Frequently Asked Questions

Everything you need to know about how TrueCapture works.

Example: News Agencies

  • Integrate the SDK with their mobile app
  • A reporter opens the mobile app on site to capture live photos or videos
  • TrueCapture automatically signs photos and videos using the ECDSA key stored securely on the device
  • Signing is designed to work offline, allowing capture in remote locations. The photo or video never leaves the device; all signing happens locally
  • The URL shows Signed by NewsAgencyName — TrueCapture's work happens quietly on the backend, with the frontend completely owned by the Agency
  • The News Agency can verify the authenticity of the captured photo or video immediately
  • Any editing done through C2PA-compliant software such as Adobe adds another link to the Authentic tag, showing Edited by NewsAgencyDesk — brightness, contrast [with edit logs] — to preserve credibility
  • Any attempts to alter the content, such as merging with another file, will break the signature and upon verification show No Data Found
  • Install the Chrome extension in your browser, or open the mobile web app at truecapture.global/sign in Safari or Chrome
  • Capture the photo or video live
  • The file is temporarily sent to TrueCapture servers to digitally sign the file, then returned to you signed as Signed by TrueCapture along with a verification link. No data is stored — the file is deleted from TrueCapture servers immediately
  • Individuals can also fork the project to sign each file themselves and not use TrueCapture servers
  • The verification link can be shared publicly as part of a caption to allow anyone to check the authenticity of the file

We do not collect personal information. When you sign a file, the media is sent to our signing server, cryptographically signed, and returned to you. We store only the file hash and verify link — not the file itself, not your name, not your email, not your IP address.

See our Privacy Policy for more information.

When organisations download an SDK, the file can be signed locally and never leave the device. When individuals use the web app, Web Crypto API restrictions in Safari's security model prevent storing and using a private key reliably across sessions in a web browser.

iOS Safari restricts web pages from reading files from the Downloads or Files app. This is an Apple security restriction we cannot work around in a web browser.

On mobile, use the verify link shared alongside the file — tap it and the verdict loads instantly with no upload needed. Desktop browsers support full file upload verification.

Yes, this is possible in the SDK version. The SDK spec is available on GitHub — the entire SDK can be developed and deployed based on organisational requirements.

ECDSA P-256 is the key algorithm adopted under the globally championed C2PA standard. It is important that this effort is interoperable to ensure widespread usage.

In the SDK, the private key is generated on-device and stored in the device's secure hardware chip (Secure Enclave on iOS, Android Keystore on Android). It never leaves the device. In the web app or Chrome extension, the private key is held securely on TrueCapture's signing server. Files are signed and returned to you immediately. No file content is stored.

Yes, this is possible through the SDK. It is also possible when users fork the project and deploy their own instance. Instructions are available on our GitHub under DEPLOY_YOUR_OWN.md.

It's not possible through a login option at the web app layer because TrueCapture does not have the ability to verify the identity of individuals and institutions across the world, particularly as AI-forgery of static images becomes easier. This is also why TrueCapture only allows signing of live images or videos at the point of capture itself.

Yes — this is exactly why the verify link matters. Share the link in your caption alongside the post. Even if the platform strips the manifest from the file, the link always points back to the original signed record. The proof lives at the link, not in the file copy on social media.

DeDi is a public registry used to store the public key of the signer so that anyone may click on the verification link accompanying each file and check for its authenticity. Read more at DeDi.global.

As AI advances, if an individual is able to install deepfake software on their laptop or mobile such that their face is altered even within a live recording (to impersonate a famous personality or similar), this tool will not be able to detect it. TrueCapture signs live photos and videos — but if the live file itself is compromised at capture time, the tool cannot detect that.

The file's C2PA manifest is self-contained. The public key is on DeDi's decentralised network. Anyone who has the original signed file can verify it independently using any C2PA-compatible tool, even if TrueCapture no longer exists.
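
The sign-then-verify flow these answers describe (an ECDSA P-256 key held by the signer, the public key published in a registry, only the file hash kept on record), as an added example that is not TrueCapture's code and does not parse a real C2PA manifest. The `registry` and `records` maps, the function names, and the "Unknown signer" and "Invalid signature" verdicts are assumptions made for illustration.

```javascript
// Added illustration: a simplified model of hash-plus-signature verification,
// not the C2PA manifest format and not TrueCapture's implementation.
const nodeCrypto = require('node:crypto');

// Hypothetical stand-ins: a public-key registry (the role DeDi plays) and a record store keyed by file hash.
const registry = new Map();
const records = new Map();
const sha256Hex = (bytes) => nodeCrypto.createHash('sha256').update(bytes).digest('hex');

// Generate a P-256 key pair and publish only the public key under the signer's name.
function enrolSigner(name) {
  const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  registry.set(name, publicKey);
  return privateKey; // stays with the signer (device secure hardware in the SDK case)
}

// Sign the capture with ECDSA over SHA-256; keep the hash and signature, never the file.
function signCapture(bytes, signer, privateKey) {
  const hash = sha256Hex(bytes);
  records.set(hash, { signer, signature: nodeCrypto.sign('sha256', bytes, privateKey) });
  return hash; // a verify link would carry this value
}

// Verify a file someone holds: find the record by hash, then check the signature against the registry key.
function verifyCapture(bytes) {
  const record = records.get(sha256Hex(bytes));
  if (!record) return 'No Data Found'; // any changed byte gives a different hash
  const publicKey = registry.get(record.signer);
  if (!publicKey) return 'Unknown signer';
  const ok = nodeCrypto.verify('sha256', bytes, publicKey, record.signature);
  return ok ? `Signed by ${record.signer}` : 'Invalid signature';
}

// Constructed sample input.
const original = Buffer.from('constructed-sample-photo-bytes');
const key = enrolSigner('NewsAgencyName');
signCapture(original, 'NewsAgencyName', key);
const tampered = Buffer.concat([original, Buffer.from('merged-content')]);

// A record that names a registered signer but was signed with a different key is rejected.
const otherKey = nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' }).privateKey;
const forged = Buffer.from('constructed-forged-bytes');
records.set(sha256Hex(forged), { signer: 'NewsAgencyName', signature: nodeCrypto.sign('sha256', forged, otherKey) });

console.log([original, tampered, forged].map(verifyCapture));
```

The hash lookup catches altered content and the signature check catches a record that was not produced by the registered key, so the two checks cover different failures.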

The power of this tool is not in its code as much as it is in the architecture, tech stack, and integrations that CDPI developed to address a critical problem. The tool is available for free — you can download and test it. The code is also open source, so you can review it yourselves before considering it for your organisational requirements.

Feel free to reach out to us at tanushka@cdpi.dev for any queries, collaboration ideas, or bugs!