C2PA in Ableton: Open-Source Max for Live Device

In May 2026 we shipped a Claude MCP for reading C2PA manifests in music files. This post is the follow-up: the same reader, now inside Ableton Live as an open-source Max for Live device.

This is the fourth article in our Max for Live series. It builds directly on the M4L → FastAPI pattern we wrote about in January 2026, with one change: the API runs on your laptop, not in the cloud.

The problem

Google Lyria signs every MP3 it generates with a C2PA manifest. The manifest records who made the file, what model produced it, whether it is AI-generated, what watermarks were applied (Lyria adds SynthID), and who signed the claim. The data is there. Producers cannot see it.

You drop a Lyria stem onto an audio track. Ableton shows you the waveform. It does not show you that the file is AI-generated, who signed it, or what the manifest says about the source. To find out, you have to leave the DAW, run c2patool on the file, and read raw JSON.

Andrew Melchior — Massive Attack's CTO, advising the UK DCMS on AI and the Copyright Act — framed the bigger gap in a reply on LinkedIn to our MCP announcement:

C2PA now tells you a machine generated this track. It doesn't tell you whose work trained the machine.

Training-corpus provenance is the hard problem. This article is about the easier half — making the output manifest visible at the point a producer is actually working.

The fix

A Max for Live device. Click a clip → see the manifest summary. That is the whole product.

Under the hood, the device borrows a pattern we already shipped: a Max for Live js object reads the Live Object Model, then routes the work to a Node for Max HTTP client. We wrote about this exact shape in January 2026. The only change here is where the HTTP server lives.

Architecture in one diagram

Loading diagram...

Three sentences:

A LiveAPI observer in the js object watches live_set view detail_clip. When the selection changes, it pulls the clip's file_path.
The path flows into a Node for Max script, which POSTs it to http://127.0.0.1:8765/summary.
The local FastAPI server is shipped in this same repo as the device — a small Python package (mtl_c2pa_server) that wraps the official c2pa-python Rust binding. One clone, one poetry install.

Selection-to-display, end to end

Loading diagram...

The manual "Refresh" button short-circuits the observer and triggers the same POST /summary call. Same pipeline, different trigger source.

Why local, not cloud, not CLI

We considered three options. Local won.

A CLI shell-out per click

Simplest, but Python startup costs ~300 ms. On every clip selection. You feel it.

We use c2pa-python, which wraps the Rust binding. The Python interpreter cold-start is the bottleneck, not the C2PA read itself.

Cloud Run

Right for generation, wrong for reading. You'd upload audio just to inspect a local file.

Cloud is what our reference M4L → API article uses — and for storing generation events with an audit log, it is the right answer. For reading a manifest already in your file system, it isn't.

Local FastAPI server

Keeps c2pa-python warm. Loopback only. Reuses the MCP parser without changes.

The HTTP layer is ~80 lines wrapping c2pa-python directly. Self-contained in this repo — one clone, one install, no separate dependency on the sibling MCP server.

A persistent local FastAPI server keeps c2pa-python warm in memory, runs on loopback only (no external attack surface), and reuses the existing MCP parser without changes.

What you see

For a Lyria-signed MP3, the device shows the same shape the MCP produces:

c2pa_summary output in Ableton

{
  "file": "/Users/you/Music/Sovereign_Ascent.mp3",
  "generator": {"name": "Google C2PA Core Generator Library"},
  "is_ai_generated": true,
  "actions": [
    {"action": "c2pa.created", "description": "Created by Google Generative AI."},
    {"action": "c2pa.edited", "description": "Applied imperceptible SynthID watermark."}
  ],
  "watermarks": [
    {"description": "Applied imperceptible SynthID watermark."}
  ],
  "signature_issuer": "Google LLC",
  "validation": "valid"
}

For an unsigned audio clip you get {"error": "No C2PA manifest found"}. For a MIDI clip, {"info": "MIDI clip — no C2PA manifest applicable"}. The Refresh button re-runs the lookup manually.

What this doesn't solve

This is read-side only. The device tells you the C2PA truth that is already in the file. It does not sign anything. It does not tell you what corpus trained the model. Andrew's point still stands.

The C2PA community is working on the harder problem. There is an active conversation in the C2PA group about capturing provenance during DAW work — signing the project at bounce time, attributing the samples and MIDI sources that went in. That is the generation side. We would like to help build it next.

Install and try it

You need Ableton Live with Max for Live (Live Suite, or Standard plus the M4L add-on), and macOS for the auto-start script.

setup.sh

# 1. Clone and install (one-time)
git clone https://github.com/musictechlab/mtl-c2pa-ableton.git
cd mtl-c2pa-ableton && poetry install

# 2. Auto-start on login (macOS)
bash install/install.sh

# 3. Verify
curl http://127.0.0.1:8765/health
# {"status":"ok"}

# 4. Drop the device on a track
# Drag device/MTL_C2PA_Ableton_PoC.amxd onto any audio track in Live.

That's it. Click a Lyria clip — see the manifest. Full setup detail in the repo README.

Roadmap

Generation-side device next. The plan is a Max for Live effect that signs the project at bounce time and emits a C2PA manifest describing the session's ingredients — samples, MIDI sources, plugin chain. We would like input from the C2PA community before settling on the assertion shape.

If you are interested in the broader open-source MCP family we have shipped:

mtl-metadata-mcp

Read and write ID3, FLAC, and Vorbis tags from Claude — siblings on the metadata layer.

ISRCs, artist, album, year — the rights-and-identifier layer that complements C2PA's provenance layer.

Verified Human Cert MCP

Complementary provenance: VHC says a human made this; C2PA says how it was made.

Together they answer the two questions about an AI-suspect track: was it made by a human, and what does the file declare about its origin?

mtl-bandcamp-mcp

Natural-language queries over Bandcamp revenue CSVs from Claude.

The same MCP-server pattern, different data source. Wraps the official Bandcamp Sales Report exports.

Inside .als and .asd files

Adjacent metadata extraction — going below the LiveAPI layer.

For when you need to read an Ableton project without opening Ableton — same Max for Live series, different angle.

Try it, break it, send feedback

The device is MIT-licensed. Repo: musictechlab/mtl-c2pa-ableton. Issues and PRs welcome. If you build something on top of the local HTTP server (a Logic plugin, a REAPER script, a standalone viewer), tell us — same pattern works for any DAW that can shell out to localhost.