Content Signals & C2PA: Controlling AI Usage
With the Content-Signal directive and C2PA you control how AI systems may use your content — three categories, four policies, an EU rights reservation.
by Jean Pierre Kolb ·
Content Signals give you a standardized way to declare how automated systems may use your content — more granular than the simple Allow/Disallow of robots.txt. As more and more AI crawlers comb the web, this answers a question that was long open: not only whether but for what a bot may use your site. Content Signals is Cloudflare's implementation of a new Content-Signal directive. This article complements the technical GEO side — the matching frame comes from Structured Data and Technical GEO.
The three Content-Signal categories
The Content-Signal directive works with three categories, each set to yes or no. It cleanly separates classic search, AI training and real-time AI usage:
| Signal | Meaning |
|---|---|
ai-train | Training or fine-tuning AI models on your content |
search | Building a search index and showing results (links and short excerpts) — not AI-generated summaries |
ai-input | Feeding content into AI models in real time (e.g. RAG, grounding or AI search answers) |
An example in robots.txt:
User-Agent: *
Content-Signal: ai-train=no, search=yes, ai-input=no
Allow: /Two delivery methods: robots.txt or HTTP header
The same preference can be emitted two ways — via robots.txt or as an HTTP response header with identical key=value grammar. The header is useful where a site-wide robots.txt line is too coarse: for individual URLs, for non-HTML resources such as PDFs or images, and for signals injected at the CDN edge.
Content-Signal: ai-train=yes, search=yes, ai-input=yesBoth methods are equivalent and may be combined. Because setting a preference is voluntary, the SEO & GEO Analyzer reads Content Signals from both sources and surfaces them as an informational signal, without counting them toward the score.
Four default policies
Four predefined policies cover the most common cases — from fully blocked to fully open:
- Disallow All — Most restrictive. No access for any purpose; may cause search engines to exclude your site.
- Allow Search Only — Permits search indexing and results, but no AI training and no AI input.
- Allow Search & AI Input — Permits search and real-time AI usage (such as AI search answers), but no model training.
- Allow All — Permits search, AI input and AI training.
Beyond that, Content Signals support path-specific rules (e.g. /blog/ for search only, /about for everything) and user-agent targeting (different rules for different bots).
Why this matters for GEO
Content Signals are a strategic GEO tool because they decouple visibility from protection. You can allow ai-input — citations in AI search answers — while blocking ai-train: maximum visibility without giving away your content as training data. Four points make the lever:
- Strategic visibility — Get cited deliberately without surrendering training data.
- Content control — Declare your AI preferences explicitly instead of hoping AI companies respect informal requests.
- EU rights reservation — Content Signals include an explicit reservation of rights under Article 4 of EU Directive 2019/790 (Copyright in the Digital Single Market).
- Early adoption — As more AI systems honor Content Signals, an early, clear permission record becomes more valuable.
C2PA: provenance, not just permission
Where Content Signals govern how your content may be used, C2PA — the Coalition for Content Provenance and Authenticity — tackles the other direction: it proves where content came from and whether it was altered. Through cryptographically signed metadata (Content Credentials), the provenance of an image or document can be demonstrated. For GEO this is the logical complement to authority: making provenance verifiable provides a trust signal that AI systems are likely to treat as proof of authenticity in future. Both standards are young, and their adoption is still growing.
How to generate your Content Signals
The easiest way to produce the robots.txt block is the Content Signals Generator: pick one of the four default policies, customize per category and copy the output straight into your robots.txt. The background is explained in the Cloudflare blog on the Content Signals Policy.
FAQ
Does a Content-Signal directive force AI crawlers to obey?
No, it is a declaration, not a technical enforcement. As with robots.txt, the effect depends on a crawler respecting the directive. The value lies in clarity and legal backing: with the EU rights reservation under Article 4 you document an explicit declaration of intent — and create a basis you can invoke.
Does setting signals hurt my AI visibility?
That depends on what you set. Block everything wholesale and you risk vanishing from search and AI answers. The GEO-friendly variant is differentiated: allow search=yes and ai-input=yes — which keeps you citable — and block only ai-train as needed. That way you steer usage without sacrificing visibility.
Do I need C2PA if I only publish text?
Rarely essential today, sensible in perspective. C2PA shows its strength above all with images, video and audio, where authenticity and manipulation become an issue. For plain text, verifiable authority — author pages, schema, transparent sourcing — weighs more heavily today. Still, watch the development, because provenance proofs will gain importance as a trust signal.
Further reading
The technical GEO base and crawler management are in Structured Data and Technical GEO. The frame of the series comes from the GEO pillar What is GEO?. Why authority and trust signals count is shown in E-E-A-T and Brand Authority. Check your robots.txt and headers with the SEO & GEO Analyzer.