AI Metadata RemoverAI Metadata RemoverFree · 100% local · lossless

How AI Image Watermarking Actually Works: C2PA, SynthID and Pixel-Level Marks

June 12, 2026 · 8 min read

When people hear "AI image watermark," most of them picture a logo stamped in a corner. That's one version of it — and honestly, it's the least interesting one. The systems that actually decide whether Instagram slaps an "AI info" label on your photo, or whether a newsroom can trace an image back to DALL-E, work in completely different ways. Some live in the file's metadata. Some live in the pixels themselves. And they have wildly different answers to the question everyone eventually asks: can this be removed?

I keep seeing these three technologies lumped together in coverage as if they were interchangeable, and they really aren't. So let's take them apart one at a time.

The three approaches at a glance

Every AI-marking scheme in use today falls into one of three buckets:

  • Metadata-attached provenance — a signed record travelling inside the file, next to the pixels. C2PA Content Credentials are the flagship example.
  • Invisible pixel-domain watermarks — a statistical pattern woven into the pixel values themselves. Google's SynthID is the best-known.
  • Visible marks and labels — anything a human can see: the old DALL-E colored bar, or a platform badge that says "Made with AI".

Each one makes a different trade-off between robustness, privacy and verifiability. None of them is "the" AI watermark.

C2PA manifests: provenance that rides along in the metadata

C2PA — the Coalition for Content Provenance and Authenticity — is the standards effort backed by Adobe, Google, Microsoft, OpenAI, Meta, the BBC and Sony, among others. When a C2PA-aware tool creates or edits an image, it embeds a manifest: a structured, cryptographically signed record stored in a dedicated container (a JUMBF box, if you want the spec term) inside the JPEG or PNG. The manifest says things like "this image was generated by DALL-E 3 on this date" or "this photo was captured on this camera and then cropped in Photoshop," and each claim is signed with a certificate so tampering is detectable. The full spec lives at c2pa.org, and we've written a longer deep dive on C2PA and Content Credentials if you want the byte-level details.

The signing is genuinely clever. You can't forge a valid manifest claiming an image came from OpenAI, because you don't have OpenAI's signing key. If someone edits the pixels and leaves the old manifest in place, verification fails, because the manifest contains a hash of the image data.

But here's the part most guides get wrong, or quietly skip: the manifest lives in metadata, not in the pixels. It's a passenger, not part of the image. Any tool that rewrites the file without the metadata — including our own AI photo metadata remover, but also plenty of ordinary image pipelines that were never designed with C2PA in mind — leaves you with a perfectly ordinary image and no manifest at all. Re-saving in some editors does it. Uploading to many platforms does it. A screenshot obviously does it.

C2PA can prove where an image came from. It cannot prove where an image didn't come from. A missing manifest is not evidence of anything.

The C2PA designers know this, which is why the spec talks about "durable" Content Credentials — pairing the manifest with a watermark or a fingerprint lookup so the provenance can be re-attached later. But as shipped in most tools today, the manifest alone is exactly as removable as any other metadata block.

SynthID: the watermark you can't see and can't strip

Google's approach, developed at DeepMind, goes the other direction entirely. SynthID doesn't attach anything to the file. Instead, it makes tiny, coordinated adjustments to pixel values across the whole image — changes calibrated to be invisible to the human eye but detectable by a paired classifier model. Google embeds it in images from Imagen and Gemini, and has extended the same idea to audio, video and text.

Because the signal is spread through the image content itself, it survives things that would obliterate metadata: JPEG compression, resizing, moderate cropping, color filters, even a screenshot. That's the whole point. And it means something worth stating plainly, since we run a metadata-removal site: no metadata tool — ours included — can remove SynthID. Stripping EXIF, XMP and C2PA data from a Gemini-generated image does nothing to the watermark, because the watermark isn't in any of those places. It's in the picture.

SynthID has its own limitations, though, and they're mirror images of C2PA's. There's no public verifier you can point at an arbitrary image; detection requires Google's own detector, which it exposes through its products and to select partners. Detection is probabilistic, not a certainty — heavy editing, extreme crops or aggressive re-generation can degrade the signal until the detector shrugs. And it only marks content from Google's models. A SynthID check can't tell you anything about an image from Midjourney, because Midjourney never embedded one.

So where C2PA is open, inspectable by anyone, and fragile, SynthID is closed, verifiable by almost no one, and robust. Pick your poison.

Visible marks: the colored bar and the platform label

The third category is the oldest and simplest. Early DALL-E images shipped with a signature strip of five colored squares in the bottom-right corner — yellow, turquoise, green, red, blue. It was a nice bit of branding and a terrible watermark: one crop and it's gone. OpenAI made it optional and then moved on; DALL-E 3 output in ChatGPT carries no visible mark at all, relying on C2PA metadata instead.

The modern descendants of the colored bar are platform labels. Meta rolled out "AI info" labels across Facebook, Instagram and Threads starting in 2024, TikTok tags AI-generated content, and YouTube requires creators to disclose realistic synthetic media. These labels are often triggered by the invisible signals — a platform reads the C2PA manifest or an IPTC DigitalSourceType tag on upload and decides to show a badge. But the label itself lives in the platform's database, not in the file. Download the image and the label doesn't come with it. Screenshot the post and you get the label as pixels, which proves nothing to a verifier.

Visible marks are for humans scrolling a feed. They're the only approach a casual viewer will ever actually notice, and the easiest one to fake or remove. Fair enough — that's the job they were built for.

Who uses what, as of mid-2026

The big labs have mostly picked lanes, and the lanes are revealing:

  • OpenAI embeds C2PA manifests in DALL-E and GPT-image output (it started with DALL-E 3 in early 2024), and has been candid that the metadata "can easily be removed either accidentally or intentionally." Credit for the honesty.
  • Google belts-and-braces it: SynthID in the pixels plus IPTC/C2PA-style metadata in the file, across Imagen, Gemini and its consumer products.
  • Adobe attaches Content Credentials to everything Firefly touches and builds C2PA reading and writing into Photoshop and Lightroom.
  • Meta mostly consumes rather than produces: it reads C2PA and IPTC signals on upload and converts them into visible "AI info" labels on the post.
  • Microsoft signs Bing Image Creator and Designer output with C2PA manifests.

There's also a regulatory push behind all of this. The EU AI Act's Article 50 transparency obligations — which require providers to mark AI-generated content in a machine-readable way — become applicable on August 2, 2026, which is a large part of why every major lab suddenly cares about about watermarking at the same time.

Side by side: what survives what

This is the comparison that actually matters when you're reasoning about a specific image:

ApproachWhere it livesSurvives metadata stripping?Survives screenshots?Who can verify it
C2PA manifestMetadata container inside the fileNo — removed entirelyNoAnyone, with open tools
IPTC AI tag (e.g. DigitalSourceType)Metadata field inside the fileNoNoAnyone with a metadata viewer
SynthIDThe pixel values themselvesYes — unaffectedYes, usuallyGoogle and select partners only
Visible mark (old DALL-E bar)Visible pixels in a cornerYesYes, until croppedAny human, unreliably
Platform "AI" labelThe platform's databaseNot in the file at allOnly as pixelsViewers of that platform

Read that middle column carefully. It's the reason no serious person in this field claims metadata-based provenance is tamper-proof, and it's the reason Google spent years on a pixel-domain approach despite also backing C2PA.

What this means in practice

If you're trying to figure out whether an image is AI-generated, check the metadata first — it takes ten seconds in a photo metadata viewer and a valid C2PA manifest is strong positive evidence. Just don't treat an empty result as an all-clear. The image may have been generated by a tool that marks nothing, or the manifest may have been stripped somewhere along the the way, deliberately or by some platform's image pipeline that never gave it a thought.

If you're on the other side of the transaction — you have legitimate reasons to publish an image without broadcasting which tools you used, which account generated it, or when — then know exactly what stripping metadata does and doesn't do. It removes C2PA manifests, IPTC tags, EXIF and XMP blocks completely. It does not touch SynthID or any other pixel-domain watermark, and we'd be lying to you if we said otherwise. For Google-generated images, assume the watermark stays with the picture for its whole life.

The uncomfortable truth of the whole field is that the removable watermark is the one everyone can check, and the durable watermark is the one almost nobody can. Until "durable Content Credentials" actually ship at scale, that's the trade we're all living with.

AI Metadata Remover

See what your image is carrying

Drop a photo into the free viewer and inspect its C2PA, EXIF and XMP data right in your browser.

Open the metadata viewer