For most of its existence, C2PA was a photography problem.
The Coalition for Content Provenance and Authenticity launched in 2021 as a response to deepfake concerns in journalism — Adobe, the BBC, the New York Times, and the major camera manufacturers all wanted a cryptographic way to prove an image hadn't been doctored. Photoshop wrote C2PA. Lightroom wrote C2PA. Sony, Leica, and Nikon started shipping cameras that signed images at capture. Every conversation about content credentials in 2023 and 2024 was about photographs.
Then, quietly, the standard expanded into audio. Most creators didn't notice. Most metadata-removal tutorials online haven't caught up. But by 2026, every major commercial AI audio tool — Suno, Udio, ElevenLabs, Riffusion — is writing C2PA manifests into the audio files you export. Spotify, Apple Music, and Tidal are reading them at upload.
This post is the missing explainer. What C2PA is doing inside your audio files, where it lives in the file structure, why you didn't know about it, and how to strip it cleanly without touching the audio.
C2PA Was a Photography Problem. Then It Became an Audio Problem.
The original C2PA spec defined how to embed signed manifests inside JPEG, PNG, and the major image formats. The mechanism was straightforward: image files have a metadata region (EXIF, XMP, ICC), and C2PA defined a JUMBF box — JPEG Universal Metadata Box Format — that fits inside that region. A JUMBF box can carry arbitrary structured data including the cryptographic signatures and assertions that make C2PA work.
In 2024, the C2PA technical committee extended the spec to cover ISO BMFF — the underlying file format used by MP4, MOV, M4A, and a handful of other container formats. ISO BMFF organizes a file as a tree of "boxes" (sometimes called "atoms"), each with a four-character type code. The standard already had a udta box (User Data) for arbitrary metadata. The C2PA extension defined how to put a JUMBF box inside udta to carry the same kind of signed manifest that already worked for JPEG.
That single decision is why C2PA is now in your audio files. M4A is ISO BMFF. MP4 video files are ISO BMFF. Once the spec covered the container format, every tool that exports those formats could write C2PA — and the AI audio tools, all under the same regulatory and platform pressure that pushed Adobe to ship C2PA in Photoshop, started doing it.
MP3 is a different story. MP3 isn't an ISO BMFF container; it's a frame-based format with an ID3 tag region. C2PA in MP3 is handled by writing a JUMBF box inside an APIC-adjacent ID3v2 frame, or in some implementations as a sidecar reference. Less clean than M4A, but it gets done.
How C2PA Gets into Audio Files (The ISO BMFF Explanation, Without the Pain)
The simple version: an audio file isn't a single blob. It's a structured tree.
Open an M4A in a hex editor and the first few bytes spell out ftyp — the file-type box. After that comes a series of nested boxes: moov (movie metadata), mdat (media data — the actual audio), udta (user data). Each box has a length, a type, and a payload.
The udta box can contain arbitrary children. Adobe's audio editor, Suno's exporter, ElevenLabs' API — they all write into udta. What they write into it has historically been a few standard atoms: encoder string, copyright notice, sometimes album artwork. C2PA-aware exporters now also write a JUMBF box inside udta. Inside that JUMBF box is the actual C2PA manifest: a JSON-ish structure containing assertions about the file's origin, signed by the AI tool's certificate.
When a platform reads the file, its ingestion pipeline walks the box tree, finds udta, finds the JUMBF box, parses out the manifest, validates the signature, and now knows — with cryptographic confidence — that this audio was generated by Suno on April 23, 2026, using model v4.0.
Stripping C2PA cleanly means removing the JUMBF box from the udta tree without corrupting the rest of the structure. Naive tools that just zero out parts of the metadata region tend to break the file. Doing it right requires walking the box tree the same way the platforms do, removing the right boxes, and rewriting the parent box lengths so the file still parses.
Which Audio Tools Embed C2PA Assertions Right Now
| Tool | Format | C2PA assertion content |
|---|---|---|
| Suno | MP3, M4A, WAV | Model name (e.g. chirp-v4), generation timestamp, signed by Suno |
| Udio | MP3, M4A | Model name, timestamp, sometimes the prompt, signed by Udio |
| ElevenLabs | M4A, MP3 | Voice clone ID, model version, timestamp, signed by ElevenLabs |
| Riffusion | MP3, WAV | Model name, generation parameters, signed by Riffusion |
| Adobe Audition AI | WAV, M4A | "Generative" assertion, source tool, generation type |
| Apple Logic Pro AI features | M4A | Apple-signed assertion, feature used, generation timestamp |
The list grows roughly every quarter. AI audio tools have economic and regulatory incentives to comply with C2PA — partnerships with platforms, alignment with EU AI Act requirements that come into force in 2026 and 2027, and pressure from rights organizations that view content provenance as a defense against AI-generated infringement.
This is also why "use a tool that doesn't write C2PA" isn't a sustainable answer. The tools that don't ship C2PA today are mostly self-hosted or open-source models with meaningfully lower output quality. The commercial-quality tools all write C2PA, and the gap closes from the open side, not the commercial side.
What Platforms Do with That Information
Spotify reads the C2PA assertion at upload, combines it with the DDEX feed your distributor sends, and uses both to apply or skip the AI-generated label. (Detailed mechanism on Spotify here.) Apple Music does the same. Tidal does the same. SoundCloud has a less aggressive labeling policy as of 2026 but still reads the metadata at ingest.
For video on TikTok, Instagram Reels, and YouTube Shorts, the same C2PA-in-udta mechanism applies because video files use the same ISO BMFF container. The AI-disclosure label that platforms apply to video uploads is read out of the same kind of JUMBF box that audio platforms read for music. (How TikTok specifically handles this.)
The throughline is: every platform with a content-provenance feature in 2026 is reading C2PA. Every platform with a planned content-provenance feature is reading C2PA. The standard won. Once it's in your file, every relevant platform sees it.
How to Strip C2PA from Audio Files in the Browser
The whole point of stripping C2PA from audio is to do it without uploading the file to a server — because uploading a file you're trying to keep private to a server you don't control is a contradiction. The clean workflow is in-browser, byte-level manipulation of the metadata containers.
- Open metadatacleaner.app in any browser.
- Drag your audio file (MP3, M4A, WAV, FLAC) into the drop zone.
- Click Clean. The tool walks the file's box tree, removes the JUMBF box from
udta, removes ID3 frames that name the AI tool, and rewrites the parent box lengths cleanly. - Click Download. You get back a file with byte-identical audio — every sample is unchanged — and an empty metadata wrapper.
For images, the strip is implemented as a canvas re-encode (the cleanest way to guarantee zero residual metadata). For audio and video — which are too large to re-encode in a browser without quality loss — it's in-place box-tree manipulation. The two approaches are different by necessity but both produce a file with no C2PA, no ID3 identifiers, and no other identifying metadata.
What Metadata Stripping Doesn't Touch
Honest list. Closing the metadata channel doesn't close every channel.
- Audio watermarks. Some AI audio tools embed a near-inaudible watermark in the audio itself — a frequency-domain pattern, often in the 18–20 kHz range. That's not metadata. It survives stripping. Removing it requires a re-encode through a DAW.
- The DDEX flag at your distributor. When your distributor uploads to Spotify, it sends a separate metadata feed. If you self-disclosed AI use at the distributor, that flag is independent of your file's metadata.
- Spectral classifiers. Spotify, Apple Music, and the major video platforms all run audio/video through ML classifiers trained to detect AI-generated content. Stripping the file removes the easy answer; it doesn't remove the question.
- Account-level signals. If you've previously uploaded labeled AI content from the same account, the platform has correlated that. New uploads inherit some of that history.
The metadata strip is one of multiple layers, and the highest-confidence one. Closing it is meaningful. It's not a magic eraser.
FAQ: C2PA in Audio
Is C2PA in audio actually new, or was it always there?
It's new in audio specifically. The C2PA spec covered images from launch (2021), and the ISO BMFF extension covering MP4/M4A came in 2024. Most major AI audio tools started shipping C2PA in their exports during 2024 and 2025. By 2026 it's universal across commercial tools.
Does Suno announce when they're embedding C2PA?
Not prominently. The C2PA assertion is mentioned in their terms of service and in some FAQ documentation, but it's not surfaced in the export UI. Most users find out it's there only when their reach drops and they investigate.
Will stripping C2PA invalidate my content provenance for legitimate uses?
Yes — that's literally what it does. C2PA was designed for cases where you want to prove provenance (journalism, authenticated artwork, evidentiary photography). Stripping is the right call when you don't want to disclose AI use; it's the wrong call when you're trying to prove your content is what you say it is. Two different workflows for two different goals.
Can I selectively edit a C2PA manifest to remove only the AI-tool reference?
No. The manifest is cryptographically signed. Selectively editing it invalidates the signature, which is detectable — and in some platforms, treated as a stronger negative signal than just having an AI-generated assertion. Strip the whole manifest cleanly or leave it intact. There's no in-between.
Does this mean I can use AI audio tools and not disclose?
Whether to disclose AI use is your decision under your distributor's terms of service, your jurisdiction's law, and your own ethics. Stripping the metadata gives you the technical option to choose. The technical option does not absolve you of the contractual or legal one. Read your distributor's TOS.
Is there a way to verify C2PA was actually removed?
Yes. Drop the cleaned file into metadata2go.com. The C2PA assertion section should be empty. ExifTool also detects C2PA in modern versions: exiftool -G1 -C2PA: yourfile.m4a will report empty if removal was clean.
The standard won. Every audio platform reads it. Strip it before upload, or upload with the assertion intact and accept the labeling. Drop your file into metadatacleaner.app — entirely in your browser.