FAQ

What is AIOSchema?

AIOSchema is an open, technology-agnostic standard for cryptographic content provenance. It provides a minimal metadata layer that proves when something was created, by whom, and that it hasn’t been tampered with. Think of it as a universal digital notary.

How is AIOSchema different from C2PA?

AIOSchema and C2PA are complementary, not competing. C2PA is a comprehensive content authenticity framework with a focus on media pipelines and hardware-rooted trust. AIOSchema is a lightweight provenance layer that can embed inside a C2PA manifest as a custom assertion, or operate independently where C2PA is not available.

Key differences:

• AIOSchema’s Core Block has zero key dependency — Level 1 verification requires no keys, no certificates, no infrastructure
• AIOSchema is designed for implementation in a day, not weeks
• AIOSchema works for any asset type, including physical-to-digital scans and documents
• AIOSchema uses sidecar manifests that survive metadata stripping

What does “implement in one day” mean?

A developer familiar with JSON, SHA-256, and basic cryptography can read the specification in under an hour and produce a working Level 1 implementation (hash verification, canonical JSON, core fingerprint) in a single day. The reference implementations demonstrate this — the standard deliberately uses only widely-available cryptographic primitives.

What are the compliance levels?

• Level 1 — Core: Hash-based integrity verification. No keys required. Valid indefinitely.
• Level 2 — Signed: Level 1 plus Ed25519 digital signatures and creator identity.
• Level 3 — Anchored: Level 2 plus cryptographic timestamping via Bitcoin (OpenTimestamps) or RFC 3161.

Is AIOSchema free to use?

Yes. The specification is licensed under CC-BY 4.0 (attribution required). Reference implementations are Apache 2.0. There are no licensing fees, no royalties, and no vendor lock-in.

What about privacy?

AIOSchema is privacy-preserving by design. The creator_id field is a one-way derivation from a public key — it does not contain or reveal any personal information. No personal data is required in the Core Block. Pseudonymous use is fully supported.

What regulatory requirements does AIOSchema address?

AIOSchema is designed to support compliance with:

• EU AI Act Article 50 (content labeling, effective August 2, 2026)
• California SB 942 (AI-generated content disclosure)
• UK Online Safety Act (content authenticity)
• Australian content labeling frameworks

How do I verify an AIOSchema manifest?

Level 1 verification requires only:

1. Read the manifest JSON
2. Recompute the hash of the original file
3. Compare against hash_original in the manifest
4. Recompute core_fingerprint from the Core Block fields
5. Compare against the stored fingerprint

No keys, no network calls, no specialized tools. A client-side verifier is available at /verify/.

Where are the reference implementations?

Reference implementations are available in Python, TypeScript, Node.js, Go, and Rust. Source code is available at github.com/aioschema/aioschema.

How do I get involved?

AIOSchema is currently in technical preview. To stay informed:

• Watch the GitHub organization
• Follow @aioschema on X
• Contact support@aioschema.org

---

Read the specification → Get started →