# Verifieddit Help / FAQ

> Frequently asked questions about C2PA content credential verification on verifieddit.com.

## What is C2PA?

The **Coalition for Content Provenance and Authenticity** (C2PA) is the open technical standard for cryptographic content credentials. A C2PA credential is a signed manifest embedded in a media file that declares:

- What capture or creation tool produced the file (camera, AI generator, editor)
- Who signed it
- What ingredients (source assets) were used
- Whether AI generation was involved
- When the signature was applied

Verifieddit reads these credentials in your browser and validates the signature against a trust list of known certificate authorities.

## Is my file uploaded anywhere?

**No.** All cryptographic verification happens in WebAssembly inside your browser. The file never leaves your device.

The only exception: if you opt in to **AI content detection** for images that have no C2PA credentials, the image hash and (for some checks) the image bytes are sent to our server-side AI detector. This is opt-in per session.

## What does each badge state mean?

See the [full glossary](/c2pa-glossary.md) for the long form. Short version:

- **Trusted (green)** — signed by a known issuer, content unchanged since signing
- **Valid (amber)** — signed and unchanged, but the signer is not in the trust list
- **Invalid (red)** — signed but the content has been changed since signing
- **Unsigned (grey)** — no C2PA credentials at all

## Why does my photo from my Google Pixel show as "Valid" instead of "Trusted"?

Because Google Pixel devices currently self-sign their C2PA credentials. The signature is cryptographically valid and the photo has not been modified since the camera captured it — but Google's self-signed certificate is not in the current trust list, so the signer's identity cannot be independently verified.

This is expected and common with modern capture devices. The photo is genuinely from the device that signed it.

## What about videos? What codecs are supported?

Verifieddit reads C2PA credentials from MP4, MOV, AVI, and WebM containers. The browser also needs to be able to decode the video to extract metadata (duration, dimensions, codecs). If the browser cannot decode the video — HEVC on non-Apple, AV1 on older browsers, exotic codecs — verification will time out at 20 seconds with a "codec may be unsupported" message.

## How do I share a verification result?

After verifying a file, click **Share Badge**. You get:

- A PNG badge showing the verdict, filename, hash, signer, and a QR code
- HTML + Markdown embed snippets
- A permanent `ddit.wtf/<id>` short URL (requires sign-in for a permalink, otherwise the badge is preview-only)
- A signed proof page at `verifieddit.com/proof/<uuid>` with the full verification record

## Does Verifieddit issue C2PA credentials?

**No.** Verifieddit only verifies. Content credential issuing at scale — for publishers, content platforms, EU AI Act compliance — happens at the paired enterprise domain [trusteddit.com](https://trusteddit.com/?utm_source=verifieddit&utm_medium=help-md&utm_campaign=issuing).

## Is the source code open?

Yes — MIT licensed at [github.com/Sanmarcsoft/verifieddit-www](https://github.com/Sanmarcsoft/verifieddit-www).

## Who runs this?

[SanMarcSoft](https://sanmarcsoft.com) — based in Vienna, Austria; EU jurisdiction. See [/privacy](/privacy) and [/gdpr](/gdpr) for data handling.