Compliance proxy for AI-generated media with C2PA watermarking and audit trails

Project description

synth-provenance-api

A compliance proxy for synthetic media generation—automatically inject C2PA credentials, watermarks, and audit trails into AI video/image APIs.

What is this?

synth-provenance-api is a FastAPI middleware that sits between your application and AI generation models (Replicate, HuggingFace, local deployments), transparently adding legal compliance and provenance metadata. It addresses the critical gap between rapid synthetic media adoption and EU AI Act Annex III enforcement (Q3 2026) by ensuring every generated image/video carries cryptographically signed content credentials, visible/invisible watermarks, and immutable audit trails.

Works as a drop-in HTTP proxy—no model retraining or client code changes required.

Features

  • C2PA Content Credentials – Cryptographically signed provenance metadata (model info, generation parameters, timestamp)
  • Dual Watermarking – Configurable visible overlays + invisible (LSB/DCT) watermarks resistant to compression
  • Audit Trail – SQLite-backed logging of all generations (user, prompt, model, timestamp, outputs) with retention policies
  • Multi-Provider Support – Proxy requests to Replicate, HuggingFace, or self-hosted models via single API
  • Role-Based Access Control – API tokens with scoped permissions (generate, audit, admin)
  • Compliance Reports – Export audit logs and watermark verification proofs as PDF for legal teams
  • Production-Ready – Docker deployment, database migrations (Alembic), middleware security, error handling

Quick Start

Installation

# Clone the repository
git clone https://github.com/yourusername/synth-provenance-api.git
cd synth-provenance-api

# Create virtual environment
python -m venv venv
source venv/bin/activate  # or `venv\Scripts\activate` on Windows

# Install the project and its dependencies (declared in pyproject.toml)
pip install .

# Copy environment template and configure
cp .env.example .env
# Edit .env with your API keys (Replicate, HuggingFace, C2PA signing cert)

Docker Deployment

docker build -t synth-provenance-api .
docker run -p 8000:8000 --env-file .env synth-provenance-api

Database Setup

# Run migrations
alembic upgrade head

Usage

Generate image with automatic watermarking & credentials

curl -X POST http://localhost:8000/api/generate \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{
    "prompt": "a serene landscape at sunset",
    "model": "replicate:stability-ai/sdxl",
    "watermark_type": "visible",
    "watermark_opacity": 0.15
  }'

Response:

{
  "id": "gen_abc123xyz",
  "output_url": "https://cdn.example.com/output.png",
  "c2pa_manifest": "eyJjbGFpbXMiOiBbeyJ0eXBlIjogIm1vZGVsIn1dLCJ0aW1lc3RhbXAiOiAiMjAyNC0wMi0xNVQxMDozMDoxNloifQ==",
  "watermark_embedded": true,
  "audit_id": "audit_def456"
}

Query audit trail

curl -X GET "http://localhost:8000/api/audit?user_id=user_123&limit=50" \
  -H "Authorization: Bearer YOUR_API_TOKEN"
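
One way to make a SQLite audit log tamper-evident is to chain each row to the hash of the previous one. This is an added example, not code from this project: the table layout, the function names and the `output_sha256` field are assumptions, and the records are constructed.

```python
import hashlib
import json
import sqlite3

GENESIS = "0" * 64  # previous-hash value used for the first row

def open_log(path=":memory:"):
    db = sqlite3.connect(path)
    db.execute(
        "CREATE TABLE IF NOT EXISTS audit ("
        "id INTEGER PRIMARY KEY AUTOINCREMENT, record TEXT NOT NULL, "
        "prev_hash TEXT NOT NULL, row_hash TEXT NOT NULL)"
    )
    return db

def chain_digest(prev_hash, record_json):
    return hashlib.sha256((prev_hash + "\n" + record_json).encode()).hexdigest()

def append(db, user, prompt, model, timestamp, output_sha256):
    """Append one generation record, bound to the hash of the row before it."""
    record = json.dumps(
        {"user": user, "prompt": prompt, "model": model,
         "timestamp": timestamp, "output_sha256": output_sha256},
        sort_keys=True, separators=(",", ":"),  # canonical form, so the hash is stable
    )
    last = db.execute("SELECT row_hash FROM audit ORDER BY id DESC LIMIT 1").fetchone()
    prev_hash = last[0] if last else GENESIS
    row_hash = chain_digest(prev_hash, record)
    db.execute("INSERT INTO audit (record, prev_hash, row_hash) VALUES (?, ?, ?)",
               (record, prev_hash, row_hash))
    db.commit()
    return row_hash

def verify(db):
    """Return (first_bad_row_id or None, head_hash).

    The head hash must be compared with a copy kept outside the database:
    the chain alone cannot reveal that the newest rows were deleted.
    """
    prev = GENESIS
    rows = db.execute("SELECT id, record, prev_hash, row_hash FROM audit ORDER BY id")
    for row_id, record, prev_hash, row_hash in rows:
        if prev_hash != prev or row_hash != chain_digest(prev, record):
            return row_id, prev
        prev = row_hash
    return None, prev
```

Retention pruning that deletes old rows has to store the hash of the last deleted row as the new starting point, otherwise verification fails at the first surviving row.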

Export compliance report

curl -X POST http://localhost:8000/api/admin/export-report \
  -H "Authorization: Bearer ADMIN_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{"start_date": "2024-01-01", "end_date": "2024-02-15"}' \
  --output compliance_report.pdf

Tech Stack

  • Framework – FastAPI (async, OpenAPI docs)
  • Database – SQLite + Alembic (migrations)
  • Watermarking – OpenCV, Pillow (visible & invisible)
  • C2PA – c2pa-python library (content credentials)
  • Auth – JWT tokens with role-based scopes
  • Deployment – Docker, environment-based config
  • Testing – pytest (see tests/)
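
How scoped JWT checks can gate the three endpoints shown under Usage, as an added example that is not this project's code. It assumes HS256 signing, a `scopes` claim holding a list, and the route-to-scope mapping below; `issue_token` exists only to build constructed sample tokens.

```python
import base64, hashlib, hmac, json, time

# Assumed mapping of the endpoints shown above to the three scopes the page names.
REQUIRED_SCOPE = {
    ("POST", "/api/generate"): "generate",
    ("GET", "/api/audit"): "audit",
    ("POST", "/api/admin/export-report"): "admin",
}

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def issue_token(secret, subject, scopes, ttl=900, now=None):
    """Mint an HS256 token (used here only to build constructed sample input)."""
    now = int(time.time()) if now is None else now
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = b64url_encode(json.dumps({"sub": subject, "scopes": scopes, "exp": now + ttl}).encode())
    sig = hmac.new(secret, f"{header}.{claims}".encode(), hashlib.sha256).digest()
    return f"{header}.{claims}.{b64url_encode(sig)}"

def authorize(secret, token, method, path, now=None):
    """Return (allowed, reason). Any parsing or policy failure denies the request."""
    required = REQUIRED_SCOPE.get((method, path))
    if required is None:
        return False, "no policy for route"
    try:
        header_b64, claims_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never accept the header's choice
            return False, "unexpected alg"
        expected = hmac.new(secret, f"{header_b64}.{claims_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
            return False, "bad signature"
        claims = json.loads(b64url_decode(claims_b64))
    except (ValueError, TypeError, AttributeError):
        return False, "malformed token"
    now = int(time.time()) if now is None else now
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, int) or exp <= now:
        return False, "expired or missing exp"
    scopes = claims.get("scopes")
    if not isinstance(scopes, list) or required not in scopes:
        return False, f"missing scope {required}"
    return True, "ok"
```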

Configuration

All configuration via .env:

# API Keys
REPLICATE_API_KEY=your_key
HUGGINGFACE_API_KEY=your_key

# C2PA Signing
C2PA_PRIVATE_KEY_PATH=/etc/certs/private.pem
C2PA_CERT_PATH=/etc/certs/cert.pem

# Database
DATABASE_URL=sqlite:///./data/audit.db

# Watermark Defaults
WATERMARK_TEXT="Generated by AI - See credentials"
WATERMARK_OPACITY=0.12

# Audit Retention (days)
AUDIT_RETENTION_DAYS=365

License

MIT


Questions? Check OVERVIEW.md for architecture details or open an issue.

Download files

Source Distribution

synth_provenance_api-0.1.0.tar.gz (16.0 kB)

Uploaded Source

Built Distribution

synth_provenance_api-0.1.0-py3-none-any.whl (18.5 kB)

Uploaded Python 3

File details

Details for the file synth_provenance_api-0.1.0.tar.gz.

File metadata

  • Download URL: synth_provenance_api-0.1.0.tar.gz
  • Size: 16.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.9.25

File hashes

Hashes for synth_provenance_api-0.1.0.tar.gz
Algorithm Hash digest
SHA256 ff05ce41418e4dcbcc6ed66cdc04b81439aaf31107d29242507e334dc86a02b3
MD5 8cffc0861eb2a60c729479fc8fd32729
BLAKE2b-256 8585e1440bd58153dbc017c122cc11c0437a5ab4f0f49707f530edfca25f4f0e

File details

Details for the file synth_provenance_api-0.1.0-py3-none-any.whl.

File hashes

Hashes for synth_provenance_api-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 4540320f4c85e6bc3eff8389cb7dcf4a0d47e243645b36df6e0411d93356a509
MD5 8fe8fbb1d6e082b2be7bed551ca747ba
BLAKE2b-256 3155e1e19f39d524a5a27245f312626e42c5aa4302dc28ad149fb3ffa0fd5c03
