Original Pictures
Cloudflare Worker signing at the edge

C2PA Cloudflare Integration: Edge Signing with Workers

Definition: The Original Pictures Cloudflare integration runs a Worker that calls the signing API at the edge and works alongside Cloudflare's manifest-preserving image pipeline.

TL;DR: Cloudflare serves a large share of web traffic and preserves C2PA through transforms. A Worker that signs at the edge, or forwards to origin signing, plus Cloudflare's preservation gives sign-then-serve provenance with no manifest loss.

Sign at the edge

A Cloudflare Worker can intercept an upload or image request, call the signing API, and return the signed asset. This pushes signing close to the user and keeps origin servers simple, useful for image-heavy sites.

Preserve through transforms

Cloudflare's image pipeline keeps C2PA metadata through resizing and format changes rather than stripping it. Pairing edge signing or origin signing with that preservation means the manifest survives optimization end to end.

Origin plus edge

Sign at the origin for full identity and anchor support, then let Cloudflare preserve the manifest through delivery. The Worker handles edge cases like late signing or verification badges.

Implementation

export default {
  async fetch(req, env) {
    const form = await req.formData();
    const res = await fetch("https://api.originalpictures.com/v1/sign", {
      method: "POST",
      headers: { Authorization: `Bearer ${env.OP_API_KEY}` },
      body: form,
    });
    return new Response(res.body, { headers: res.headers });
  },
};

FAQ

Does Cloudflare strip my manifest?

No. Cloudflare's image transforms preserve C2PA metadata, which is why edge or origin signing plus Cloudflare delivery keeps provenance intact.

Where Original Pictures stands today

Original Pictures ships three things today: a Sign API, a Verify API, and the SDKs that wrap them. One POST /v1/sign attaches a C2PA-format manifest, an invisible TrustMark watermark, and an OpenTimestamps anchor. The open-source verifier checks any of it without calling us.

Two things are on the near roadmap, and we name them as roadmap, not as shipped: C2PA Conformance Program recognition (target Q3 2026, until then our manifests use the published C2PA v2.2 format and any C2PA-aware validator can read them, but third-party validators will show our signer as not-yet-listed), and a consumer capture app (Q3 2026). We do not sell a capture SDK, and we do not claim Trust-List membership we do not yet hold.

Bottom line: Run a Worker to sign at the edge or forward to origin signing, and rely on Cloudflare's preservation so the manifest survives delivery.

Related


Original Pictures is progressing through the C2PA Conformance Program; our signing certificate is not yet on the official C2PA Trust List. Target: Q3 2026. We will not describe ourselves as "C2PA-certified" until it is true.

Original Pictures provides content-provenance infrastructure. It does not by itself constitute legal compliance with the EU AI Act or any other regime; compliance depends on how you deploy it, your disclosures, and your governance. Figures are drawn from public reporting, verify against primary sources before citing in regulated materials. Nothing here is legal advice.

Last verified 2026-05-25. Author: Mahdi Kazempour, Founder, Original Pictures.