content Credentials (Beta) panel on Export As, and Lightroom applies them from the export dialog under Custom Settings. The full click paths, the publish-to-cloud versus attach-to-file choice, and the JPEG-only gotcha in Lightroom are covered in Content Credentials in Photoshop and Lightroom. The mechanism is identical to the web app; only the entry point differs.
The developer path
If you want to script it, the Content Authenticity Initiative publishes the open-source c2patool, which adds and reads the same manifests the Adobe apps use (Content Authenticity Initiative). This is the route for a publishing pipeline that needs to sign thousands of assets without a human in the loop, and what it writes reads back with the same verifier covered in How to verify Content Credentials.
Which route to pick
For most creators the web app is the right default: add a verified identity and the accounts you want tied to the work, record your training preference if you want that assertion attached, and keep one unchanged exported copy, because the untouched original is the version most likely to verify cleanly later. If you already finish in Adobe tools, add the credential at final export and choose attach and publish to cloud when it is offered, so the recipient gets a direct manifest and the verifier still has a recovery path if the embedded copy is stripped. If you are building a pipeline, use c2patool and verify the output before you ship. Whichever route you take, check the result yourself afterwards rather than assuming the credential attached.
What the credential you add actually says
One last framing, so you attach one for the right reason. Signing a photo records and cryptographically seals your claim about it: who made it, with what, and what edits were applied. It does not make the claim true. A valid credential proves the record is intact, not that the content is honest, which is why the first independent security analysis of the standard concluded that “C2PA provides provenance signals, not proof of authenticity” (Golaszewski, Krawetz, Sherman, 2026). Added to your own work, a Content Credential is a strong, portable statement of authorship and intent, the do-not-train preference included, and that is exactly what it is good for. For what the credential is in the first place, see What is C2PA / Content Credentials?.
Sources
- Golaszewski, Krawetz, Sherman, et al. (2026). Verifying Provenance of Digital Media: Why the C2PA Specifications Fall Short. arXiv:2604.24890.
- Zhao, Zhang, Wang (2024). Invisible Image Watermarks Are Provably Removable Using Generative AI. NeurIPS.
- Gowal, Bunel, Stimberg, et al. (2025). SynthID-Image: Image Watermarking at Internet Scale. arXiv:2510.09263.
- Adobe (2025) Adobe Content Authenticity web app. Available at: https://contentauthenticity.adobe.com/ (Accessed: 3 July 2026).
- Content Authenticity Initiative (no date) c2patool. Available at: https://opensource.contentauthenticity.org/docs/c2patool/ (Accessed: 3 July 2026).
- Coalition for Content Provenance and Authenticity (C2PA) (2025) Content Credentials: C2PA Technical Whitepaper. Available at: https://c2pa.org/wp-content/uploads/sites/33/2025/10/content_credentials_wp_0925.pdf (Accessed: 3 July 2026).
- Coalition for Content Provenance and Authenticity (C2PA) (2026) C2PA Technical Specification, version 2.4. Available at: https://spec.c2pa.org/specifications/specifications/2.4/specs/C2PA_Specification.html (Accessed: 3 July 2026).