AI / LLM
SynthID: How Google Watermarks AI Content
A team ships a generative AI product in 2024. Within weeks, screenshots of its output circulate with no obvious way to tell what is real and what is not. Provenance becomes everyone's problem at once: regulators, publishers, courts, and the engineering team that shipped the model.
SynthID is Google DeepMind's answer to that problem. It is not a detector that guesses whether arbitrary content is AI-generated. It is a watermark embedded at generation time by Google's own models, and read back by a matching detector. As of Google I/O 2025, more than 10 billion pieces of content carry the signal, the text version is open source on Hugging Face, and a public detector portal is rolling out to journalists and researchers.
This article walks through what SynthID actually does, how the text version works in detail (it is genuinely clever), where each modality lives today, and the limitations the academic literature has been clear about. The intention is to understand the system, not to grade it.
What SynthID is
SynthID is a family of invisible, in-content watermarks. Same name, four different algorithms, one detector portal.
- SynthID-Image perturbs pixels in the spatial frequency domain at generation time.
- SynthID-Audio embeds a watermark in the spectrogram of generated audio, in regions humans cannot hear.
- SynthID-Video applies the image watermark to every frame of a generated video.
- SynthID-Text biases the LLM's token sampling toward a key-seeded pseudo-random pattern.
The unifying property: the watermark is in the content itself, not in the metadata. Cropping, screenshotting, lossy compression, and mild edits, the standard things that strip a C2PA manifest on upload to a social platform, do not destroy the signal within the limits the literature has established.
The detector returns one of three states: watermarked, possibly watermarked, or not watermarked. Crucially, "not watermarked" does not mean "human-made." It only means "no SynthID signature was found." If the content came from OpenAI, Midjourney, Black Forest Labs, or a locally finetuned Llama, SynthID has nothing to say about it.
Timeline
| Date | Event |
|---|---|
| Aug 2023 | Launch on Vertex AI for Imagen. Image-only, beta. |
| Nov 2023 | Audio support added with the Lyria music model. |
| Feb 2024 | Google joins the C2PA steering committee. |
| May 2024 | I/O 2024: text (Gemini) and video (Veo) added. Open-source SynthID-Text announced. |
| Oct 2024 | Nature paper published; Hugging Face Transformers v4.46 integration shipped. |
| May 2025 | I/O 2025: SynthID Detector portal launched. Veo 3, Imagen 4, Lyria 2 watermarked by default. Over 10 billion pieces of content marked. |
| Oct 2025 | SynthID-Image paper posted to arXiv. |
| Feb 2026 | Lyria 3 launches in Gemini with SynthID. |
Two things are worth noticing about the trajectory. First, SynthID started as a Vertex AI feature, became a default on every consumer Google generative product, and ended up open source in one modality. Second, Google's framing has steadily moved from "we have launched a watermark" toward "this is one layer in a larger provenance stack." The C2PA membership and the explicit pairing with Content Credentials are the architectural admission.
How SynthID-Text actually works
The text version is the most technically interesting piece and the only one with a peer-reviewed paper, so it earns the longest section.
The setting
An LLM generates text one token at a time. At each step, the model produces a probability distribution P_LM over the vocabulary, and a sampler picks a token. SynthID-Text replaces the sampler. Nothing about training, the logits, or the temperature changes.
Tournament sampling
flowchart TD
LM[LLM step t produces P_LM] --> CAND[Candidate tokens drawn from P_LM]
CAND --> L1[Layer 1: pairwise g-value compare]
L1 --> L2[Layer 2: winners advance]
L2 --> Lm[Layer m: final winner]
Lm --> OUT[Emit token]
K[Watermark key plus rolling context] -.PRF.-> L1
K -.PRF.-> L2
K -.PRF.-> Lm
At each generation step, candidate tokens compete in m layers of pseudo-random elimination. The winner at each layer is decided by a g-value: a Bernoulli(0.5) bit produced by a pseudo-random function seeded by three things.
- A secret watermarking key, a list of integers, one per layer. The open-source release uses around 30.
- The candidate token id.
- A rolling context of the previous few tokens (the default is the previous four).
Each layer pairs candidates and advances the one with the higher g-value at that layer. After m layers, one token is emitted.
The key property is in the marginals. Because candidates are drawn i.i.d. from P_LM and each layer only re-orders i.i.d. samples, the expected marginal distribution of the emitted token equals P_LM. There is no logit perturbation. The model never knows the watermark is happening.
Across many tokens, though, the emitted sequence is systematically enriched in tokens with high g-values for that specific (key, context) seed. The detector knows the key, computes the same g-values, and checks whether the sequence's g-values are higher than chance.
Detection
Detection is just statistical scoring, with no LLM inference required. The detector:
- Receives the candidate text and the watermarking key.
- Recomputes g-values for every token using the same PRF.
- Averages those g-values (mean detector) or runs them through a small learned classifier (Bayesian detector).
- Returns one of three states based on configurable thresholds.
The Nature paper reports TPR around 85% at FPR = 1% on 400-token outputs from Gemma 7B-IT with m = 30, roughly 12 points above the prior state of the art. AUC approaches 1.0 on the standard 200-token benchmark.
The cost on the generation side is small: plus 0.57% latency on Gemma 7B-IT with the 30-layer tournament, after integration with speculative decoding. On the detection side it is effectively free: a server can scan billions of strings with just a hashing PRF and a tiny classifier.
Why distortion-free matters
Earlier text-watermarking schemes shifted the model's distribution. Kirchenbauer et al. at Maryland (2023) split the vocabulary into "green" and "red" lists and add a fixed bias delta to green-list logits. That works, but it provably reduces output quality on tasks where the right answer is rigid (factual short answers, code).
SynthID-Text is distortion-free in expectation at the per-token marginal: the emitted token is statistically indistinguishable from a normal P_LM sample. Google ran a live A/B test on roughly 20 million Gemini conversations comparing watermarked and unwatermarked responses; there was no statistically significant difference in user ratings (thumbs-up rate, smaller-panel quality scores). This is why Gemini users did not notice anything change when the watermark was switched on.
The paper offers a distortionary mode too, where candidates are drawn differently to produce a stronger signal at the cost of measurable distribution drift. Most production traffic stays in the non-distortionary regime.
Open source
The reference implementation lives at google-deepmind/synthid-text. The production-friendly integration is in Hugging Face Transformers v4.46.0 and later.
from transformers import (
AutoModelForCausalLM,
AutoTokenizer,
SynthIDTextWatermarkingConfig,
)
tokenizer = AutoTokenizer.from_pretrained("google/gemma-7b-it")
model = AutoModelForCausalLM.from_pretrained("google/gemma-7b-it")
watermarking_config = SynthIDTextWatermarkingConfig(
keys=[654, 400, 836, 123, 340, 443, 597, 160, 57, 178, 401, 902, ...],
ngram_len=5,
)
prompts = tokenizer(["Tell me a story."], return_tensors="pt", padding=True)
out = model.generate(
**prompts,
watermarking_config=watermarking_config,
do_sample=True,
)
print(tokenizer.batch_decode(out, skip_special_tokens=True))
A separate BayesianDetectorModel ships with an end-to-end training script. A hosted demo is at huggingface.co/spaces/google/synthid-text.
How the non-text modalities work
SynthID-Image
Two networks trained jointly. An embedder perturbs the pixels of a generated image. A detector reads the perturbation back. The signal is spread across the spatial-frequency domain rather than the least-significant bits or the metadata; that design choice is what makes it survive JPEG compression, Instagram filters, color grading, screenshots, and moderate crops.
The detector is trained adversarially against common removal attempts, so attacks that try to strip the watermark tend to also degrade the image visibly. The October 2025 arXiv paper (Gowal et al.) documents a 136-bit payload at 512x512 resolution and robustness across roughly 30 transformations.
The model weights and code are proprietary. Only SynthID-Text is open sourced.
SynthID-Audio
The audio model converts a generated waveform to a spectrogram, embeds the watermark in spectrogram values inside psychoacoustic masking regions (frequencies the ear is least sensitive to at that moment), then inverts back to a waveform. The result is mathematically present but inaudible.
It survives MP3 encoding, additive noise, tempo and speed changes, and partial clipping. The detector reports which segments of the audio carry the watermark, useful when only part of a track is AI-generated.
In production, SynthID-Audio runs on Lyria 2 and Lyria 3, MusicFX, and NotebookLM Audio Overviews. It applies to both AI-generated music and AI-generated speech in Google's first-party products. The model is proprietary.
SynthID-Video
Despite Google's framing about "building on image and audio," SynthID-Video is the image watermark applied per frame. Each frame carries the full image-domain signal, so any retained frame is detectable; the detector aggregates across frames to localize the watermark temporally (which seconds of a clip are watermarked).
That choice makes the system robust to lossy video re-encoding (H.264 / H.265), frame-rate changes, screen recording, and frame extraction. The corollary: heavy stylization or content-aware warping degrades the watermark the same way it degrades the underlying image watermark.
Veo 3, announced at I/O 2025, additionally carries a visible "Veo" watermark in the lower right corner. Google's framing of the visible mark is a "first step" while the detector portal is still gated.
The SynthID Detector portal
Announced at Google I/O 2025, the SynthID Detector is a web portal where a user uploads a file and the system reports whether it carries a Google SynthID watermark, and which regions of the content do.
- All four modalities are supported; image and audio at launch, text and video shortly after.
- Three-state output: watermarked, possibly watermarked, not watermarked.
- Waitlist-gated access for journalists, fact-checkers, media professionals, and academic researchers. Reported approval times are two to fourteen days.
- A partnership with GetReal Security integrates SynthID detection alongside other deepfake-forensic signals.
The most important sentence Google publishes about the portal: "not watermarked" does not mean "human-made." It only means "no Google signature found." SynthID has nothing to say about non-Google outputs.
Limitations
The academic literature is unusually clear on this. Five concrete failure modes are worth knowing.
1. Strong paraphrasing breaks text watermarks
Zhang et al. (Watermarks in the Sand, ICML 2024) proved an impossibility result: under reasonable assumptions, no watermarking scheme survives a computationally bounded attacker armed with a quality oracle (another LLM). Empirically, detection rates of state-of-the-art schemes drop below 0.3 after a single GPT paraphrasing pass. Independent SynthID-Text robustness studies (arXiv 2508.20228) confirm the pattern: back-translation and full paraphrasing degrade detection significantly.
2. Watermarks can be stolen and forged
Jovanović, Staab, Vechev (Watermark Stealing in LLMs, ICML 2024) reverse-engineered state-of-the-art watermarks by querying APIs. They reported roughly 80% spoofing success and 85% scrubbing success for under $50 in API calls. The forging side is the more dangerous one: an attacker can frame human-written disinformation as "SynthID-verified Gemini output."
3. Image watermarks fall to UnMarker
Kassis and Hengartner (UnMarker, IEEE S&P 2025) demonstrated a universal black-box spectral attack that removes roughly 79% of SynthID image watermarks without access to the detector or knowledge of the scheme. The structural argument: any robust invisible watermark must embed energy in predictable spectral bands; a generic spectral attack will eventually find them.
4. Single-vendor coverage
SynthID only marks Google output. Llama, Qwen, DeepSeek, Stable Diffusion, Midjourney, ElevenLabs, Black Forest Labs: none of them carry SynthID. Open-source models give attackers white-box access to the decoding process, so even if a watermark were applied to an open-source model, the attacker could simply disable it. This is the existential limitation of any single-vendor scheme.
5. Low-entropy content has nowhere to hide a watermark
The Nature paper is explicit. When the model is near-deterministic, "The capital of France is Paris," code with one correct completion, short factual answers, there is no probability mass for the tournament to exploit. SynthID-Text drops the watermark on these tokens. Which is exactly the high-stakes case (medical, legal, news) where provenance matters most.
The analogous failure for SynthID-Image is low-information regions: pixel art, line drawings, near-uniform images. Less detail, less room for spectral perturbation.
The honest framing
Even Scott Aaronson, who designed OpenAI's earlier text watermark, calls watermarking an "endless cat-and-mouse game" (Shtetl-Optimized, Feb 2024). OpenAI declined to ship his version; the Wall Street Journal reported in August 2024 that internal data suggested watermarking reduced ChatGPT engagement by around 30% in user surveys. Google's choice to ship SynthID is partly an architectural one (it is genuinely lower-distortion than the alternatives) and partly a strategic one (regulatory and reputational pressure under the July 2023 White House commitments and the EU AI Act).
The strongest case against watermarking-as-the-solution: it is mathematically fragile (paraphrasing), operationally fragile (stealing and forging), structurally fragile (single-vendor), and politically dangerous. The political risk is the liar's dividend: once the public believes watermarks exist, authentic content can be dismissed as "probably AI," and spoofed watermarks carry false authority. The Nature editorial accompanying the SynthID paper put it directly: "AI watermarking must be watertight to be effective."
SynthID and C2PA: the layered stack
Two systems get conflated. They solve different problems.
flowchart TD
GEN[Google generative model] --> SID[SynthID embedder]
GEN --> C2P[C2PA manifest signer]
SID --> CONTENT[Output: pixels, audio, text, frames]
C2P --> META[Signed metadata sidecar]
CONTENT --> NET[Open internet]
META -.often stripped on upload.-> NET
NET --> DETSID[SynthID Detector]
NET --> DETC2P[C2PA verifier]
NET --> CLF[Classifier-based detectors]
DETSID --> JURY[Provenance verdict]
DETC2P --> JURY
CLF --> JURY
| SynthID | C2PA Content Credentials | |
|---|---|---|
| What it is | Invisible signal in the content | Cryptographically signed metadata manifest |
| Lives where | In the pixels, spectrogram, or token distribution | In a sidecar or EXIF-like attachment |
| Survives stripping | Yes (it is the content) | No (most social platforms strip metadata) |
| Survives heavy editing | No (paraphrase, stylize, regenerate) | Invalidated by edits, can be re-signed |
| Cryptographic guarantees | No (statistical) | Yes (PKI-signed) |
| Cross-vendor coverage | No (Google only) | Yes (Adobe, OpenAI, Microsoft, Sony, BBC) |
| Primary failure mode | Erodes under edits and paraphrase | Stripped on upload |
Google joined the C2PA steering committee in February 2024. The two systems are explicitly complementary: SynthID handles "the content was edited but the signal survives." C2PA handles "the content has a verifiable origin if the manifest is intact." Production provenance pipelines combine both, plus classifier-based detectors, plus visible labels.
The EU AI Act, Article 50, requires generative AI providers to mark outputs in a machine-readable format that is "effective, interoperable, robust and reliable." The European Commission's 2026 Code of Practice explicitly says no single technique meets all four criteria. The legal answer is the multilayered stack, not SynthID alone.
The shape of the recommendation
Three takeaways for someone building or evaluating an AI product in 2026.
- Use SynthID where it is free and default. If you generate with Google models (Gemini, Imagen, Veo, Lyria) on the consumer apps or Vertex AI, every output is already watermarked. There is no integration cost. The watermark is one piece of evidence in your provenance pipeline.
- Do not rely on it as a deepfake detector. SynthID identifies Google content, not "AI content." A regulator, journalist, or product surface that interprets "not watermarked" as "human-made" is making a mistake the system was never designed to support.
- Pair invisible watermarks with cryptographic metadata. C2PA signed manifests, SynthID invisible signal, classifier-based detectors, visible labels for high-stakes surfaces. The watermark covers the case where metadata is stripped; the metadata covers the case where the content is heavily edited.
The technically interesting part of SynthID is the algorithm. Tournament sampling is genuinely elegant: a watermark that does not move the model's marginal distribution and that can be detected without running the model. The honest part is the framing. This is one layer in a stack, not the solution. The trajectory of Google's own messaging, from "we launched a watermark" in 2023 to "we are a C2PA member integrating multiple signals" in 2026, is the most accurate summary of where the field actually is.
References and Good Reads
Primary sources
- Dathathri et al. Scalable watermarking for identifying large language model outputs. Nature 634:818-823, October 2024. The SynthID-Text paper.
- Gowal et al. SynthID-Image: Image watermarking at internet scale. arXiv 2510.09263, October 2025.
- Google DeepMind. SynthID. The canonical product page.
- Google DeepMind. Identifying AI-generated images with SynthID. The August 2023 launch post.
- Google DeepMind. Watermarking AI-generated text and video with SynthID. The May 2024 expansion post.
- Google. SynthID Detector: a new portal to help identify AI-generated content. The May 2025 detector portal announcement.
Implementation
- google-deepmind/synthid-text on GitHub. Reference implementation in JAX.
- Hugging Face. Introducing SynthID Text. Integration with Transformers.
- SynthID-Text live demo on Hugging Face Spaces.
- Google. SynthID developer documentation in the Responsible Generative AI Toolkit.
Attack and limitation literature
- Zhang et al. Watermarks in the Sand: Impossibility of Strong Watermarking for Generative Models. ICML 2024.
- Sadasivan et al. Can AI-Generated Text Be Reliably Detected?. 2023.
- Jovanović, Staab, Vechev. Watermark Stealing in Large Language Models. ICML 2024.
- Kassis, Hengartner. UnMarker: A Universal Attack on Defensive Image Watermarking. IEEE S&P 2025.
- Robustness Assessment and Enhancement of Text Watermarking for Google's SynthID. 2025.
- Gloaguen et al. Towards Watermarking of Open-Source LLMs. 2025.
Standards and governance
- C2PA. Content Credentials whitepaper.
- Google. How Google and the C2PA are increasing transparency for gen AI content.
- European Commission. Code of Practice on AI-generated content.
- Nature editorial. AI watermarking must be watertight to be effective. November 2024.
Critical commentary
- Scott Aaronson. Updatez!. Shtetl-Optimized, February 2024.
- MIT Technology Review. It's easy to tamper with watermarks from AI-generated text.
- MIT Technology Review. Google DeepMind is making its AI text watermark open source.
- IEEE Spectrum. The Universal AI Watermark Remover.
