API teams at lending platforms are usually pulled into business verification after the underwriting team has already hit a wall. Product needs faster pre-funding checks, risk wants lien visibility, compliance wants a dated record of what was checked, and engineering is told to connect fragmented state data without spending six months on bureau approval, custom scrapers, or brittle portal logic. For a solutions engineer, API developer, integration lead, or product manager, the real deliverable is a production verification object: one request path, normalized fields, explicit response states, source evidence, and queue logic that underwriters can trust.
The clean pattern is to treat state registration and UCC data as one verification service: collect the applicant's legal name and state, resolve the entity through a Secretary of State lookup, request lien data with the same call where supported, store the source proof and request identifiers, then route low-confidence, slow, or unsupported-state outcomes to a review queue. Cobalt's Secretary of State API covers all 50 states plus DC, UCC filing data is currently available in 11 states through `uccData=true`, and Full Verification handles unknown-state searches with an async all-state workflow. The goal is not to hide edge cases. The goal is to make those edge cases explicit, logged, and easy for operations to handle.
What Should the Integration Solve Before Funding?
The integration should answer three questions for the lending workflow: is the business registered, does the registration match the application, and are there public UCC filings that change the collateral picture. UCC filings give public notice that a creditor has a secured interest in a debtor's collateral, and state UCC offices maintain filing systems that lenders search before relying on collateral.[1] State registration data is separate. It confirms the entity's legal name, status, formation date, agent, address, and officer data where a state publishes it.
What does the underwriter need from the response?
Underwriting does not need raw state portal HTML. It needs normalized fields it can route. At minimum, the response should expose legal name, normalized status, filing date, state of formation, confidence score, source URL, screenshot URL when requested, and UCC filing details when available. UCC details should include filing number, filing date, secured party, debtor, and collateral description. That allows underwriting to distinguish a clean active entity from a dissolved entity, a close name match, or a merchant with a broad prior lien.
What does compliance need from the response?
Compliance needs a reproducible record. That means request ID, timestamp, source URL, screenshot URL, input values, response status, and final routing decision. Texas, Pennsylvania, New York, and other state systems each publish their own UCC filing or search processes, which is exactly why a lender should log the source and time of each check rather than relying on a verbal "looked good" note.[2][3]
What does engineering need from the response?
Engineering needs predictable states: complete, incomplete, failed, async callback pending, retryable timeout, no match, low-confidence match, unsupported UCC state, and manual review required. Without those states, every exception becomes a Slack thread. With those states, the product can show underwriters a reason code and give support enough context to debug.
How Should Developers Model the Verification Request?
Start with the smallest reliable input contract. Require business name and state when the applicant knows the registration state. Accept entity ID when available because it is more precise than name search. Add optional address filters to reduce false positives in high-volume states. Request screenshots for final underwriting decisions, not every top-of-funnel pre-screen.
Which endpoint should you call first?
Use Cobalt's Secretary of State endpoint when the state is known:
curl --location 'https://apigateway.cobaltintelligence.com/v1/search?searchQuery=Acme%20Corp&state=delaware&liveData=true&uccData=true&screenshot=true' \
--header 'x-api-key: YOUR_COBALT_API_KEY' \
--header 'Accept: application/json'That request verifies the entity and asks for UCC data in the same response where UCC is supported. For top-of-funnel checks, set `liveData=false` to use cached data for speed, then run `liveData=true` before a final decision. For slow state lookups, include a `callbackUrl` so the workflow can continue while the state portal responds.
When should you use Full Verification?
Use Full Verification when the applicant does not know the state of registration, when the business may be registered in several states, or when the workflow needs all-state discovery. Full Verification searches all 50 states plus DC, costs 3 credits per lookup, and runs asynchronously with a 5 to 30 minute processing window. That async shape should be reflected in the product flow: initialize, poll or receive callback, show partial status, then attach completed results to the application file.
How should request payloads be normalized?
Normalize before the API call and again after it. Before the call, trim whitespace, preserve punctuation from the legal name, and avoid silently rewriting names. After the call, store Cobalt's returned legal name and state data as the verified record. UCC search quality depends on the exact debtor name. Under UCC Article 9, errors or omissions can make a financing statement seriously misleading, and a financing statement is effective for five years unless continued.[4][5]
How Should the API Response Drive Underwriting Decisions?
Do not hard-code a single pass/fail result. State registration and UCC checks are evidence inputs, not a decisioning engine. The integration should return a structured verification object that underwriting rules can evaluate.
Which fields should be stored in the system of record?
| Input or output | Cobalt parameter or field | Storage destination | Underwriting use |
|---|---|---|---|
| Submitted business name | `searchQuery` | Application record | Compare applicant input to verified legal name |
| Known state | `state` | Application record and verification log | Scope the SOS lookup and UCC coverage decision |
| Entity ID when available | `sosId` | Application record | Reduce false positives in name search |
| Live final check | `liveData=true` | Verification event | Confirm source status at decision time |
| UCC request | `uccData=true` | Verification event | Return lien data where coverage exists |
| Screenshot request | `screenshot=true` | Evidence store | Preserve point-in-time source proof |
| Callback destination | `callbackUrl` | Integration config | Handle slow state responses without blocking the UI |
| Returned confidence score | `confidenceScore` or equivalent match score | Decision record | Route high, medium, and low match quality |
| Returned filing details | `uccFilings` | Collateral review record | Review secured party, debtor, date, and collateral scope |
| Returned request ID | `requestId` | Audit log | Reconstruct the check during review |
• Identity fields. Store submitted business name, verified legal name, entity ID when available, state, formation date, entity type, registered agent, and address fields.
• Status fields. Store raw state status, normalized status, status date if available, and confidence score.
• Lien fields. Store UCC filing number, filing date, secured party, debtor name, collateral description, amendment data where present, and source state.
• Evidence fields. Store request ID, source URL, screenshot URL, timestamp, response status, and retry ID or callback event ID.
• Decision fields. Store routing rule, reason code, reviewer ID if touched by a human, final disposition, and timestamp.
These fields let product and operations answer the same question from the same record: what did the system know before funding, and why did it route the file that way?
What status logic should product teams avoid?
Avoid treating "no UCC data returned" as "no liens exist." Cobalt's UCC data covers 11 states today, while Secretary of State entity verification covers all states plus DC. If the state is outside automated UCC coverage, return `unsupported_ucc_state` or a similar reason code and route to manual UCC search. If the state is covered but the source returns no filing, store that as a covered no-match result with timestamped proof.
How should confidence scores map to queues?
A practical rule set is:
• High confidence match. Auto-clear active registrations when legal name, state, and address context align.
• Moderate confidence match. Queue for analyst comparison with possible alternatives attached.
• Low confidence match. Treat as unresolved and ask for entity ID, formation state, or documentation.
• Inactive or dissolved status. Route to fraud or enhanced review, not straight approval.
• Existing broad UCC filing. Route to underwriting for lien-position analysis and possible payoff or subordination review.
• State timeout or async pending. Keep the application open and retry or wait for callback rather than showing a terminal decline.
The queue labels matter. "Manual review" is too vague. "Low confidence SOS match" or "UCC coverage gap" tells the reviewer what to do next.
What response-state matrix should the product expose?
| State | Meaning | Product behavior |
|---|---|---|
| `complete` | Entity lookup finished and returned usable data | Evaluate status, confidence, and UCC result |
| `incomplete` | Source result exists but is missing required data | Queue for analyst review with missing-field reason |
| `retry_id_available` | Lookup needs retry or retrieval using a prior ID | Store retry ID and schedule follow-up job |
| `callback_pending` | State response moved out of the sync window | Show pending status and wait for callback |
| `no_match` | No likely entity was found | Ask for entity ID, state correction, or documentation |
| `low_confidence` | Match quality is below auto-clear threshold | Queue with possible alternatives attached |
| `unsupported_ucc_state` | SOS completed, but automated UCC is unavailable for that state | Send to manual UCC workflow |
| `manual_ucc_required` | UCC cannot be automated or result needs human interpretation | Block final approval or route based on policy |
How Do You Build an Audit Trail Without Slowing the API?
Audit trail design should be part of the first sprint, not a later compliance patch. UCC and entity verification are public-record checks, but lenders still need to show when the check happened, what source was used, and what result supported the decision.
What should be logged synchronously?
Log the request and response metadata immediately: input values, normalized input, endpoint, request ID, response status, latency, source URL, screenshot URL, and routing result. Do not treat a hosted screenshot URL as your long-term evidence store. Archive the file in your own document system when the decision is final, then keep the URL and request ID as lookup metadata.
What should be handled asynchronously?
Screenshots, slow state results, callbacks, and Full Verification outcomes can be processed asynchronously. The product should show a pending state instead of forcing the underwriter to refresh the page. For an API team, this is usually a background job plus a webhook receiver:
{
"application_id": "app_12345",
"verification_status": "pending_callback",
"source": "cobalt_sos",
"state": "oregon",
"request_id": "req_abc123",
"reason": "state_response_time_exceeded_sync_window",
"next_action": "wait_for_callback"
}How do audit logs support investors and exams?
An audit log lets the lender show that it checked the official source at the point of decision. That is especially important because U.S. company data is fragmented across state registries, not maintained in one complete national register.[6] A timestamped source record gives the file context if a borrower later changes status, files a new lien, or disputes what the lender knew.
The production rule is simple: every automated clear should be explainable from stored source data, and every exception should tell the reviewer exactly which fact is missing or risky.
How Should API Teams Handle UCC Coverage Limits?
The safest integration tells users what it can verify automatically and what still needs a separate step. That honesty prevents product, sales, and underwriting from overstating what the API did.
What should happen in supported states?
When UCC is supported, pass `uccData=true`, store the returned filings, and map lien details into underwriting review. UCC filings are public notices of secured interests, and industry guidance treats UCC searches as a core pre-funding step for understanding prior security interests.[7] For MCA, equipment finance, asset-based lending, and trade credit, existing secured parties and collateral descriptions can materially change the risk view.
What should happen in unsupported states?
Return a clear reason code and route the application to a manual UCC step:
• `ucc_supported=false`. The state is outside current automated UCC coverage.
• `entity_verified=true`. SOS verification still completed successfully.
• `manual_ucc_required=true`. A human or alternate provider must search the state's UCC index.
• `funding_block=false`. Product can decide whether this blocks funding or only blocks final approval.
• `audit_note`. Store that UCC was not automated for this state.
This preserves the value of the SOS verification without pretending the lien search was complete.
How should you communicate state fees and source differences?
Expose state-specific source restrictions in the integration docs and application logs. State portals differ in response time, available fields, officer data, document access, and fee behavior. If the API response includes a state-specific caveat or charge, surface it to operations. Hiding state variation creates support tickets later.
How Do You Avoid Building a Fragile State-Scraper Project?
A developer team can write a scraper for one state quickly. Maintaining 50 state integrations is a different problem. State sites change forms, search behavior, captchas, fees, field labels, and uptime. That is why API teams should evaluate whether they are building a product feature or inheriting a registry maintenance function. The secured finance industry has made the same API argument for UCC operations: when data already lives in a loan system, an API can move that data directly into filing or search workflows and reduce re-keying errors.[10]
What are the build risks?
The build risks are not only engineering hours. They include data normalization, monitoring, state-by-state test fixtures, field mapping, retry strategy, screenshot capture, portal break detection, and support escalation when a state page changes. State UCC portals also differ by process. Texas, for example, moved UCC activity into an SOS Portal workflow and publishes separate filing instructions for users.[2][8]
Where do competitors fit?
Teams may compare four paths:
• Manual state portals. Lowest software cost, highest labor cost, weakest audit consistency.
• Broad KYB platforms. Useful when the buyer wants a larger onboarding suite, but not always built around lender-specific lien routing.
• UCC service providers. Strong for filing operations and search services, especially for legal and secured-finance teams that need managed UCC work.
• Cobalt's state-source API. Best fit when the product team needs direct API access to normalized SOS data, screenshot evidence, lender workflow fields, and UCC data where supported.
CSC and Wolters Kluwer have deep UCC operations content. Middesk and other KYB providers frame Secretary of State APIs as a way to reduce manual business verification work.[9] The key technical question is fit: do you need broad KYB onboarding, UCC operating services, or a developer-oriented state-source verification API that can return normalized entity data, screenshot proof, and UCC data where supported?
What is Cobalt's technical fit?
Cobalt fits teams that want direct API access to primary-source state verification, normalized state data, screenshot evidence, and practical routing for lender workflows. The SOS API uses `GET /v1/search`, supports business name, entity ID, person-name search, address filters, cached or live mode, screenshots, callback handling, and UCC data via `uccData=true`. The Full Verification API supports unknown-state searches through an async all-state process. For a broader lender architecture view, see Cobalt's business verification APIs guide and the UCC Filing API resource for lenders.
How Should You Roll This Out From Sandbox to Production?
Treat verification as a workflow launch, not just an endpoint launch. Product, risk, compliance, and engineering should agree on test cases before live traffic starts.
Which test cases should be required?
Start with a small fixture set:
• Exact active match. Known legal name and state returns a high-confidence active entity.
• Name variation. DBA, punctuation difference, or abbreviation returns alternatives.
• Inactive entity. Dissolved or inactive status routes to enhanced review.
• Supported-state UCC hit. Existing filing returns secured party and collateral fields.
• Supported-state UCC no-hit. Covered state returns no filings and logs proof.
• Unsupported-state UCC. Entity verification completes, UCC routes to manual search.
• Slow state callback. Request returns pending and later completes through callback or retry.
• Unknown state. Full Verification initializes and later returns state matches.
If the team cannot explain what each fixture should do, the production workflow is not ready.
What should observability include?
Track success rate, timeout rate, callback completion rate, state-level latency, unsupported UCC state volume, low-confidence match volume, manual review rate, and reviewer override rate. This gives product managers a real picture of friction instead of only aggregate API volume. It also helps account teams explain state-specific behavior when a customer asks why one state takes longer than another.
What should go in the launch checklist?
The launch checklist should include API key storage, retry policy, webhook authentication on your receiver, screenshot archival, request ID logging, state caveat handling, manual queue labels, customer-facing reason codes, and a rollback path. Do not let the first failed state lookup define the error model.
What Is the Practical Architecture?
For API teams, the answer is technical. Lenders verify UCC filings and state registrations automatically by integrating a state-source verification API into the underwriting workflow, using the Secretary of State lookup as the entity resolver, adding UCC data where coverage exists, storing audit evidence, and routing unsupported or uncertain outcomes to review. The win is not a prettier lookup screen. It is a stable integration contract that turns fragmented public records into a normalized verification object underwriters can use.
This is also where the developer experience matters. Clear parameters, predictable response states, test modes, callback handling, normalized fields, and evidence URLs reduce implementation drag. The lender gets faster pre-funding checks. Engineering gets a narrow integration surface. Compliance gets a dated record. Operations gets a queue that says what is wrong instead of asking reviewers to start from scratch.
For the business-side version of this workflow, read How Do Lenders Verify UCC Filings and State Registrations Automatically?. For deeper state-source reliability planning, read SOS API Reliability: How Cobalt Handles State Portal Outages.
Schedule a free demo to test a live UCC and state registration verification workflow with your own integration team.
.jpg){kind=small}
.png)