Skip to content

contentauth/c2pa-mcp

BranchesTags

Repository files navigation

c2pa-mcp

MCP server for reading Content Credentials (C2PA) from images and media using the official c2pa Rust SDK.

Validates against the official C2PA trust list and the Interim Trust List (ITL), fetched at startup so trust decisions are always current.

Install

Claude Desktop: Download the .mcpb bundle for your platform from the latest release and double-click to install.

macOS / Linux:

curl -fsSL https://raw.githubusercontent.com/contentauth/c2pa-mcp/main/install.sh | sh

Windows (PowerShell):

irm https://raw.githubusercontent.com/contentauth/c2pa-mcp/main/install.ps1 | iex

To install to a custom directory:

INSTALL_DIR=~/.local/bin curl -fsSL https://raw.githubusercontent.com/contentauth/c2pa-mcp/main/install.sh | sh

On macOS, unsigned binaries are blocked by Gatekeeper. If prompted, run:

xattr -dr com.apple.quarantine "$(which c2pa-mcp)"

Config

Add to your MCP client config (e.g. Claude Desktop ~/Library/Application Support/Claude/claude_desktop_config.json, or Cursor MCP settings):

{
  "mcpServers": {
    "content-credentials": {
      "command": "c2pa-mcp"
    }
  }
}

Restart the client after editing config.

Build from source

Requires Rust 1.88+. On macOS you may also need Xcode Command Line Tools (xcode-select --install).

cargo build --release

The binary is written to target/release/c2pa-mcp.

Test

cargo test

To run a single test by name:

cargo test <test_name>

Tools

Tool Description
read_credentials_file Read credentials from a local path (absolute, relative, or file://).
read_credentials_url Read credentials from a URL.

Response fields (camelCase JSON): success, hasCredentials, optional manifestData, optional error.

Trust

At startup the server fetches four trust lists concurrently:

  • C2PA trust list — official conformance list (Google, DigiCert, Adobe, SSL.com, …)
  • C2PA TSA trust list — time-stamping authority certificates
  • ITL anchors — Interim Trust List roots (Microsoft, Adobe, and others who pre-date the conformance list)
  • ITL allowed list — specific end-entity certificates from the interim period

Content signed before January 2026 (e.g. by Microsoft Designer) validates against the ITL. Newer content validates against the official C2PA list. If the network is unavailable at startup the server continues without trust anchors and logs a warning.

CLI

The binary also works as a one-shot CLI tool:

# Local file
./target/release/c2pa-mcp /path/to/image.jpg

# URL
./target/release/c2pa-mcp https://example.com/image.jpg

Prints pretty-printed JSON to stdout. Set RUST_LOG=c2pa_mcp=info for log output.

Publishing to MCP Registry

After a release, run the publish script to update server.json with the latest version and hashes, then publish to the registry:

mcp-publisher login github   # first time only
./publish.sh

Links

C2PA Rust SDK · C2PA Trust Lists · MCP · MCP Registry

License: MIT OR Apache-2.0

About

MCP server for reading C2PA Content Credentials from media using the CAI Rust SDK.

Resources

Readme

License

Apache-2.0, MIT licenses found

Licenses found

Apache-2.0
LICENSE-APACHE
MIT
LICENSE-MIT

Code of conduct

Code of conduct

Contributing

Contributing

Security policy

Security policy
Activity
Custom properties

Stars

2 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases 2

v0.2.2 Latest
Mar 26, 2026
+ 1 release

Packages

 
 
 

Contributors

Languages