
C2PA AWS Integration: Lambda and S3 Signing Pipeline
Definition: The Original Pictures AWS integration uses an S3 event to trigger a Lambda that signs each uploaded object through the API and writes the signed asset to a destination bucket.
TL;DR: Drop a file into an S3 bucket, an event triggers a Lambda, the Lambda calls the signing API, and the signed asset lands in a signed bucket. It is the standard event-driven pattern, applied to provenance.
Event-driven signing
An S3 ObjectCreated event invokes a Lambda for each new object. The Lambda fetches the object, calls the signing API, and writes the signed result to a destination bucket. No polling, no servers to manage, and it scales with upload volume.
Why enterprises use it
Large platforms already run on S3 and Lambda. Slotting signing into that pipeline means provenance is added with infrastructure the team already operates, and IAM roles keep the API key out of application code via Secrets Manager.
Throughput and cost
Lambda concurrency scales to spikes, and signing batches the timestamp step, so high-volume buckets sign at line rate. Anchoring aggregates daily, keeping per-object cost negligible.
Implementation
import boto3, urllib3, os http = urllib3.PoolManager() s3 = boto3.client('s3') def handler(event, _ctx): for rec in event['Records']: b, k = rec['s3']['bucket']['name'], rec['s3']['object']['key'] obj = s3.get_object(Bucket=b, Key=k)['Body'].read() r = http.request('POST', 'https://api.originalpictures.com/v1/sign', headers={'Authorization': f"Bearer {os.environ['OP_API_KEY']}"}, fields={'asset': (k, obj), 'watermark': 'trustmark', 'anchor': 'true'}) s3.put_object(Bucket=f'{b}-signed', Key=k, Body=r.data)
FAQ
Where does the API key live?
In AWS Secrets Manager, read by the Lambda execution role. It never sits in code or environment files in the repo.
Where Original Pictures stands today
Original Pictures ships three things today: a Sign API, a Verify API, and the SDKs that wrap them. One POST /v1/sign attaches a C2PA-format manifest, an invisible TrustMark watermark, and an OpenTimestamps anchor. The open-source verifier checks any of it without calling us.
Two things are on the near roadmap, and we name them as roadmap, not as shipped: C2PA Conformance Program recognition (target Q3 2026, until then our manifests use the published C2PA v2.2 format and any C2PA-aware validator can read them, but third-party validators will show our signer as not-yet-listed), and a consumer capture app (Q3 2026). We do not sell a capture SDK, and we do not claim Trust-List membership we do not yet hold.
Bottom line: Use an S3 event to trigger a Lambda that signs each object, adding provenance with the event-driven infrastructure your team already runs.
Related
Original Pictures is progressing through the C2PA Conformance Program; our signing certificate is not yet on the official C2PA Trust List. Target: Q3 2026. We will not describe ourselves as "C2PA-certified" until it is true.
Original Pictures provides content-provenance infrastructure. It does not by itself constitute legal compliance with the EU AI Act or any other regime; compliance depends on how you deploy it, your disclosures, and your governance. Figures are drawn from public reporting, verify against primary sources before citing in regulated materials. Nothing here is legal advice.
Last verified 2026-05-25. Author: Mahdi Kazempour, Founder, Original Pictures.