How to Remove C2PA Content Credentials from Any Image (2026)
Published April 12, 2026
C2PA Content Credentials are what trigger Instagram's "Made with AI" label. They are not hidden. They are a deliberately designed standard for declaring AI-generated content, embedded at binary level by Adobe, OpenAI, Microsoft, Google, and others. Understanding exactly where they live in the file makes removing them straightforward.
This guide covers what C2PA is, which byte segments it occupies in JPEG and PNG files, why most metadata removers miss it entirely, and how StripShot strips it at binary level with zero quality loss.
What C2PA Content Credentials are
C2PA stands for Coalition for Content Provenance and Authenticity. It is a technical standard developed by a consortium that includes Adobe, OpenAI, Microsoft, Google, Meta, Intel, Arm, BBC, and Sony. The goal is to create a verifiable chain of custody for digital media: a signed certificate that declares where an image came from, which tool created it, and whether AI was involved.
When an AI generator embeds C2PA credentials, it creates a signed manifest containing a specific set of assertions:
- Generator assertion: Identifies the tool that created the image (e.g., Adobe Firefly, DALL-E 3).
- Signer identity: The cryptographic certificate of the organization that signed the manifest.
- Timestamp: When the image was created and signed.
- Soft binding: A content hash that links the manifest to the specific image pixels.
- Thumbnail: A low-resolution copy of the image embedded inside the credential block.
Adobe, OpenAI, Microsoft, Google, and Meta are all C2PA members. Platforms like Instagram and Facebook read these manifests and surface the contents as the "Made with AI" label.
Where C2PA lives in image files
This is the critical technical detail. C2PA does not live in the same location as EXIF data. Most metadata tools target APP1 (EXIF). C2PA is in APP11. Different byte marker, different position, different spec entirely.
| Format | Location | Detail |
|---|---|---|
| JPEG | APP11 (0xFF 0xEB) | JUMBF container. Completely separate from APP1 (EXIF). Standard EXIF strippers skip it entirely. Instagram still reads it. |
| PNG | caBX / caMs / caSt | Three ancillary chunk types before IDAT. caBX is the binary C2PA box, caMs is the manifest store, caSt is the C2PA store. |
| WebP | XMP packet | C2PA data is embedded inside the XMP packet within the WebP container. |
JPEG segment map:
| Bytes | Segment | Notes |
|---|---|---|
| FF D8 | SOI (start of image) | |
| FF E0 ... | APP0 (JFIF marker) | |
| FF E1 ... | APP1 (EXIF data) | What most strippers target |
| FF EB ... | APP11 (C2PA JUMBF block) | What StripShot removes. Contains: generator assertion, signer cert, timestamp, thumbnail |
| FF DA ... | SOS (actual image data) | Never touched |
Tools that only strip APP1 leave APP11 completely intact. Instagram reads APP11. The label still appears. This is why a dedicated C2PA remover is necessary.
Which AI tools embed C2PA
| Tool | Embeds C2PA | Notes |
|---|---|---|
| Adobe Firefly | Yes | Always embedded. Cannot be disabled in standard Firefly exports. |
| DALL-E 3 / ChatGPT | Yes | Embedded in downloaded images via the ChatGPT image export path. |
| Microsoft Copilot Designer | Yes | Embedded by default. Microsoft is a founding C2PA consortium member. |
| Google ImageFX | Yes | Google joined C2PA and embeds credentials in ImageFX outputs. |
| Stable Diffusion | No | AUTOMATIC1111, ComfyUI, and Forge use PNG text chunks for prompt data, not C2PA. |
| Midjourney | No | Midjourney embeds prompts and seeds in EXIF/XMP but does not embed C2PA. |
| Flux via Replicate | Partial | ComfyUI-based Flux exports may include workflow data but not standard C2PA credentials. |
Why most metadata removers miss C2PA
The problem is that most metadata removal tools were built to handle EXIF data, which lives in the APP1 segment of a JPEG file (byte marker 0xFF 0xE1). They walk the segment chain, find APP1, and remove it. Done.
C2PA is APP11. The byte marker is 0xFF 0xEB. It is a completely different segment, at a different position in the file, under a different specification. A tool has to specifically implement C2PA segment detection to find and remove it. Most do not.
- Standard EXIF tools target 0xFF 0xE1 (APP1). C2PA is 0xFF 0xEB (APP11).
- The JUMBF container inside APP11 requires its own parsing logic.
- PNG C2PA chunks (caBX, caMs, caSt) use proprietary chunk type codes not covered by standard metadata specs.
- Tools that re-encode via the canvas API may strip some metadata, but they also degrade quality and may still preserve some metadata blocks.
StripShot specifically targets 0xEB (APP11) in JPEG files and all three PNG C2PA chunk types: caBX, caMs, and caSt. The implementation reads raw binary, not a re-encoded canvas.
How to remove C2PA at binary level
StripShot processes files as raw binary streams, not canvas re-encodes. Here is exactly what happens:
JPEG: scan APP marker chain
StripShot walks the JPEG segment chain starting from byte 2 (after SOI). It reads each APP marker and identifies the 0xEB byte that signals APP11.
JPEG: identify JUMBF container
Inside APP11, StripShot verifies the JUMBF (JPEG Universal Metadata Box Format) container header. This confirms it is a C2PA block and not an unrelated APP11 segment.
JPEG: strip APP11, reassemble
The APP11 segment is excluded from the output buffer. All other segments (APP0, remaining APP1 if desired, SOS image data) are preserved and reassembled into a valid JPEG.
PNG: scan chunk list
For PNG, StripShot reads the chunk sequence. Any chunk with type code caBX, caMs, or caSt is excluded. IHDR, IDAT, IEND, and all visual data chunks are preserved intact.
Zero pixel modification. The image data is byte-for-byte identical to the original. No JPEG compression is applied. No canvas re-encode. The result is a valid, clean file with the C2PA manifest gone.
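The JPEG marker-chain scan, the JUMBF header check and the PNG chunk scan described above, written as a detection-only audit (an added example, not StripShot's code). The function names, the assumed APP11 box layout and the sample byte strings are constructed for illustration; the samples show that a file with only APP1 removed still reports APP11, and that an unrelated APP11 segment is not flagged.

```python
import struct

PNG_SIG = b"\x89PNG\r\n\x1a\n"
PNG_C2PA_TYPES = {b"caBX", b"caMs", b"caSt"}  # chunk types as listed on this page

def jpeg_segments(data):
    """Yield (marker, offset, payload) for each header segment before SOS."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data) and data[pos] == 0xFF:
        marker = data[pos + 1]
        if marker in (0xDA, 0xD9):  # SOS / EOI: the marker chain ends here
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if length < 2 or pos + 2 + length > len(data):
            raise ValueError(f"corrupt segment length at offset {pos}")
        yield marker, pos, data[pos + 4:pos + 2 + length]
        pos += 2 + length

def is_jumbf_app11(payload):
    # Assumed APP11 box framing: "JP", 2-byte instance number,
    # 4-byte packet sequence, 4-byte box length, 4-byte box type.
    return payload[:2] == b"JP" and payload[12:16] == b"jumb"

def find_c2pa(data):
    """Return [(kind, offset)] for each C2PA-carrying block in a JPEG or PNG."""
    if data.startswith(PNG_SIG):
        hits, pos = [], 8
        while pos + 12 <= len(data):
            (length,) = struct.unpack(">I", data[pos:pos + 4])
            if data[pos + 4:pos + 8] in PNG_C2PA_TYPES:
                hits.append((data[pos + 4:pos + 8].decode(), pos))
            pos += 12 + length  # length + type + data + CRC
        return hits
    return [("APP11/JUMBF", off) for m, off, p in jpeg_segments(data)
            if m == 0xEB and is_jumbf_app11(p)]

def seg(marker, payload):  # build one constructed JPEG segment
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample files (not real images): header segments plus a stub scan.
BOX = b"JP\x00\x01\x00\x00\x00\x01" + struct.pack(">I", 19) + b"jumb" + b"constructed"
APP0, APP1 = seg(0xE0, b"JFIF\x00" + bytes(9)), seg(0xE1, b"Exif\x00\x00" + bytes(11))
TAIL = b"\xff\xda\x00\x02\x12\x34\xff\xd9"
WITH_C2PA = b"\xff\xd8" + APP0 + APP1 + seg(0xEB, BOX) + TAIL
EXIF_STRIPPED = b"\xff\xd8" + APP0 + seg(0xEB, BOX) + TAIL  # output of an APP1-only stripper
OTHER_APP11 = b"\xff\xd8" + APP0 + seg(0xEB, b"unrelated vendor data") + TAIL

if __name__ == "__main__":
    for name in ("WITH_C2PA", "EXIF_STRIPPED", "OTHER_APP11"):
        print(name, find_c2pa(globals()[name]))
```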
Frequently asked questions
Does removing C2PA affect image quality?
No. Binary-level removal strips only the APP11 bytes. The image data (SOS segment onward) is identical. Unlike canvas re-encoding, no JPEG compression is applied.
Will removing C2PA stop the Instagram 'Made with AI' label?
Yes, if C2PA is the trigger. C2PA is the primary signal Instagram reads. If you strip APP11 before uploading, the credential is gone. Note: Instagram also has a visual classifier that may flag images independently of metadata.
Is removing C2PA legal?
Removing metadata from your own images is legal in virtually all jurisdictions. C2PA does not carry copyright protection. You are not altering the image content, only removing provenance data.
Does Stable Diffusion embed C2PA?
No. AUTOMATIC1111, ComfyUI, and Forge embed a PNG text chunk with prompt parameters, not C2PA. DreamStudio (Stability's hosted service) may embed C2PA. StripShot handles both.
How can I tell if my image has C2PA?
Drop it in StripShot. The detection panel shows if C2PA/APP11 is present. Alternatively, use Adobe's Content Credentials Verify tool at verify.contentauthenticity.org.