Back to Lens

Trust and Credentials

Content Credentials

Lens attaches verifiable capture evidence to every signed photo and video, so viewers can understand where media came from and whether it changed.

What this means

A Content Credential tells people who captured the file, when it was captured, and whether its integrity still holds. It is your evidence trail, not just metadata.

What Lens proves

Each signed capture carries a compact evidence chain. Verification tools can inspect this chain without relying on Lens-specific infrastructure.

Origin

The file was captured in Lens on a specific enrolled device.

Integrity

Edits or tampering become detectable through hash validation.

Trusted time

When available, a TSA timestamp anchors capture time externally.

Capture context

Optional context such as location and app version supports audits.

Protocol stack

Lens uses open standards and hardware-backed signing so credentials remain portable, inspectable, and tamper-evident.

C2PA Manifest

Open provenance standard that packages capture evidence and assertions into an inspectable manifest.

ES256 + Secure Enclave

Hardware-backed signing key generated on-device. The key is non-exportable and bound to your iPhone.

Trusted Timestamp (RFC 3161)

When online, Lens requests an external TSA timestamp to establish trusted capture time in the provenance chain.

NTP Drift Guard

Device time is checked against trusted network sources to prevent spoofed capture times.

SHA-256 Integrity Hash

Hash-based integrity checks make edits or tampering visible to verification tools.

JUMBF Container

Structured metadata container used to embed C2PA manifests directly in media files.

Operational status

Preview is already useful in production capture workflows, with additional trust infrastructure in progress.

Live today

  • Secure Enclave key generation and enrollment
  • Photo signing for JPEG captures
  • Video signing for MOV and MP4 captures
  • Trusted timestamp flow when network conditions allow
  • Guided Trust state signaling in capture UI

In progress and planned

  • C2PA conformance audit
  • CA-verified certificate issuance
  • C2PA trust list inclusion

How users read credentials

Lens follows progressive disclosure so users can understand trust quickly and auditors can inspect full detail when required.

  1. L1 signal: Capture HUD indicates credential presence while recording.
  2. L2 summary: Verification surfaces the key assertions and warnings first.
  3. L3 inspection: Full manifest details remain available for legal or forensic review.