Editorial | 19 April 2026 | VerifyDocs Editorial

How to Issue a Certificate of Authenticity for Any Document

2026 Template + Example

A certificate of authenticity used to be a piece of paper with a foil sticker, a wet signature, and a little ribbon at the corner. In 2026, it is something much more useful: a cryptographically-verifiable record that lets anyone — a bank, a landlord, a recruiter, a regulator — confirm a document's origin and integrity in a single scan.

If your business issues contracts, diplomas, certificates, invoices, insurance documents, employment letters, or anything your customer will hand to a third party, you should be issuing a certificate of authenticity with every one of them. The technology is inexpensive, the user experience is frictionless for recipients, and the business impact is enormous: you eliminate an entire category of customer support ("can you confirm this is real?"), and you remove the attack surface that AI-generated document forgery exploits.

This guide is the operational manual: the 10 required fields, the fill-in-the-blank template, the step-by-step issuance process, and examples across five common industries.

What a certificate of authenticity actually is (and isn't)

A modern certificate of authenticity (COA) is a structured record, usually exposed through a public verification page, that ties a specific document to:

  • A specific issuer (your business)
  • A specific recipient
  • A specific date and time
  • A specific cryptographic fingerprint of the document

It is not a decorative overlay. A pretty ribbon or foil seal on a PDF is marketing. A COA is evidence.

Three tests separate a real COA from a cosmetic one:

The independence test. Can someone with no prior relationship to you verify the document in under a minute? If they need to call you, email you, or log into a system, the COA is cosmetic.

The tamper test. If a single character in the document changes — a dollar amount, a name, a date — does the verification fail loudly? If the COA still reports "authentic" for an altered file, it's theater.

The revocation test. If the underlying event changes — an employee departs, a credential is revoked, a contract is superseded — can you invalidate the COA from a central registry? If not, the COA is a one-way promise with no off-ramp.

A real COA passes all three. The rest of this guide shows you exactly how to issue one.

The 10 required fields

A well-constructed COA contains ten specific pieces of data. Skip any of them and you're issuing something weaker than the 2026 standard.

1. Unique document identifier. A globally unique ID that cannot collide with any other document in your system or anywhere else. Typically a UUID or a hash-derived identifier. This is the primary key that ties the document to its verification record.

2. Issuer identity. Your business's name, verified organizational profile, and an issuer ID that a verifier can cross-reference. Critically: the COA should link to the issuer's verification domain (e.g., verifydoc.ai/issuer/your-business), not just name-drop the issuer.

3. Recipient identity. The person or organization the document was issued to. For some document types (public certifications, broadcast contracts), this may be generic ("Bearer"). For most HR and financial documents, it is a specific named individual, often with an identity verification step attached.

4. Document type. A machine-readable classification (offer letter, insurance certificate, diploma, contract, invoice, etc.) and a human-readable title. The type is what lets the verification page render the right fields in the right format.

5. Issue date and time. Stored in UTC, with a trusted timestamp — ideally from a recognized time-stamp authority (TSA), not just the issuer's local clock. This protects against backdating claims.

6. Cryptographic hash of the document. A SHA-256 hash of the final document, computed at issuance, stored in the verification record. This is the tamper-evidence mechanism — it's what lets a verifier confirm that the document they're holding is byte-for-byte identical to what you issued.

7. Signer audit trail. For documents that were electronically signed before issuance, include the complete audit trail: every signer's identity, IP, device, timestamps for each signing action, and any identity-verification evidence collected. This is the evidence that would be used in a legal dispute.

8. Legal framework cited. Explicitly name the legal frameworks the signature complies with — ESIGN and UETA for U.S. domestic, eIDAS simple/advanced/qualified tier for EU. This lets an auditor or regulator evaluate the document against the right standard without guessing.

9. Verification endpoint. The URL of the public verification page, plus — importantly — a short verification code the verifier can type in manually if QR scanning isn't available. Redundancy matters; a QR code alone is a single point of failure.

10. Revocation status. A current flag indicating whether the COA is active, revoked, expired, or superseded. Revocation is checked at verification time, so a COA can be invalidated the moment the underlying event changes (termination, credential revocation, contract superseded).

Missing any of these ten? Your COA is below the 2026 standard. Include all ten? You've built an issuer system that will stand up to any audit, regulatory review, or adversarial counterparty your customers encounter.

The COA template (copy-paste starting point)

Here is the minimal structure. Every modern verification platform should produce something equivalent to this automatically.

CERTIFICATE OF AUTHENTICITY

  • Document ID: [UUID or hash-derived identifier]
  • Document Type: [e.g., Offer Letter | Diploma | Insurance Certificate]
  • Document Title: [Human-readable title]
  • Issuer: [Your business legal name]
  • Issuer ID: [Verified organizational ID]
  • Issuer Domain: [https://your-domain.ai/issuer/your-business]
  • Recipient: [Recipient full name or organization]
  • Recipient ID: [Internal ID, verified if applicable]
  • Issued at: [ISO 8601 timestamp in UTC]
  • Timestamp Authority: [Name of TSA]
  • Document Hash: [SHA-256 hex digest of the final document]
  • Hash Algorithm: SHA-256
  • Signer Audit Trail:
    - Signer: [Name] <email>
      - Envelope viewed: [timestamp] from [IP], [device]
      - Signed: [timestamp] from [IP], [device]
      - Identity verified: [method, e.g., email + SMS + gov ID]
    - [Additional signers as applicable]
  • Legal Framework: [e.g., ESIGN, UETA, eIDAS AdES/QES]
  • Retention Policy: [Retention period, e.g., 7 years from issue]
  • Verification URL: https://verifydoc.ai/verify/[document-id]
  • Verification Code: [8-character alphanumeric code]
  • Status: Active (as of query time)
  • Revocation Registry: https://verifydoc.ai/revocations/[issuer-id]

This is not the only valid format — but every COA you issue should contain the equivalent of these fields, machine-readable behind the scenes and human-readable on the verification page.

The issuance process, step by step

Here is the end-to-end workflow a modern COA follows. Every step should be automated by your verification platform; you shouldn't have to think about any of them individually.

1. Finalize the document. The document content is locked. No more edits after this point without generating a new COA.

2. Compute the hash. The platform computes a SHA-256 hash of the final document. This hash is the cryptographic fingerprint embedded in the COA.

3. Generate the document ID. A unique identifier is created, typically derived from the hash plus an issuer namespace to guarantee global uniqueness.

4. Write the verification record. The document ID, hash, issuer, recipient, date, audit trail, and metadata are written to the issuer-controlled registry. This record is what the verification page queries.

5. Timestamp the record. A trusted timestamp authority (TSA) signs the verification record, anchoring its issue time in a way that can't be backdated.

6. Generate the QR code. A QR code encoding the verification URL is created. On high-security documents, the QR code is placed on every page to prevent page-swap attacks; on lower-risk documents, it may appear once.

7. Embed everything into the document. The QR code, document ID, short verification code, and any required legal-framework language are embedded into the final PDF.

8. Attach the digital signature. A cryptographic digital signature from the issuer's certificate is applied to the PDF itself, binding the content to the issuer's identity.

9. Deliver to the recipient. The completed document is sent to the recipient, along with an email containing the verification URL and instructions for how third parties can verify.

10. Expose for verification. Any third party who receives the document can now scan, verify, and get a verdict in under ten seconds — without contacting you.

For businesses using a platform like VerifyDoc.ai, steps 2 through 10 happen automatically in the background. Your operational workflow is: upload the document, pick the recipient, click "Issue."
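The core of steps 2 to 4 and step 10, together with the tamper and revocation tests, as an added example that is not VerifyDoc.ai's or this article's own code. It assumes an in-memory dictionary in place of the registry, a placeholder namespace `issuer.example`, the local clock in place of a TSA, and that the hash covers the exact bytes delivered to the recipient.

```python
import hashlib
import hmac
import uuid
from datetime import datetime, timezone

# Assumption: placeholder issuer namespace, not a real platform identifier.
ISSUER_NAMESPACE = uuid.uuid5(uuid.NAMESPACE_DNS, "issuer.example")


# In-memory stand-in for the issuer-controlled verification registry.
class CoaRegistry:
    def __init__(self):
        self._records = {}

    def issue(self, doc_bytes, issuer, recipient, doc_type):
        # Step 2: fingerprint the exact bytes the recipient will receive.
        digest = hashlib.sha256(doc_bytes).hexdigest()
        # Step 3: ID derived from the hash inside the issuer's namespace.
        doc_id = str(uuid.uuid5(ISSUER_NAMESPACE, digest))
        if doc_id in self._records:
            raise ValueError("these exact bytes were already issued")
        # Step 4: write the record (local clock here; step 5 would use a TSA).
        self._records[doc_id] = {
            "sha256": digest, "type": doc_type, "status": "active",
            "issuer": issuer, "recipient": recipient,
            "issued_at": datetime.now(timezone.utc).isoformat(),
        }
        return doc_id

    def set_status(self, doc_id, status):
        if status not in {"active", "revoked", "expired", "superseded"}:
            raise ValueError("unknown status: " + status)
        self._records[doc_id]["status"] = status

    def verify(self, doc_id, presented_bytes):
        """Return 'unknown', 'mismatch', or the record's current status."""
        record = self._records.get(doc_id)
        if record is None:
            return "unknown"
        # Compare against the registry's hash, never one printed in the file.
        presented = hashlib.sha256(presented_bytes).hexdigest()
        if not hmac.compare_digest(presented, record["sha256"]):
            return "mismatch"
        # Revocation is evaluated at query time, not at issuance.
        return record["status"]


def demo():
    registry = CoaRegistry()
    original = b"Offer Letter\nSalary: $85,000\n"  # constructed sample
    altered = original.replace(b"$85,000", b"$95,000")
    doc_id = registry.issue(original, "Example Corp", "A. Sample", "Offer Letter")
    before = (registry.verify(doc_id, original), registry.verify(doc_id, altered))
    registry.set_status(doc_id, "revoked")
    return before + (registry.verify(doc_id, original),)


if __name__ == "__main__":
    print(demo())
```

Because the ID is derived from the hash, issuing the same bytes twice is rejected here; a document sent unchanged to several recipients would need a per-recipient element in the ID or in the file itself.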

Five examples from real use cases

The specifics differ by industry. The 10-field structure doesn't.

Example 1: HR — Offer letter

An offer letter issued to a new hire carries enormous downstream weight. The hire will use it to verify employment when applying for a mortgage, a rental, a credit card, or a visa. Each of those third parties currently calls your HR team to confirm authenticity. A COA eliminates every one of those calls.

Specifics for an offer letter COA:

  • Document type: Offer Letter
  • Recipient: the hired employee, identity verified via the signing process
  • Legal framework: ESIGN / UETA, with the signer audit trail showing the employee's acceptance
  • Retention: 7 years minimum; permanent in many HR systems
  • Revocation: revoke the COA on employment termination so the offer letter cannot be reused for verification

See our specific guide on tamper-proof offer letters for the HR-specific playbook.

Example 2: Real estate — Proof of insurance certificate

Contractors, landlords, and property managers constantly request proof of insurance. Fraudulent insurance certificates are one of the fastest-growing categories of document fraud in 2026 — a single fake COI can unlock a multi-million-dollar construction job or lease.

Specifics for a COI COA:

  • Document type: Insurance Certificate
  • Issuer: the insurance carrier, not the insured party (critical — verification should trace back to the underwriter)
  • Recipient: the insured party
  • Additional required fields: policy number, coverage effective date, coverage expiration, limits
  • Revocation: any cancellation, lapse, or change in coverage should revoke the COA in real time

Example 3: Education — Diploma or credential

Diplomas and professional credentials are near the top of the fraud target list. AI-generated diplomas now pass casual visual inspection, and hiring managers are increasingly unable to distinguish them from real documents.

Specifics for a credential COA:

  • Document type: Diploma or Professional Certificate
  • Issuer: the granting institution
  • Recipient: the graduate, with identity verification
  • Additional required fields: degree type, major, graduation date, honors
  • Verification page: should show the institution's accreditation status alongside the credential
  • Revocation: uncommon but possible (academic misconduct, rescinded credentials)

Example 4: Contracts — Master Services Agreement

High-value B2B contracts need a COA that will stand up in litigation years after signing.

Specifics for a contract COA:

  • Document type: Master Services Agreement or Statement of Work
  • Signers: both parties, with full audit trails for each
  • Legal framework: ESIGN/UETA for U.S.-only; eIDAS AdES or QES for EU involvement
  • Retention: at least 7 years after the contract's termination, often longer
  • Revocation: the COA isn't "revoked" per se, but the contract may be superseded — link the COA to any amended or superseding agreements

Example 5: Finance — Loan document or invoice

Financial documents demand the highest evidentiary bar. Many regulators now explicitly expect cryptographic tamper evidence for retained financial records.

Specifics for a financial-document COA:

  • Document type: Loan Agreement, Invoice, Statement, etc.
  • Legal framework: ESIGN/UETA, plus any industry-specific regulations (SOX, Dodd-Frank, MiFID II)
  • Retention: typically 7–10 years, sometimes longer
  • Auditor access: the verification endpoint should support read-only access for auditors without requiring the issuer's cooperation

Common mistakes to avoid

Mistake 1: Issuing a "COA" that's just a decorative PDF. No hash, no registry, no verification endpoint. Looks official. Provides zero evidentiary value. Stop doing this.

Mistake 2: Storing the hash in the document itself only. The hash should live in a tamper-evident registry controlled by the issuer, not just inside the file. If the only copy of the hash is inside the document, a forger who modifies the document can also modify the stated hash.

Mistake 3: Using a QR code without a cryptographic backing. A QR code that links to a static "Verified" page without running an actual hash comparison is worse than no QR code — it creates false reassurance. The QR code must trigger a real cryptographic check each time.

Mistake 4: No revocation mechanism. COAs issued for HR, insurance, and credential documents must be revocable. A COA that says "Verified" for a terminated employee's offer letter is a liability, not an asset.

Mistake 5: Missing the short verification code. Relying exclusively on QR codes excludes situations where QR scanning isn't practical (faxed documents, printed archives, accessibility needs). Always include a short alphanumeric code that a verifier can type in manually.

Mistake 6: Hiding the verification endpoint. Some businesses are tempted to put verification behind a login. Don't. The entire point is that third parties — who may have no prior relationship to you — can verify independently. If verification requires an account, it isn't a COA, it's a walled garden.

Mistake 7: Not complying with the right legal framework. A U.S.-only COA is fine for U.S.-only documents. The moment an EU party is involved, you need to cite the correct eIDAS tier. A compliance officer will catch this; better to catch it yourself first.

What issuing COAs does for your business

Three things happen, in order.

First, inbound support load drops dramatically. Every "can you confirm this document is real?" call is a cost. Every one of those calls stops happening once the document is self-verifying.

Second, trust becomes a feature you can market. "Every document we issue is verifiable in one scan" is a promise most of your competitors cannot make. It's a differentiator in sales conversations, in onboarding, in retention.

Third, the whole category of document-based fraud against your customers shuts down. A forger can create a fake offer letter with your logo. What they can't do is create a fake offer letter that passes a hash check on your verification domain. The moment your customers know to scan the QR code, forged versions become worthless.

For the full picture of how certificates of authenticity fit into the modern document trust stack, see our pillar guide: How to Verify Document Authenticity in 2026.

Frequently asked questions

How much does it cost to issue a certificate of authenticity?

Through a modern platform, typically cents per document. The value returned — eliminated verification calls, reduced fraud exposure, trust as a differentiator — is orders of magnitude larger.

Do I need blockchain to issue COAs?

No. A trusted registry controlled by the issuer is sufficient for nearly all use cases. Some providers anchor COA records to public blockchains as an additional tamper-evidence layer, but this is not required for the verification to work.

What happens if my verification platform goes down?

Choose a platform with high uptime and a public status page. For high-value documents, look for platforms that escrow verification records with a third party or anchor them to a public blockchain, so verification survives even if the issuer's primary system is down.

Can I revoke a COA after issuance?

Yes, and you should have a clear policy on when revocation happens — employee termination, credential revocation, contract supersession, fraud discovery. Revocation is instantly reflected on the verification endpoint.

Who issues the cryptographic certificates behind the COA?

For documents requiring eIDAS qualified signatures, a Qualified Trust Service Provider on the EU Trust List. For most other use cases, any reputable certificate authority (DigiCert, GlobalSign, Sectigo, Entrust, or your verification platform's built-in CA).

Can I issue COAs for documents I didn't originally create digitally?

Yes. You can upload a scanned or pre-existing document, run it through your COA issuance process, and generate a verification record for it. The hash will reflect the exact file you uploaded, so any modification afterward will fail verification.

How do I tell my customers to verify documents I issue?

Add a one-line footer to every issued document: "To verify this document's authenticity, scan the QR code or visit verifydoc.ai/verify and enter code [XXXXXXXX]." Consistent language across documents trains recipients to expect and use the verification.

Where to go from here

If your business issues any document that a third party will rely on — contracts, certificates, diplomas, offer letters, insurance certificates, financial statements — you should be issuing a certificate of authenticity with each one. The technology is mature, the user experience is frictionless, and the business return is large.

The operational path is simple: pick a platform that generates all ten COA fields automatically, attaches a QR code and short verification code, and exposes a public verification endpoint. Then make COA issuance the default for every document that matters.

VerifyDoc.ai is built specifically for this — sign or upload any document, attach a QR code, and issue a certificate of authenticity that any recipient can verify with a single scan, in under five minutes from signup to first issued document.

Ready to issue your first certificate of authenticity? Try VerifyDoc.ai free and give your customers a document they can trust — and prove.
