# Qwen-TTS voice-cloning production guide: self-hosting the OSS version (Apache-2.0), and the governance design of consent, disclosure, and provenance > A guide to running, in production, voice cloning from 3 seconds of audio and voice design with the OSS version of Qwen3-TTS (Apache-2.0). With real code, it explains GPU self-hosting setup, a FastAPI inference server (type-safe, idempotent cache, GPU sharing), and most importantly the consent ledger, purpose limitation, AI-generation disclosure, provenance, and audit logs — a design that structurally suppresses impersonation/fraud risk. - Published: 2026-06-25 - Author: 友田 陽大 - Tags: Python, 音声合成, 生成AI, Qwen, セキュリティ, アーキテクチャ設計 - URL: https://tomodahinata.com/en/blog/qwen-tts-voice-cloning-self-hosting-consent-governance-guide - Category: Voice AI - Pillar guide: https://tomodahinata.com/en/blog/voice-ai-production-guide-stt-tts-voice-agents ## Key points - Voice cloning is a technology that enables 'replicating a voice without the person's consent,' so build consent, disclosure, and provenance into the design as a 'premise,' not a 'feature.' - The OSS version (QwenLM/Qwen3-TTS, Apache-2.0) has Base for 3-second cloning, VoiceDesign for natural-language voice design, and CustomVoice with 9 preset speakers. - The value of self-hosting is data sovereignty, unlimited use, fixed cost, and custom voices. Turn it into an inference server on a GPU (bf16/FlashAttention2). - The inference server is type-safe (Pydantic), with a content-hash idempotent cache and GPU reuse, ensuring cost and reproducibility. - With a consent ledger, make 'whose voice, by whom, for what purpose' mandatory; attach AI-generation disclosure and provenance to outputs, and leave all operations in audit logs. --- Voice cloning looks magical as a product but is **a minefield legally and ethically.** With 3 seconds of audio, you can have that person's voice read arbitrary text — this produces great value in dubbing, accessibility, and character production, while it directly connects to **impersonation, fraud, and defamation.** So productionizing this technology is the work of **designing not just "good code" but "good governance" at the same time.** This article is a guide to **safely operating voice cloning on your own GPU** with Qwen's **OSS version (QwenLM/Qwen3-TTS, Apache-2.0).** The basics (the model big picture, the API) are left to the [Qwen-TTS production-operations guide](/blog/qwen-tts-qwen3-tts-flash-production-guide); this article concentrates on the **self-hosting implementation** and the **governance of consent, disclosure, and provenance.** The knowledge of ensuring "voice consistency" with cloning in multilingual dubbing is based on the [AI video-localization platform](/case-studies/ai-video-localization-lipsync). > **Rules for this article**: model specs are based on **GitHub (QwenLM/Qwen3-TTS) as of June 2026.** The license is Apache-2.0, but **"the weights are free" and "you may replicate someone else's voice" are different matters.** The governance design here (consent, disclosure) is practical guidance premised on impersonation prevention and conformance with each country's synthetic-media regulations (disclosure obligations for AI-generated content, etc.). Confirm the final legal judgment with an expert. --- ## 0. There are two paths to cloning (settle this first) "Voice cloning with Qwen" has two paths of differing nature. | | Managed API (DashScope) | OSS version (self-hosted) | | --- | --- | --- | | Substance | `qwen3-tts-vc` (Voice Clone) / `qwen3-tts-vd` (Voice Design) | `Qwen3-TTS-12Hz-*` (Apache-2.0 weights) | | Where the reference audio is | Sent to Alibaba Cloud | **Doesn't leave your own GPU** | | Billing | Usage by character count | GPU fixed cost | | Suited requirements | Same-day, zero operations | **Data sovereignty, unlimited, custom** | For projects where reference audio (= the person's voice = potentially biometric personal information) **can't be sent outside** — medical, government, talent contracts, confidential — **OSS self-hosting is the only choice.** This article digs into the latter. --- ## 1. Why self-hosting There are four values to running the OSS version (Apache-2.0) yourself. - **Data sovereignty**: reference audio, generated audio, and scripts don't leave your boundary. - **Unlimited**: no character-count billing. The unit price matters in mass-producing dubbing/narration. - **Fixed cost**: it rides on GPU amortization. There's a break-even where, for always-on, it's cheaper than usage-based (→ [the TCO design of inference cost](/blog/llama-inference-cost-optimization-self-host-vs-api)). - **Custom**: you can build out voice cloning/design to fit your own voice actors/characters. Conversely, if you want small-volume, same-day, and no operations, API is the right answer (YAGNI). The correct order in many projects is **"first validate value with the API → self-host once the volume and data requirements solidify."** --- ## 2. Setup: the OSS-version models and GPU Public checkpoints (Hugging Face): | Model | Role | | --- | --- | | `Qwen3-TTS-12Hz-1.7B-Base` | Voice cloning from **3 seconds of reference audio** | | `Qwen3-TTS-12Hz-1.7B-CustomVoice` | 9 preset speakers (Vivian / Serena / Uncle_Fu / Dylan / Eric / Ryan / Aiden / Ono_Anna / Sohee) | | `Qwen3-TTS-12Hz-1.7B-VoiceDesign` | Design a voice in natural language | | `*-0.6B-Base` / `*-0.6B-CustomVoice` | Lightweight versions (memory-saving, for low-spec GPUs) | ```bash pip install -U qwen-tts # FlashAttention 2 併用を推奨 ``` ```python import torch from qwen_tts import Qwen3TTSModel # モデルは「一度ロードして使い回す」。リクエストごとのロードは厳禁(数秒〜のコスト) MODEL = Qwen3TTSModel.from_pretrained( "Qwen/Qwen3-TTS-12Hz-1.7B-Base", device_map="cuda:0", dtype=torch.bfloat16, # bf16/fp16 で省メモリ・高速 ) ``` The OSS version claims an end-to-end synthesis latency of **97ms** and supports 10 languages. Choose 1.7B / 0.6B for the GPU according to VRAM (KISS: 1.7B first, 0.6B if it doesn't fit). --- ## 3. Implementing voice cloning and voice design **Cloning** = from 3 seconds of reference audio + its transcript, have the same voice read arbitrary text: ```python wavs, sr = MODEL.generate_voice_clone( text="この声で、指定した原稿を読み上げます。", language="Japanese", ref_audio="ref.wav", # 本人同意済みの参照音声(3秒程度) ref_text="参照音声の書き起こし", # 参照音声に対応するテキスト ) ``` **Design** = "order" the voice itself in natural language (no reference audio needed, so the impersonation risk is structurally lower): ```python wavs, sr = MODEL.generate_voice_design( text="ようこそ、いらっしゃいませ。", language="Japanese", instruct="落ち着いた中低音の男性。ホテルのコンシェルジュのように丁寧で温かい。", ) ``` > **Design decision**: if you don't need to imitate a real person, **choose Design (or a CustomVoice ready-made speaker) rather than cloning.** Unless "the person's voice" is a requirement, not using a technology that enables impersonation is the safest design (minimizing the attack surface). --- ## 4. Turning it into an inference server: type-safe, idempotent, GPU-shared (FastAPI) To put cloning into business use, make it a resident server that reuses the GPU. The key points are a **type-safe boundary, a content-hash idempotent cache, and a consent gate.** ```python """Qwen3-TTS OSS のボイスデザイン推論サーバー(最小・本番志向)。 - 入力は Pydantic で境界検証(不正入力をモデルに渡さない) - 同じ入力は再生成しない(内容ハッシュでキャッシュ=冪等・コスト削減) - 同意の無いクローンは構造的に弾く(第5章の consent ゲート)""" import hashlib from pathlib import Path import soundfile as sf from fastapi import FastAPI, HTTPException from pydantic import BaseModel, Field app = FastAPI() CACHE = Path("/var/tts-cache"); CACHE.mkdir(exist_ok=True) class DesignRequest(BaseModel): text: str = Field(min_length=1, max_length=2000) language: str = Field(pattern=r"^(Japanese|English|Chinese|Korean)$") instruct: str = Field(min_length=1, max_length=400) def cache_key(*parts: str) -> str: h = hashlib.sha256() for p in parts: h.update(p.encode("utf-8")); h.update(b"\x00") return h.hexdigest() @app.post("/v1/voice-design") def voice_design(req: DesignRequest) -> dict: key = cache_key("vd", req.language, req.instruct, req.text) out = CACHE / f"{key}.wav" if out.exists(): return {"path": str(out), "cached": True} # 再生成しない(冪等) wavs, sr = MODEL.generate_voice_design( text=req.text, language=req.language, instruct=req.instruct, ) sf.write(out, wavs, sr) return {"path": str(out), "cached": False} ``` Serialize the GPU in a single process, or control the worker count to match VRAM (**separate loading and inference** = SRP). The thinking of batch optimization and quantization can be applied from the design of the [vLLM self-hosted inference server](/blog/vllm-llama-self-hosting-production-inference-server). --- ## 5. Governance (the core of this article): consent, disclosure, provenance This is the **watershed of trust.** Even with the same technology, the presence or absence of governance separates "an asset" from "an accident." **The cloning path must always pass through four gates.** ### 5.1 Consent Ledger Make "whose voice, by whom, for what purpose, until when" you may clone **mandatory as data**, and make voices not in the ledger structurally impossible to synthesize. ```python class CloneRequest(BaseModel): text: str = Field(min_length=1, max_length=2000) language: str = Field(pattern=r"^(Japanese|English|Chinese|Korean)$") voice_id: str # 事前登録された「声」の識別子 consent_token: str # 同意の証跡(後述) @app.post("/v1/voice-clone") def voice_clone(req: CloneRequest) -> dict: consent = lookup_consent(req.voice_id, req.consent_token) if consent is None or consent.revoked or consent.is_expired(): # 同意が無い/失効/期限切れ → 生成しない(fail closed) raise HTTPException(status_code=403, detail="consent_required") if req.text_purpose() not in consent.allowed_purposes: raise HTTPException(status_code=403, detail="purpose_not_permitted") ref = load_consented_reference(req.voice_id) # 同意済みの参照音声のみ wavs, sr = MODEL.generate_voice_clone( text=req.text, language=req.language, ref_audio=ref.audio_path, ref_text=ref.transcript, ) audit_log("voice_clone", voice_id=req.voice_id, actor=current_actor(), chars=len(req.text), consent_id=consent.id) # 全件監査(第6章) return {"audio": embed_provenance(wavs, sr, consent)} # 来歴を埋める(5.3) ``` The iron rule of the design is **fail closed**: when consent can't be confirmed, **don't generate** (default deny). Not leaving a state where "it can be carelessly generated" is the first and foremost in impersonation prevention. ### 5.2 Purpose limitation and revocation Consent **limits the purpose** (e.g., "internal training narration only") and can be **revoked at any time.** When the voice provider (voice actor, employee) withdraws consent, just flip `revoked=true` and subsequent generation stops — this **revocability** is the premise of trust. ### 5.3 Disclosure & Provenance Attach **① disclosure that it's AI-generated** and **② provenance (whose voice, which consent, when generated)** to outputs. Synthetic-media disclosure obligations are spreading in each country, and **"making it discernible as AI-generated"** is both a regulatory requirement and an ethical demand. - **Audible/visible disclosure**: clearly state "AI voice" in the UI ([a11y-compliant display](/blog/react-nextjs-web-accessibility-wcag22-guide)). - **Metadata provenance**: embed consent_id, voice_id, generation time, and model version into the generated file, making tampering detectable (the thinking of provenance standards like C2PA). - **Watermarking**: where possible, insert a watermark that doesn't harm audible quality, so it can later be machine-judged as "synthetic audio." ### 5.4 Access control Surround the cloning feature with **least privilege.** Don't make it an endpoint anyone can hit. Separate by role (voice administrator / user), and premise access to reference audio on auditing. --- ## 6. Security and auditing: treat reference audio as top secret - **Reference audio = biometric personal information**: a voiceprint can identify a person. Encrypt storage (AES-256-GCM, etc.), least-privilege access + audit logs. **Don't emit `.env`, keys, or audio to logs.** - **All operations in audit logs**: who, when, whose voice, with which consent, how many characters synthesized. Being traceable on an incident is a precondition for enterprise projects ([observability design](/blog/opentelemetry-observability-production-tracing-metrics-logs)). - **Input validation**: validate text length, language, and voice_id at the boundary (Pydantic). Don't pass user-derived values through. - **Decommission**: decide upfront a flow (retention period, deletion trail) to **reliably delete** reference audio and derivatives at contract end / consent withdrawal. --- ## 7. Cost and operations: how to justify the fixed cost Self-hosting is a **GPU fixed cost.** It's justified when one of the following is a requirement. - **Volume**: you continuously synthesize at a scale that gets expensive under usage-based billing (the break-even thinking is in [inference cost TCO](/blog/llama-inference-cost-optimization-self-host-vs-api)). - **Data sovereignty**: you can't let reference audio/scripts leave. - **Custom**: a unique voice is a business differentiator. If none apply, the API (`qwen3-tts-vc`) is cheaper and faster. **Decide technology selection by "does it fit the requirements," not "can it be done"** (KISS). --- ## 8. Conclusion: a voice-cloning productionization checklist - **Path selection**: can't let data out / unlimited / custom → OSS self-hosting. Small volume / same-day → API. - **Minimize impersonation**: if you don't need to imitate a real person, choose VoiceDesign / CustomVoice. - **Implementation**: GPU reuse, a type-safe boundary, a content-hash idempotent cache. - **Consent ledger**: whose voice, by whom, for what purpose — don't generate if not in the ledger (fail closed). - **Purpose limitation + revocation**: narrow the purpose, make it withdrawable. - **Disclosure and provenance**: explicit AI-generation + metadata like consent_id + (where possible) a watermark. - **Security**: treat reference audio as top secret, all operations in audit logs, a decommission flow. The productionization of voice cloning is decided by **whether you can design governance with the same passion as the technology.** I've handled designs that ensure "voice consistency" with cloning in multilingual dubbing while weaving consent and provenance into operations ([the AI video-localization platform](/case-studies/ai-video-localization-lipsync)). **"Use your own voice safely, legally, and at production quality" — I accompany you end-to-end from that design through implementation and governance.** First consult me about organizing the requirements and legal constraints. --- ### References (official documentation) - [QwenLM/Qwen3-TTS (GitHub, Apache-2.0)](https://github.com/QwenLM/Qwen3-TTS) — the OSS-version weights, `generate_voice_clone` / `generate_voice_design`, benchmarks - [Qwen-TTS speech synthesis (Alibaba Cloud Model Studio)](https://www.alibabacloud.com/help/en/model-studio/qwen-tts) — the API spec of `qwen3-tts-vc` / `qwen3-tts-vd` - [Hugging Face: Qwen3-TTS collection](https://huggingface.co/Qwen) — Base / CustomVoice / VoiceDesign checkpoints