The open standard for establishing, maintaining, and preserving the authenticity and origin of any digital or physical asset.
No platform dependency. No proprietary tools. No expiration date. A developer can implement it in a day, verification works forever.
AIOSchema is a published open standard under CC-BY 4.0. Reference implementations in Python, TypeScript, Node.js, Go, and Rust. The standard uses its own mechanisms to prove its own provenance, the specification is hashed, signed, and anchored before every release.
{
"core": {
"asset_id": "019c7cb0-...",
"schema_version": "0.5.5",
"creation_timestamp": "2026-03-23T12:00:00Z",
"hash_original": "sha256-abc123...",
"core_fingerprint": "sha256-def456...",
"creator_id": "ed25519-fp-7fcc..."
}
}
Every manifest signed with your institutional key. Cryptographically links content to your organisation's identity.
Legally recognised timestamps under EU eIDAS. Independent of any clock you control. Verifiable by any third party.
Each content revision cryptographically linked to its predecessor. Unbroken chain of custody from creation to present.
Interoperates with the Coalition for Content Provenance and Authenticity standard. Works alongside existing infrastructure.
Open standard, Apache 2.0 reference implementations. Any organisation can verify without your involvement or permission.
No infrastructure to run. No account to create. The entire mechanism fits in a sidecar JSON file that travels with your asset.
Point AIOSchema at any file. It computes a SHA-256 hash of the original content and generates a UUID asset ID. Five fields. Sealed by mathematics at the moment of creation. No server involved.
Sign the manifest with your Ed25519 key to bind it to your identity. Add an RFC 3161 timestamp — legally recognised under EU eIDAS — to prove when it existed. Optionally anchor to Bitcoin via OpenTimestamps.
Anyone can verify the manifest against the asset using the open spec. No account. No vendor. No expiration. The hash either matches or it doesn't. The timestamp either holds or it doesn't. Mathematics does not expire.
EU AI Act Article 50 requires content provenance disclosure for AI-generated material. The enforcement deadline is August 2, 2026. Fines reach up to 6% of global annual turnover. There is no grace period, no opt-out, and no extension currently proposed.
EU AI Act · Article 50 · Transparency obligations
for providers of general-purpose AI systems.
AIOSchema is free, open, and ready to implement today.
Content provenance mandates are not proposals — they are active law in the EU, UK, and advancing across every major jurisdiction. Fines are calculated as a percentage of global revenue. There is no grace period after August 2026.
Requires transparency and provenance documentation for AI-generated content used in high-risk contexts. Applies to all organisations operating in EU member states. Article 50 deadline: August 2026.
Mandates content authenticity measures for platforms and publishers. Ofcom enforcement powers include significant financial penalties and senior manager personal liability.
Voluntary framework transitioning to mandatory obligations for high-impact AI systems. Government and NGO publishers among priority compliance targets from 2025.
Requires federal agencies and contractors to implement content provenance standards. State-level legislation advancing in California, Colorado, and others. California SB 942 now active.
Artificial Intelligence and Data Act establishes impact assessment requirements and transparency obligations for AI systems and AI-generated content across federal jurisdiction.
Every major jurisdiction is moving toward mandatory content provenance. The question is not whether compliance will be required — it is whether your organisation will be ready when it is.
Five reference implementations. One cross-verified conformance suite. Zero proprietary dependencies.
AIOSchema is read in one hour and implemented in one day — whether you are writing code, filing compliance reports, or signing your work.
Five reference implementations across Python, TypeScript, Node.js, Go, and Rust. Copy, adapt, ship. The Core Block is five fields. The spec is designed to be read in under an hour. No registration, no gatekeepers, no vendor calls. Apache 2.0, no strings.
Directly addresses EU AI Act Article 50 and California SB 942 disclosure requirements. RFC 3161 timestamps are legally recognised under EU eIDAS. Every manifest is independently verifiable — no vendor attestation required.
Establish provenance at the moment of creation. No account. No server. No expiration. The cryptographic record is sealed by mathematics — not by a platform that can be acquired, shut down, or paywalled.
The specification is open, the implementations are free, and the standard is ready. Everything you need to establish content provenance is available right now — no account, no licence, no waiting.