Verifiable Right-to-Work Documents

The shape of the problem in the US: I-9 and E-Verify

The Form I-9 (Employment Eligibility Verification) is the foundational right-to-work document for every employer in the US. The form has existed in essentially its current shape since the Immigration Reform and Control Act of 1986. The verification model — employer reviews specific identity and work authorisation documents, attests to having done so, retains the form for a defined period — has held throughout, even as the form has been updated periodically (most recently the August 2023 revision, which permanently authorised remote document examination under specific conditions for E-Verify participating employers).

For most of the form's history, I-9 verification happened in-person. The employee handed over the documents, the HR manager inspected them, the form was signed on paper, and the paper file went into a binder. The artefact produced was a paper I-9, with photocopies of the supporting documents stapled to it, signed by both the employee and the employer's authorised representative.

What changed in 2020 onwards is two-fold. First, remote hiring became the default for a substantial share of the US workforce, which meant the in-person inspection step had to be conducted at distance — typically by video, with the documents shown over webcam and photographs of the documents transmitted electronically. Second, the August 2023 final rule from DHS made the remote examination procedure (originally a COVID-era flexibility) a permanent compliance option for E-Verify employers in good standing, with specific procedural requirements about how the remote inspection is conducted and recorded.

The remote verification process generates electronic artefacts: photographs or scans of the supporting documents, screen recordings or screenshots of the video verification session, electronic signatures on the I-9 form by both the employee and the authorised representative, timestamps of when each step occurred, and (for E-Verify participants) the E-Verify case confirmation showing the work authorisation status returned by SSA and DHS within the prescribed window.

None of these electronic artefacts, in most current HRIS implementations, are cryptographically tied to each other or to the verifying employer's identity. The I-9 PDF exists in the HRIS. The supporting document scans exist in cloud storage. The E-Verify confirmation exists as a screenshot or a number in the HRIS audit log. The audit trail exists as a database log entry. Each piece, individually, is what it claims to be — but the chain connecting them, and the cryptographic proof that the chain is what it appears to be, is generally absent. An ICE audit three years later examines the chain by inspection: do the dates line up, do the documents match the form, is the manager's signature on the form attributable to a real person who was authorised to sign at the time? These are inspection questions, not cryptographic questions.

For most employers, most of the time, inspection is good enough — the audit finds the records substantially compliant and moves on. But for a meaningful minority of cases each year, the inspection raises questions that the employer has to answer with supporting evidence that's older, less complete, and less authoritative than it would have been at the moment of verification. That's the gap verifiable issuance closes.

The shape of the problem in the UK: share codes and sponsor licences

The UK right-to-work regime is structurally different from the US regime but produces a similar documentation problem.

For most UK workers — British citizens, Irish citizens, settled and pre-settled EU nationals, and individuals with indefinite leave to remain — right-to-work verification involves an employer checking either physical documents (passport, residence permit) or a digital share code generated by the worker through the gov.uk View and Prove Your Immigration Status service. The share code, when entered into the Home Office Employer Checking Service, returns a verification page showing the worker's identity and immigration status as of that moment. The employer prints or screenshots the verification page and retains it for the duration of employment plus two years.

The share-code verification page is, by design, a snapshot. It's valid on the day it's checked. The page expires after thirty days, and the historical state — what the page showed when the employer checked it — is not preserved in any form that can be re-retrieved later. The employer's retained evidence is whatever they captured at the moment of the check: a PDF print, a PNG screenshot, a screen recording. If, three years later, the Home Office wants to confirm what the employer saw at the moment of verification, the employer's evidence is whatever artefact they retained — and that artefact's authenticity is whatever the employer can demonstrate.

For sponsored workers under the UK skilled-worker route (and its predecessors going back to Tier 2), the documentation problem is heavier still. Sponsored workers are issued a Certificate of Sponsorship (CoS) by the employer, drawn against the employer's sponsor licence. The CoS is a Home Office-issued reference number tied to a record in the Sponsorship Management System; the actual document — typically generated as a PDF by the SMS or by the employer's downstream systems — describes the sponsored role, the worker, the sponsorship commitment, and the licence under which it's issued. The CoS is the foundation of the worker's visa application and the employer's ongoing sponsor compliance.

Sponsor licence audits — conducted by Home Office compliance officers on a rolling basis, often as a precondition for licence renewal or as a follow-up to specific compliance concerns — examine the employer's records for every sponsored worker over the licence period. The records include: the CoS as issued, the worker's right-to-work check at hiring, any subsequent re-verifications, the employer's records of role changes, salary changes, and termination events affecting sponsorship. A compliance officer assessing these records, sometimes years after the original events, faces the same inspection-by-degraded-evidence problem as the US auditor.

The two right-to-work regimes — US and UK — generate different document sets but produce structurally similar audit problems. In both cases, the employer is required to demonstrate, at an arbitrary future date, that a prescribed verification event happened with prescribed accuracy. In both cases, the artefacts produced today are not built to make that future demonstration cryptographically trivial. In both cases, the inspection-based demonstration works most of the time but degrades at the edges in ways that create real audit and compliance risk.

This is the gap verifiable issuance closes from the issuer's side.

What verifiable right-to-work issuance changes

The same architectural pattern that applies to other verifiable issuance use cases applies to right-to-work documents. The four components — a cryptographic signature, a QR code linking to a hosted proof page, a revocation channel, and long-term verifiability — work the same way for I-9s, share-code verifications, and certificates of sponsorship as they do for pay stubs, transcripts, and certificates of insurance. The category-level architecture is covered in Verifiable Document Issuance: The 2026 Category Guide; the application to right-to-work documents adds specific considerations around the prescribed format of each document type and the regulatory retention requirements that apply.

For Form I-9 specifically, verifiable issuance produces a signed PDF of the completed I-9 with a QR code in a non-conflicting location (typically the upper-right or lower-right corner outside the form's prescribed field area). The signed PDF is cryptographically bound to the signing employer's verifiable identity, the timestamp is anchored to a trusted timestamping authority, and the supporting documents (the List A, B, and C documents the employee provided) can be packaged into the same signed bundle or referenced by hash from the I-9 itself. The result is an I-9 record where the form, the supporting documents, the verification timestamps, and the signing employer's identity are cryptographically linked and independently verifiable by any third party with a phone — including, three years later, by an ICE auditor who scans the QR code on the printed form and sees the proof page confirm authenticity in two seconds.

For E-Verify cases, the verifiable artefact is the case confirmation document — the record showing the employee's work authorisation status as returned by SSA and DHS. The verifiable issuance layer captures the case result at the moment it's returned, signs the capture against the employer's identity, and produces a proof page that, years later, demonstrates the E-Verify result as of the verification date. The underlying E-Verify case is still authoritative on the DHS side; the verifiable issuance produces the employer's verifiable record of what was returned at the moment of verification.

For UK share-code verifications, verifiable issuance solves the snapshot problem directly. At the moment the employer performs the check through the Home Office Employer Checking Service, the verifiable issuance layer captures the returned page state (the worker's name, photograph, immigration status, and the page's prescribed contents) and produces a signed verification record. The signed record is cryptographically bound to the employer's identity and timestamped against a trusted timestamping authority. The QR code on the printed verification record resolves to a proof page that, years later, confirms the state of the share-code verification as the employer captured it on the day of the check — preserving the historical state that the Home Office's own service no longer retains.

For UK certificates of sponsorship, verifiable issuance produces a signed CoS document with the verifiable issuance layer applied at the moment the CoS is generated from the SMS. The signed CoS is cryptographically bound to the sponsor's licence identity (which most sponsoring employers will want to bind to a verifiable sponsor identity established in the issuance platform), and the QR code provides an independent verification path that any subsequent reviewer — visa officer, compliance auditor, foreign embassy — can use to confirm the CoS is authentic and current.

In every one of these cases, the structural change is the same: the artefact carries its own proof, and the future demonstration of compliance becomes a phone scan rather than a supporting-evidence reconstruction.

The audit-readiness shift

The most important practical consequence of verifiable right-to-work issuance is what it does to audit response time.

Under the current pattern, an ICE audit, a Home Office compliance visit, or a sponsor licence renewal review generates an evidence-assembly project for the employer. The HRIS records are exported, the supporting documents are gathered from wherever they live, the chain connecting each artefact to the others is reconstructed from system logs and email trails, the supporting attestations from managers (current and former) are collected, and the package is assembled into something the auditor can inspect coherently. For a mid-sized employer with two to five thousand active employees and a normal level of hiring activity, the assembly project typically takes a small team several days for an audit covering a multi-year window. For a larger employer or a more comprehensive audit, the project can stretch into weeks.

Under verifiable issuance, the same audit response is structurally different. The records exist as signed, QR-stamped artefacts in the HRIS. The auditor can scan any individual record's QR code and verify authenticity in two seconds. The chain connecting each artefact to the others is preserved by the cryptographic bindings — the I-9 references the supporting documents by hash, the E-Verify confirmation references the I-9 by hash, the timestamps are independently verifiable against the timestamping authority. The employer's audit response is no longer "assemble the evidence that proves what we did"; it's "show the auditor where the records live, and let them verify each one in seconds."

This is a meaningful shift in the regulatory posture of the employer. Compliance demonstration is no longer a project that consumes operational capacity for days or weeks every time it's triggered; it's a property of the records themselves, demonstrable on demand without preparation.

For employers with frequent audit exposure — federal contractors subject to ICE I-9 audits, sponsor-licensed employers in the UK with high sponsored-worker headcount, employers in regulated industries with specific right-to-work documentation obligations (financial services under FCA rules, healthcare under sector-specific employment regulations, defence contractors under federal security requirements) — the shift from project-based audit response to property-based audit response is the operational case for verifiable issuance.

For employers without frequent audit exposure, the case is the residual-risk reduction: the next audit, whenever it comes, is structurally less risky because the records carry their own proof. The same logic that justifies fire suppression systems in low-fire-risk buildings applies — the worst-case cost of an audit gone badly is substantial enough that the modest cost of verifiable issuance is justified by risk reduction alone.

Implementation pattern for HRIS-driven employers

The natural integration point for verifiable right-to-work issuance is the HRIS — Workday, BambooHR, Rippling, Gusto, Paychex, HiBob, Personio, Hibob, or any of the smaller specialised platforms — because that's where right-to-work documents are generated and stored today.

The integration sits at the document-generation step for each right-to-work document type:

For I-9 generation, the HRIS or specialised onboarding platform generates the completed I-9 PDF at the moment both the employee and the authorised representative have completed their respective sections. The verifiable issuance layer hooks in after the PDF is rendered but before it's stored as the final record: the PDF is signed against the employer's verifiable identity, a QR code is overlaid in a non-conflicting location, and the signed PDF is what gets stored as the I-9 of record. The employee's experience and the authorised representative's experience don't change; the resulting artefact is now verifiable.

For E-Verify case capture, the integration sits at the moment E-Verify returns its case result. The verifiable issuance layer captures the case confirmation page (or the structured case data, depending on the integration depth) and produces a signed capture record. The signed record can be appended to the I-9 bundle or stored as a separate linked artefact, depending on the employer's record-keeping convention.

For UK share-code verifications, the integration sits at the moment the employer's HR team completes the Home Office Employer Checking Service check. The verifiable issuance layer captures the page state and produces a signed verification record. For employers running modern onboarding platforms, this is automated through a browser plugin or a recorded session that captures the state at the moment of verification; for employers running manual processes, the verification record can be produced by uploading a screen capture into the issuance platform within the same session.

For Certificate of Sponsorship issuance, the integration sits at the SMS-to-PDF generation step. Most sponsoring employers export CoS records from the SMS into their own document systems for retention and communication to sponsored workers; the verifiable issuance layer applies at the export step, producing a signed CoS PDF bound to the sponsor's verifiable licence identity.

For employers running modern HRIS platforms with API access (Workday, Rippling, HiBob, BambooHR, Gusto, and most current-generation platforms), the integration is a webhook or API call at the appropriate document-generation step. The HRIS team adds the integration once, the verifiability properties apply to every document the platform produces from that point forward, and the CSR or HR generalist workflow is unchanged. For employers running older HRIS platforms without API access, the integration uses alternative patterns: a watch folder where generated documents are signed and re-stored, an email forwarding rule that processes outbound documents, or a browser-based capture layer for manual workflows.

The deeper integration pattern, covering authentication, signing identity management, webhook handling, and SDK coverage, is described in The VerifyDoc.ai API: Embedding Verifiable Issuance Into Your Product.

The remote-first compounding factor

Remote-first employers face the documentation problem at a higher amplitude than in-office employers, and verifiable issuance addresses the amplification specifically.

The reason is structural. In an in-office hiring model, the right-to-work verification is performed by an HR person who physically inspects documents handed across a desk. The verification artefact is straightforward: a paper I-9 with photocopies of the originals, signed in person. The chain connecting the verification event to the supporting evidence is short and obvious — same room, same minute, same handwriting.

In a remote-first hiring model, the verification is performed at distance, often by a manager or a third-party identity provider, with the supporting documents transmitted electronically. The verification artefact is electronic: a digital I-9 with image files of the documents, signed by both parties at different times from different locations. The chain connecting the verification event to the supporting evidence is longer and less obvious — different rooms, different timestamps, often different software systems for each step. The chain's authenticity rests on the integrity of the connecting systems and the audit trail across them.

For remote-first employers, the audit response problem amplifies the chain integrity problem. The auditor inspecting a remote-hired employee's I-9 record three years later faces more pieces of evidence, more system boundaries between them, more opportunities for any one piece to have degraded over time, and a higher fraction of the supporting infrastructure (the video session recording, the document upload portal, the verification page screen captures) that has long since been migrated or deprecated.

Verifiable issuance collapses the chain integrity problem to a cryptographic problem. The pieces are bound to each other by hash; the bindings are verifiable independently of the systems that produced them; the timestamps are anchored to a timestamping authority that exists independently of the employer's infrastructure. A remote-first employer who issues right-to-work documents verifiably has the same audit-readiness posture as an in-office employer with paper files in a binder — and a substantially stronger posture than a remote-first employer whose evidence depends on the continued operation of the software systems that produced it.

This is the strategic case for remote-first employers specifically. The verification model is structurally less robust to time than the in-office model; verifiable issuance is the architectural fix that makes the remote model audit-equivalent (or better) to the paper-and-binder model. For employers building globally distributed teams in 2026, this is not a marginal consideration. It's a structural compliance requirement that the employer either solves with verifiable issuance or carries as residual risk against future audit exposure.

The regulatory environment

Several specific regulatory developments in 2026 make verifiable right-to-work issuance more relevant than it would have been even two years ago.

The DHS final rule on alternative procedures (88 FR 47990, August 2023) made remote document examination permanent for E-Verify employers in good standing, with specific procedural requirements about how the remote inspection is conducted and recorded. The rule's record-keeping requirements explicitly require employers to retain "a clear and legible copy" of the documents examined and to "retain a record of the document examination procedure used." Verifiable issuance satisfies these requirements more cleanly than ordinary PDF storage because the signed artefact embeds the procedure record (the timestamps, the signing identities, the document hashes) within the cryptographic binding.

The Home Office's digital right-to-work check guidance, updated periodically since 2022 and continuing into 2026, prescribes the procedure for share-code verifications and the records employers must retain. The guidance permits "clear copies" of the verification page to be retained electronically; it does not (currently) require cryptographic provenance on the retained record, but it doesn't preclude it either. Employers retaining cryptographically-signed verification records exceed the current minimum standard and position themselves favourably for likely future strengthening of the requirements.

Sponsor licence guidance published by the Home Office (the current version is the "Workers and Temporary Workers: guidance for sponsors" document set, updated regularly) prescribes the records sponsor-licensed employers must retain for each sponsored worker, the retention periods, and the form of evidence required. The guidance is specific about retention but permissive about format: cryptographically-signed records satisfy the requirement and position the employer ahead of the curve for compliance visit scrutiny.

eIDAS 2.0 (Regulation EU 2024/1183), which we've covered in depth at eIDAS 2.0 and the EUDI Wallet: What Changed in 2024-2026, creates the EU framework for verifiable credentials presented via the European Digital Identity Wallet. For employers operating in the EU or hiring EU-resident workers, right-to-work credentials issued through the EUDI Wallet framework will be the default for cross-border verification by the end of the decade. Employers issuing right-to-work documents in verifiable form today are positioned cleanly for the EUDI Wallet transition; employers issuing in ordinary PDF form will face a re-platforming project as the wallet ecosystem matures.

GDPR Article 5(1)(f) requires personal data to be processed with appropriate security including protection against unauthorised or unlawful processing. Right-to-work documents contain extensive personal data — names, dates of birth, passport numbers, immigration status. Cryptographic signing at issuance is a structurally stronger answer to the GDPR integrity requirement than ordinary PDF storage with audit trails.

Sector-specific employment regulations — FCA rules on senior managers and certification regime documentation, healthcare regulator rules on workforce credentialing, defence contractor rules on personnel security clearance documentation — all touch the right-to-work documentation chain at different points. Each of these regimes is moving, at its own pace, toward stronger evidence requirements on employer records. Verifiable issuance is the architectural pattern that satisfies the strongest current requirements and the likely near-future ones.

The shorter version: nothing currently requires verifiable right-to-work issuance, but the regulatory pressure is consistent and one-directional. Employers adopting today are positioned correctly for the trajectory; employers waiting will face higher transition costs when explicit requirements arrive.

Does verifiable I-9 issuance change the form?

No. The Form I-9 itself — the prescribed federal form, currently the August 2023 revision — renders exactly as it always has. The cryptographic signing happens against the rendered PDF, and the QR code is placed in a location that doesn't conflict with the form's prescribed field areas. ICE auditors, E-Verify staff, and the employer's own HR team see the same I-9 they're used to, with an additional QR code in the corner that any of them can scan for instant authenticity verification.

Does this replace E-Verify?

No. E-Verify remains the authoritative system for confirming work authorisation against SSA and DHS records. Verifiable issuance produces a verifiable capture of the E-Verify case result at the moment it's returned, so the employer has a cryptographically-signed record of what E-Verify confirmed on the verification date. The E-Verify case itself is still authoritative; the verifiable issuance produces the employer's verifiable record.

Will ICE auditors actually scan the QR code?

The QR code provides instant verification, but it's not the only way ICE can audit the records. An auditor who chooses not to scan can still inspect the records the way they always have. The QR code is a faster path to authenticity confirmation for auditors who want it, and a much stronger audit-readiness posture for the employer because the record's authenticity is provable on demand regardless of whether any individual auditor chooses to verify it. As verifiable issuance becomes more common across employers, auditor familiarity with QR-based verification will increase; in the meantime, the verifiable record is at minimum as strong as the unverifiable record and substantially stronger in the cases where the auditor does verify.

What about share-code verifications that have already expired?

Verifiable issuance only applies prospectively — share-code verifications already performed and retained as ordinary screenshots remain whatever they were. For share-code verifications performed from the integration date forward, the captured page state is preserved verifiably, eliminating the expired-page problem. Some employers choose to re-verify selected sponsored or higher-risk workers proactively to bring their records under verifiable issuance; most apply verifiable issuance forward and let the back-book remain in the legacy format.

How does this handle the supporting documents?

The supporting documents — the passport scan, the driver's licence image, the Social Security card, the residence permit — can be either embedded in the same signed bundle as the I-9 (cryptographically bound together) or referenced by hash from the I-9 itself with the originals stored separately. Both patterns are common; the choice depends on the employer's broader document retention architecture. Either pattern provides cryptographic linkage between the I-9 and the supporting evidence.

Does the employee see anything different?

The employee's experience is unchanged. They complete the employee section of the I-9 in the HRIS the way they always have. The cryptographic signing happens server-side after both parties have completed their sections. The employee's stored copy of the I-9 (if the employer provides one) is the signed, verifiable version, but the form they completed and the process they went through look identical.

Can we revoke a right-to-work document?

The cryptographic signature is permanent — once signed, the record of what was verified at that moment exists permanently. The proof page status can be updated, however, to reflect subsequent changes: an employee whose work authorisation has lapsed will have a proof page showing the original verification (authentic, on the original date) and the current status (expired, with the date of expiration). This matches the regulatory model, which doesn't require employers to delete records when status changes but does require accurate current information.

Is VerifyDoc.ai the right platform for this?

VerifyDoc.ai is an issuer-side verifiable document platform. Right-to-work documents — I-9s, E-Verify confirmations, share-code verifications, certificates of sponsorship — fit cleanly within the platform's issuance architecture, and several of the existing integration patterns we cover for HR documents (offer letters, employment verification letters, pay stubs) apply directly. For the broader category context, see Verifiable Document Issuance: The 2026 Category Guide. For the distinction with verifydoc.com (which operates in the recipient-side fraud detection category, not the issuance category), see VerifyDoc.ai vs verifydoc.com: What's the Difference?.

What about for non-US, non-UK jurisdictions?

The same architectural pattern applies to right-to-work documentation in other jurisdictions — Australian work rights checks via VEVO, Canadian work permit verifications, EU national systems prior to EUDI Wallet adoption, and country-specific employer verification frameworks across most developed economies. The verifiable issuance pattern is jurisdiction-agnostic; the specific document formats and regulatory requirements vary by country, and the implementation configures to those specifics. For EU jurisdictions, eIDAS 2.0 and the EUDI Wallet create a specific trajectory toward Verifiable Credentials format for right-to-work credentials presented across borders, which the verifiable issuance pattern supports natively.

How long does implementation take?

For employers running modern HRIS platforms (Workday, Rippling, HiBob, BambooHR, Gusto, Paychex with modern APIs), a working pilot covering one right-to-work document type can run in days. Full production rollout covering all right-to-work document types, with appropriate HR team training and audit-team familiarisation, typically takes four to eight weeks. For employers running older HRIS platforms requiring alternative integration patterns, the timeline extends but the architecture remains the same.

What does this cost?

Pricing for verifiable issuance is volume-based — based on the number of documents issued per month — rather than per-seat. For most employers, the cost per right-to-work document is meaningfully lower than the loaded cost of the audit-response work that verifiable issuance eliminates, before accounting for the residual-risk reduction. Current pricing tiers at verifydoc.ai/pricing.

Where to go from here

If you're at a US employer thinking about whether to add verifiable issuance to your I-9 workflow, the natural next reading is Verifiable Document Issuance: The 2026 Category Guide for the broader category context and Tamper-Proof Offer Letters for the closely-related HR document workflow that most employers tackle alongside right-to-work documentation.

If you're at a UK sponsor-licensed employer, the same category guide applies, plus Verifiable Employment Verification Letters and Verifiable Pay Stubs for the related employee-document categories that sponsor licence compliance reviews often examine in parallel with right-to-work documentation.

If you're at a remote-first employer building globally distributed teams in 2026, the underlying architectural case applies across every right-to-work document your team produces — and the closely-related categories (employment verification letters, offer letters, employee statements) compound the audit-readiness benefit. Issuer-Side vs Recipient-Side Document Trust is the diagnostic for placing each of your document flows on the right side of the verification problem.

If you're at an HRIS or onboarding platform considering whether to add verifiable issuance as a feature for your customers, The VerifyDoc.ai API developer guide covers the integration patterns and architectural decisions. Right-to-work documentation is one of the highest-value document categories for HRIS platforms to add verifiable issuance to, both because the audit-response use case is concrete and quantifiable for HRIS customers and because the regulatory trajectory in 2026 is pointing clearly in this direction.

The underlying structural shift is the same as in every other verifiable issuance category: the documents you issue today either carry their own proof of authenticity or they don't, and the audit, compliance review, or future demonstration of compliance is either a property of the records themselves or a project you'll have to undertake when the audit is called. Right-to-work documentation is one of the categories where the project version is most expensive — because the audit windows are long, the records are detailed, and the consequences of inadequate evidence are direct compliance risk — and the property version is correspondingly most valuable. The employers who issue right-to-work documents verifiably from 2026 forward will be the ones whose audit responses are calm; the employers who don't will be the ones whose payroll directors get the 4:50 p.m. Thursday call and spend the next three days reconstructing chains of evidence that should have been verifiable from the start.

This is the fifth article in our series on verifiable document issuance. For the foundational category context, see Verifiable Document Issuance: The 2026 Category Guide; for the buyer's diagnostic between issuer-side and recipient-side document trust, see Issuer-Side vs Recipient-Side Document Trust; for the developer-facing API guide, see The VerifyDoc.ai API; for the COI use case, see Verifiable Certificates of Insurance. The architectural distinction between VerifyDoc.ai (issuer-side issuance) and verifydoc.com (recipient-side detection) is covered in VerifyDoc.ai vs verifydoc.com: What's the Difference?.