For information on support tiers for CI tests, see Support tiers for C2PA Rust SDK products
The Coalition for Content Provenance and Authenticity (C2PA) addresses the prevalence of misleading information online through the development of technical standards for certifying the source and history (or provenance) of media content. The C2PA Rust library is part of the Content Authenticity Initiative open-source SDK.
For the best experience, read the docs on the CAI Open Source SDK documentation website.
Join the Content Authenticity Initiative to connect with a global community advancing the movement for content transparency, get access to the latest ecosystem news, attend events, and access the CAI brand kit to share your involvement.
Join the CAI Discord to connect with other implementers, ask questions about the CAI open-source tools, and receive expert guidance on how to build with the C2PA standard.
You can also read the documentation directly in GitHub:
-
Using the embeddable API that provides explicit control over how a C2PA manifest is embedded into an asset.
-
C2PA Tool documentation:
-
C API: Interface that you can use to integrate with any application that uses C or interfaces with C libraries.
The c2pa crate implements a subset of the C2PA technical specification and the CAWG identity assertion specification in the Rust programming language.
The library enables a desktop, mobile, or embedded application to:
- Create and sign C2PA claims and manifests.
- Create, sign, and validate CAWG identity assertions in C2PA manifests. See Using the CAWG identity assertion for more information.
- Embed manifests in supported file formats.
- Parse and validate manifests found in supported file formats.
- Share configuration efficiently across multiple operations and threads through contexts using
Arc<Context>.
The library supports several common C2PA assertions and hard bindings.
For details on what you can do with the library, see Using the Rust library.
This library also provides a C API that you can use to integrate with any application that uses C or interfaces with C libraries.
This is a beta release (version 0.x.x) of the project. We govern changes by whether they break compatibility, not by size:
- Additive changes (new APIs, bug fixes) ship quickly on the current release train as patch releases (the
yin0.x.y). - Breaking changes are batched onto a scheduled "release train" that runs roughly every two months and bumps the middle number (
0.x.0). If no breaking changes are queued when a train is due, it is skipped — so a bump of the middle number is a reliable signal that something actually broke.
This lets us keep moving quickly before 1.0 while giving you a predictable schedule for migrations. For full details, see the release process and deprecation policy.
mainis the active development branch. It's always "green" (it compiles and passes CI), but its public API is not stable — it may contain unreleased or feature-gated work that changes at any time — and it is never published to crates.io. Build frommainonly if you want to preview upcoming work and can tolerate churn.stabletracks the most recent crates.io release and is where published releases come from. Olderv0.xbranches are retained for retired release lines. If you depend onc2pa, use a released version from crates.io (which comes fromstable) rather than pinning tomain.
Every change lands on main first and is then brought onto stable for release, so main is always the superset of what has shipped.
Note
The library supports C2PA v2 claims by default, and implementations should not generate deprecated v1 claims. For details, see C2PA v2 claims.
The current release API replaces old methods of reading and writing C2PA data, which are deprecated. See the release notes for more information.
The library uses a Context structure to configure C2PA operations, replacing the older global Settings pattern:
- Thread-safe configuration: Context is
Send + Syncand can be safely shared across threads usingArc<Context> - Multiple configurations: Unlike global settings, you can have multiple Context instances with different configurations
- Backwards compatible: All existing Settings (JSON/TOML) files work unchanged with Context
- Automatic signer creation: Signers are created automatically from settings when needed
See Configuring SDK settings for details.
Install Rust and Cargo
To use the CAI Rust library, you must install Rust and Cargo.
Minimal supported Rust version (MSRV): The c2pa crate requires Rust version 1.88.0 or newer. When a newer version of Rust becomes required, a new minor (0.x.0) version of this crate will be released.
Install C build tools
Install the C build tools for your development platoform"
- macOS: XCode with command-line tools
- Windows: Microsoft Visual C++ (MSVC)
The easiest way to build the library is by using the Makefile.
To build unit tests, use this command:
make test
To build the binary libraries, use this command:
make release
Add the following line to your Cargo.toml:
c2pa = "<VERSION_NUMBER>"
Where <VERSION_NUMBER> is the latest version of the crate as shown on crates.io.
We welcome contributions to this project. For information on contributing, providing feedback, and about ongoing work, see Contributing. For additional information on testing, see Contributing to the project.
The c2pa crate is distributed under the terms of both the MIT license and the Apache License (Version 2.0).
Some components and dependent crates are licensed under different terms; please check their licenses for details.