c2pa-mcp

MCP server for reading Content Credentials (C2PA) from images and media using the official c2pa Rust SDK.

Validates against the official C2PA trust list and the Interim Trust List (ITL), fetched at startup so trust decisions are always current.

Prerequisites

Install Rust 1.88+ (includes cargo). On macOS you may also need Xcode Command Line Tools (xcode-select --install).

Build

cargo build --release

The binary is written to target/release/c2pa-mcp.

Test

cargo test

To run a single test by name:

cargo test <test_name>

Config

Add to your MCP client config (e.g. Claude Desktop: ~/Library/Application Support/Claude/claude_desktop_config.json, or Cursor MCP settings):

{
  "mcpServers": {
    "content-credentials": {
      "command": "/path/to/c2pa-mcp/target/release/c2pa-mcp"
    }
  }
}

Use the full path to the binary. Restart the client after editing config.

Tools

Response fields (camelCase JSON): success, hasCredentials, optional manifestData, optional error.

Trust

At startup the server fetches four trust lists concurrently:

• C2PA trust list — official conformance list (Google, DigiCert, Adobe, SSL.com, …)
• C2PA TSA trust list — time-stamping authority certificates
• ITL anchors — Interim Trust List roots (Microsoft, Adobe, and others who pre-date the conformance list)
• ITL allowed list — specific end-entity certificates from the interim period

Content signed before January 2026 (e.g. by Microsoft Designer) validates against the ITL. Newer content validates against the official C2PA list. If the network is unavailable at startup the server continues without trust anchors and logs a warning.

CLI

The binary also works as a one-shot CLI tool:

# Local file
./target/release/c2pa-mcp /path/to/image.jpg

# URL
./target/release/c2pa-mcp https://example.com/image.jpg

Prints pretty-printed JSON to stdout. Set RUST_LOG=c2pa_mcp=info for log output.

Links

C2PA Rust SDK · C2PA Trust Lists · MCP

License: MIT OR Apache-2.0