
C2PA Next.js Integration: Sign Every Upload in 12 Lines
Definition: The Original Pictures Next.js integration wraps the signing API in a server route so developers can add C2PA manifest generation, identity assertion, watermarking, and anchoring to any upload handler without exposing API keys to the client.
TL;DR: In the Next.js App Router, a server route receives an upload, streams it to the signing API, and returns a manifest URL, with the API key living only on the server. The core is about a dozen lines of TypeScript.
Why server-side signing
Calling the signing API from the browser would expose your API key in DevTools. A server route keeps the key in the server environment: the client sends bytes, the server signs, the client gets back a manifest URL and verify link. That separation is the whole security argument.
The implementation
A POST route reads the form data, validates the file and size, calls the SDK with your producer name, identity assertion, watermark, and anchor flags, and returns the result. The client posts a FormData upload to the route and reads the manifest and verify URLs from the response.
Production hardening
Enforce size limits at the edge; Vercel's default body limit is small, so stream large files directly with a presigned session. Use the file's SHA-256 as an idempotency key to avoid double-charging on retries. Map the SDK's timeout, validation, and rate-limit errors to 504, 422, and 429. Use the Node runtime, not Edge, for crypto.
The incident behind this
The Pentagon hoax of May 2023 is the reminder that generated content needs provenance at the API boundary, before it is distributed, which is exactly where a signing route sits.
Implementation
// app/api/sign/route.ts import { OriginalPictures } from "@originalpictures/sdk"; import { NextRequest, NextResponse } from "next/server"; export async function POST(req: NextRequest) { const form = await req.formData(); const asset = form.get("file") as File; if (!asset || asset.size > 50 * 1024 * 1024) return NextResponse.json( { error: "File required, max 50MB" }, { status: 400 }, ); const op = new OriginalPictures({ apiKey: process.env.OP_API_KEY!, timeout: 30000, }); const result = await op.sign({ asset, producer: (form.get("producer") as string) || "nextjs-app", identity: { type: "cawg.x509.cose" }, watermark: "trustmark", anchor: true, }); return NextResponse.json({ manifest: result.manifest_url, verify: result.verify_url, }); }
FAQ
Does this work with the Pages Router?
Yes. Use a standard API route in pages/api. The SDK is isomorphic.
Can I run it on Vercel Edge?
Use the Node runtime. The SDK needs Node crypto, so set runtime to nodejs, not edge.
Where Original Pictures stands today
Original Pictures ships three things today: a Sign API, a Verify API, and the SDKs that wrap them. One POST /v1/sign attaches a C2PA-format manifest, an invisible TrustMark watermark, and an OpenTimestamps anchor. The open-source verifier checks any of it without calling us.
Two things are on the near roadmap, and we name them as roadmap, not as shipped: C2PA Conformance Program recognition (target Q3 2026, until then our manifests use the published C2PA v2.2 format and any C2PA-aware validator can read them, but third-party validators will show our signer as not-yet-listed), and a consumer capture app (Q3 2026). We do not sell a capture SDK, and we do not claim Trust-List membership we do not yet hold.
Bottom line: A Next.js server route is the most secure, minimal way to add signing to any upload: a dozen lines, no client-side secrets, full marking coverage.
Related
Original Pictures is progressing through the C2PA Conformance Program; our signing certificate is not yet on the official C2PA Trust List. Target: Q3 2026. We will not describe ourselves as "C2PA-certified" until it is true.
Original Pictures provides content-provenance infrastructure. It does not by itself constitute legal compliance with the EU AI Act or any other regime; compliance depends on how you deploy it, your disclosures, and your governance. Figures are drawn from public reporting, verify against primary sources before citing in regulated materials. Nothing here is legal advice.
Last verified 2026-05-25. Author: Mahdi Kazempour, Founder, Original Pictures.