Why we use SHA-256 hashing for passport records — and what it actually proves

Every AI Verified Passport has a forensic hash — a SHA-256 string that looks something like `a3f8c2...`. We get questions about what this actually does, so here's a plain-language explanation. SHA-256 is a one-way cryptographic hash function. You feed it an input (in our case, your business identity record at the moment of verification), and it produces a fixed-length string. The same input always produces the same hash. A different input — even one character different — produces a completely different hash. What this means for your passport: the hash is a tamper-evident seal on your identity record at the time of verification. If someone claims your business is registered at a different address, or with a different company number, than what's in your passport, the hash won't match. The mismatch is proof that the record has changed. **What it doesn't prove** It doesn't prove the underlying data was accurate when the passport was issued. If you registered with incorrect information, the hash seals in the incorrect information. The hash proves consistency over time, not accuracy at the point of origin. It also doesn't prove your business is legitimate in any broader sense. It proves your identity record is internally consistent and hasn't been tampered with since verification. That's a narrower claim than "this business is trustworthy" — but it's a claim we can actually make and stand behind. **Why this matters for AI systems** AI systems that are trying to decide whether to cite a business benefit from signals that are hard to fake. A SHA-256 hash on a public registry record is harder to fake than a self-reported business description. That's the signal we're providing.