Original Pictures
React Native mobile capture and signing

C2PA React Native: Mobile Capture and Sign

Definition: The Original Pictures React Native integration lets a mobile app attach platform integrity signals to captured media and submit it for server co-signing, so mobile content carries provenance.

TL;DR: A React Native module gathers platform attestation (Play Integrity on Android, App Attest on iOS) and submits captured media for server signing. Full hardware-backed capture, with device keys and sensor binding, ships with the Q3 2026 capture app rather than as an SDK sold today.

What you can do in-app today

A React Native app can capture media, attach platform integrity attestation, and POST to the signing API for server co-signing, returning a manifest and verify URL. That covers mobile upload flows where the server establishes provenance.

Attestation signals

Play Integrity and App Attest let the server check that a submission came from a genuine app on a genuine device, helping detect emulators and replay. The signed receipt records that check alongside the manifest.

Hardware capture is Q3 2026

Device-key signing and sensor binding (GPS, IMU, barometer) at the moment of capture belong to the Original Pictures capture app on the Q3 2026 roadmap. Until then, the React Native path is capture-then-attest-then-server-sign, not an on-device hardware SDK.

Implementation

import { sign } from "@originalpictures/react-native";

const result = await sign({
  uri: photo.uri,
  attestation: await getPlatformIntegrityToken(), // Play Integrity / App Attest
  producer: "my-app",
  watermark: "trustmark",
  anchor: true,
});
console.log(result.manifest_url, result.verify_url);

FAQ

Is this a hardware-backed capture SDK?

Not today. Today it is capture plus platform attestation plus server signing. Hardware-backed capture with device keys ships with the Q3 2026 capture app.

Where Original Pictures stands today

Original Pictures ships three things today: a Sign API, a Verify API, and the SDKs that wrap them. One POST /v1/sign attaches a C2PA-format manifest, an invisible TrustMark watermark, and an OpenTimestamps anchor. The open-source verifier checks any of it without calling us.

Two things are on the near roadmap, and we name them as roadmap, not as shipped: C2PA Conformance Program recognition (target Q3 2026, until then our manifests use the published C2PA v2.2 format and any C2PA-aware validator can read them, but third-party validators will show our signer as not-yet-listed), and a consumer capture app (Q3 2026). We do not sell a capture SDK, and we do not claim Trust-List membership we do not yet hold.

Bottom line: Use the React Native path to attach attestation and server-sign mobile media now; add hardware-backed capture when the capture app ships in Q3 2026.

Related


Original Pictures is progressing through the C2PA Conformance Program; our signing certificate is not yet on the official C2PA Trust List. Target: Q3 2026. We will not describe ourselves as "C2PA-certified" until it is true.

Original Pictures provides content-provenance infrastructure. It does not by itself constitute legal compliance with the EU AI Act or any other regime; compliance depends on how you deploy it, your disclosures, and your governance. Figures are drawn from public reporting, verify against primary sources before citing in regulated materials. Nothing here is legal advice.

Last verified 2026-05-25. Author: Mahdi Kazempour, Founder, Original Pictures.