Sign an asset with a C2PA manifest
Embeds a C2PA manifest into a digital asset and signs it using a server-side cryptographic key. The asset is processed using memory-efficient streaming to temporary storage before signing.
This operation cryptographically links the asset to its provenance information, creating an immutable record of the asset's origin, authorship, and any processing history.
API Key provided by Que. Obtain your key from the developer dashboard.
In: header
The asset to sign, signing mode, manifest content, and optional processing limits.
A reference to a digital asset, either stored in S3 or accessible via URL. Files are streamed efficiently to temporary storage during processing to minimize memory usage.
An asset located in an S3 bucket that the Que service has access to. The service will stream the file from S3 to temporary storage during processing.
The name of the S3 bucket.
The object key (path) within the S3 bucket.
An asset accessible via HTTP/HTTPS URL. The URL must be enabled via the ALLOW_URL_ASSETS environment variable. The service will stream the file to temporary storage during processing.
The HTTP/HTTPS URL of the asset. Must be publicly accessible.
uriThe signing mode to use.
server_measure: The server streams the asset, calculates its hash, and embeds the manifest. Requiresmanifest_json. This is the primary signing mode.client_hash: The client provides the asset hash directly for offline signing. (Not yet implemented).
"server_measure" | "client_hash"JSON string containing the manifest to embed in the asset as a C2PA claim. This defines the provenance information and assertions about the asset. Required when mode is server_measure.
Configuration to add a CAWG identity assertion during signing. Presence of this object enables CAWG.
Whether to allow HTTP (non-HTTPS) URLs for remote manifest resources. Disabled by default for security.
falseOptional limits for processing operations to prevent resource exhaustion. These limits apply to the streaming and processing phases of asset handling.
Response Body
const body = JSON.stringify({ "asset": { "bucket": "que-assets-dev", "key": "uploads/photo.jpg" }, "mode": "server_measure", "manifest_json": "{\"title\":\"Original Photograph\",\"assertions\":[{\"label\":\"stds.schema-org.CreativeWork\",\"data\":{\"@context\":\"https://schema.org\",\"@type\":\"CreativeWork\",\"author\":[{\"@type\":\"Person\",\"name\":\"Jane Photographer\"}]}}]}"})fetch("https://dev-api.addque.org/v1/sign", { method: "POST", headers: { "Content-Type": "application/json" }, body}){
"assurance": "server_measured",
"evidence": {
"signer": "env_dev",
"alg": "ES256"
},
"asset_s3_uri": "s3://Que-signed-assets/uuid/signed.jpg"
}{
"type": "about:blank",
"title": "bad_request",
"status": 400,
"code": "bad_request",
"detail": "manifest_json is required when mode=server_measure"
}{
"type": "about:blank",
"title": "unauthorized",
"status": 401,
"code": "unauthorized",
"detail": "invalid API key"
}{
"type": "about:blank",
"title": "forbidden",
"status": 403,
"code": "forbidden",
"detail": "you do not have permission to perform this action"
}{
"type": "about:blank",
"title": "root operation failed",
"status": 422,
"code": "engine_c2pa",
"detail": "Unsupported manifest format"
}{
"type": "about:blank",
"title": "rate_limited",
"status": 429,
"code": "rate_limited",
"detail": "try again in 5000 ms",
"details": {
"try_again_in_ms": 5000
}
}{
"type": "about:blank",
"title": "internal_error",
"status": 500,
"code": "internal_error",
"detail": "unexpected panic in verification engine"
}