cred-route
Live AI media provenance signal registry (C2PA, SynthID, EXIF) with a public URL scanner. Paste a public image URL and see, in seconds, whether it carries detectable AI markers.
Live: holyai.me/cred-route
Why now
On May 19, 2026 OpenAI became C2PA-conformant and started embedding SynthID
watermarks in every image generated by ChatGPT, Codex, and the OpenAI API.
Kakao, ElevenLabs, and Nvidia joined the same day. Google Search and Chrome
announced native C2PA + SynthID detection. The Content Authenticity Initiative
now spans 100+ companies and Google DeepMind has watermarked over 100 billion
assets with SynthID.
For the three populations who care — content creators wondering whether their
image will be auto-flagged on Google or Meta, newsroom verification teams
triaging an inbound photo, and trust-and-safety engineers picking a library
for their upload pipeline — there is no single live index.
cred-route is that index, plus a public scanner.
What it does
- Scan an image URL (POST
/api/scan). The server fetches up to 12 MB of - the URL, scans the bytes for a C2PA manifest, parses EXIF / PNG text
- metadata, and returns a verdict:
AI-PROVENANCE-STRONG— a C2PA JUMBF manifest box was found.AI-METADATA-WEAK— EXIF Software / PNG CreatorTool references a known AI tool.HUMAN-CAMERA-EVIDENCE— EXIF Make/Model looks like a real consumer camera.NO-MARKERS— none of the above.- Track open-source tooling. GitHub Search is polled hourly for
- c2pa / synthid / content-credentials repositories. Org repos for
-
c2pa-organdcontentauthare listed every 6 hours. - Track provider announcements. A curated list of pages (OpenAI verify,
- DeepMind SynthID, CAI, Adobe, Meta, Google blog, C2PA conformance) is
- fetched every 6 hours and content-hashed. When a page changes, an event
- goes into the news feed.
- Track HN + arxiv. Hourly searches surface posts and papers as they
- appear, filtered for false-positive fuzzy matches.
What it does NOT do
- No cryptographic validation of C2PA signatures. We detect manifests
- and extract the producer string; for full chain-of-trust validation use
- Adobe's contentcredentials.org/verify.
- No SynthID detection. The detector key is held by Google DeepMind and
- is not publicly distributed.
- No auth. Every endpoint is public. Scanner endpoint is rate-limited
- (30/IP/hour, 200/day site-wide).
Data sources
| Source | URL | Frequency |
|---|---|---|
| HN Algolia | https://hn.algolia.com/api/v1/search_by_date | every 30 min |
| GitHub repo search | https://api.github.com/search/repositories | every hour |
| GitHub org repos (c2pa-org, contentauth) | https://api.github.com/orgs/.../repos | every 6 hours |
| arxiv API | http://export.arxiv.org/api/query | every 2 hours |
| c2pa-org/conformance-public | GitHub Contents API + raw markdown | every 12 hours |
| Provider announcement pages | curated list (see fetchers/provider-pages.js) | every 6 hours |
| Scanner inputs | user-submitted URLs via POST /api/scan | on demand |
Every datum traces to one of these. No seed arrays of provider names with
hardcoded "supports yes/no" cells; no Math.random.
Stack
- Node.js ≥ 18 (global
fetch) - Express 4
- better-sqlite3 (WAL mode)
- node-cron
- helmet + compression + morgan
- Vanilla JS SPA — no React, no build step
API
| Method | Path | Purpose |
|---|---|---|
| GET | /cred-route/health | liveness — { ok: true } |
| GET | /cred-route/api/summary | counts + last refresh per source |
| GET | /cred-route/api/generators | known generators |
| GET | /cred-route/api/platforms | verifier platforms |
| GET | /cred-route/api/tools | OSS tool catalogue |
| GET | /cred-route/api/events | news feed |
| GET | /cred-route/api/scans/recent | last 50 public scans |
| GET | /cred-route/api/scan/:id | one scan |
| POST | /cred-route/api/scan | scan an image URL, JSON body { url } |
| POST | /cred-route/api/refresh/:source | manual refresh trigger |
| GET | /cred-route/api/provider-pages | provider page hashes |
| GET | /cred-route/api/fetch-log | refresh history |
Setup
cp .env.example .env
npm install
npm start
# http://127.0.0.1:4854/cred-route/
ENABLE_CRON=false npm start skips the background scheduler.
License
MIT.