API · Conventions
Incorporator protocol
Cryptographic proof of an entity's birth. The founder is the named incorporator; the IncorporatorReceipt records who signed, on what legal basis, with what acknowledgements. Verifiable offline.
Last updated
TL;DR
The founder named at entity.incorporator_stakeholder_id signs the
Certificate of Incorporation — Matter never signs as incorporator. The birth
of the entity is recorded as an IncorporatorReceipt (rcp_…): an
Ed25519-signed JSON document carrying the signer, the legal basis
(wet_signature / esra_consent / ueta_electronic_agent), and either the
human's consent_record or the agent's agent_authority chain. The receipt
is verifiable offline using Matter's published platform-witness public key.
Live-mode and test-mode receipts are signed under separate root keys.
After reading this page you'll know what the receipt contains, why the founder is the named incorporator, how to fetch a receipt, and how to verify its signature in five lines of code without calling the API.
Why this exists
Delaware (and every other US state) requires a named incorporator to file the Certificate of Incorporation. DGCL §103 names the incorporator as the natural person who executes the certificate. With Matter, that natural person is always the founder.
The receipt is the cryptographic record of that signing event: who signed, on what legal basis, with what acknowledgements affirmed, against which canonical document hash. The chain is bound by an Ed25519 signature so any external party (regulator, investor, acquirer, due-diligence agent) can verify the entity's birth without trusting Matter's API.
What's in the receipt
{
"id": "rcp_8sQp4LbR",
"object": "incorporator_receipt",
"entity_id": "ent_Nq3KcAbc",
"version": 1,
"filed_at": 1745539200,
"livemode": true,
"signer_stakeholder_id": "stk_jane_7Hpx9WxY",
"signer_basis": "ueta_electronic_agent",
"agent_authority": {
"token_id": "tok_4Kj2m8pQ",
"principal_human_id": "usr_4Kj2m8pQ",
"agent_id": "agt_paralegal_v2",
"acknowledgements": [
{
"slug": "incorporator_signature_authorized",
"version": "2026-04-01",
"accepted_by_stakeholder_id": "stk_jane_7Hpx9WxY",
"accepted_at": 1745539100
},
{
"slug": "formation_is_legally_binding",
"version": "2026-04-01",
"accepted_by_stakeholder_id": "stk_jane_7Hpx9WxY",
"accepted_at": 1745539100
}
],
"standing_policy_id": "pol_studio_default"
},
"consent_record": null,
"incorporator_identity": null,
"transferred_at": null,
"transferred_to_stakeholder_id": null,
"signature_algorithm": "Ed25519",
"signature": "a3f2…b9c1",
"signing_key_fingerprint": "sha256:9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
"disclaimer": {
"text": "Matter is a software platform, not a law firm. Matter does not provide legal, tax, or securities advice. The customer is solely responsible for the legal and tax consequences of this action and should consult qualified professionals before proceeding.",
"version": "2026-04-01",
"source": "ueta_matter_v1",
"marketing_disclosure_url": "https://mattermode.com/legal/disclosures"
}
}The signature covers a deterministic, key-sorted, whitespace-free JSON
serialization of every field above except signature itself. Modify any
field — even whitespace — and the signature is invalidated.
The receipt above is for an agent-led formation. For a human-signed formation,
signer_basis: "esra_consent" and consent_record is populated instead of
agent_authority.
Legacy receipts
Receipts issued before the founder-as-incorporator pivot recorded
incorporator_identity: "Matter Incorporators, LLC (DE)",
transferred_at: <unix>, and transferred_to_stakeholder_id: stk_…. New
receipts always set those three fields to null. Verifiers must accept both
shapes for backward compatibility — signer_stakeholder_id is the
authoritative field on new receipts.
Why the founder is the incorporator (and not Matter)
Three reasons.
- Legal posture. Matter is a software platform, not a law firm. Acting as the named incorporator at scale concentrates UPL exposure and unwanted fiduciary surface on Matter. The founder being the incorporator keeps Matter unambiguously a software facilitator. See legal basis.
- Risk allocation. The named incorporator bears the legal consequences of the filing. With the founder as incorporator, formation risk attaches to the customer, where it belongs — Matter facilitates the technical execution of a customer-directed action.
- Distribution. Embedded fintech integrators (Brex, Mercury, Gusto) have a cleaner story when their customer is the named incorporator on the cert rather than a third-party platform.
How signature capture happens
Two rails, both producing the same receipt shape:
- Rail 1 — Human signature. The founder signs via the matter_native signing
envelope (Shape 1, magic link) or via a
SigningSessionbearer (Shape 2, used by SDK and Claude flows). Captures ESRA disclosure (E-SIGN Act §101(c)), Clerk-authenticated identity, IP, user agent, and the typed intent string. Receipt:signer_basis: "esra_consent",consent_recordpopulated. - Rail 2 — Agent-authorized signature under UETA §14. A tier-3 or tier-4
token whose
allow[]permitsentities.submitand which pre-affirmedincorporator_signature_authorizedat creation may sign on the founder's behalf. Receipt:signer_basis: "ueta_electronic_agent",agent_authoritypopulated with the token, principal, agent, acknowledgements, and standing policy reference.
Both rails write the same canonical receipt body, signed with the same platform-witness key family. Verifiers do not need to know which rail produced the signature — just that the signature validates.
Live and test mode use separate keys
| Mode | Signing key family | Public key URL |
|---|---|---|
livemode: true | matter:platform-witness:ed25519:<YYYY-MM> | https://mattermode.com/.well-known/platform-witness-keys.json |
livemode: false | matter:platform-witness-test:ed25519:<YYYY-MM> | https://mattermode.com/.well-known/platform-witness-keys-test.json |
Test-mode receipts sign under a deliberately-separate root. A test-mode receipt
cannot be replayed against live mode, and a verifier configured for live mode
will reject every test-mode receipt as a hard error (unknown_key_id). This is
not a misconfiguration to work around — it's a security boundary.
Keys rotate monthly. Old keys remain published for verification of historical receipts indefinitely.
Fetching a receipt
curl https://api.mattermode.com/v1/incorporator_receipts/rcp_8sQp4LbR \
-H "Authorization: Bearer $MATTER_KEY" \
-H "Matter-Version: 2026-05-01"The receipt is also embedded in the entity.registered webhook event so you
don't have to round-trip if you already subscribe to that event.
Verifying offline
The whole point: you don't need to call Matter to trust a receipt. The verification is five steps in any language with an Ed25519 library.
import { verify } from "@noble/ed25519";
async function verifyReceipt(receipt: IncorporatorReceipt, publicKeyHex: string) {
// 1. Strip the signature out, sort keys deterministically, JSON-stringify with
// no whitespace. This is the "canonical encoding."
const { signature, ...payload } = receipt;
const canonical = canonicalJSON(payload);
// 2. Look up the public key in the Matter-published JWK set by
// `signing_key_fingerprint`. (Or trust your locally-cached copy.)
const pubKey = Buffer.from(publicKeyHex, "hex");
const sig = Buffer.from(receipt.signature, "hex");
// 3. Verify the Ed25519 signature against the canonical body.
const ok = await verify(sig, new TextEncoder().encode(canonical), pubKey);
if (!ok) throw new Error("Invalid signature");
// 4. Branch on signer_basis and validate the corresponding scaffolding:
// - "esra_consent" → consent_record is non-null and carries esra_disclosure_version
// - "ueta_electronic_agent" → agent_authority is non-null and includes
// "incorporator_signature_authorized" in acknowledgements
// - "wet_signature" → consent_record and agent_authority both null
validateSignerScaffolding(receipt);
// 5. Confirm the named incorporator stakeholder matches the entity's
// incorporator_stakeholder_id (cross-fetch entity if you don't trust local).
return true;
}The cookbook walks through this end-to-end with a Python and Go implementation
and shows the full canonicalJSON definition: see
Verify an incorporator receipt.
When to verify
- At due diligence. A verifier reviewing one of your portfolio entities can confirm the founder signed the cert without trusting your dashboard.
- At an acquisition. An acquirer can confirm the target's existence chain before committing to the term sheet.
- At any time by your own audit pipeline. Cache the public-key JWK set; a weekly cron is more than enough.
You do not need to verify on every entity read — the API already does that on its end. Verify when an external party would otherwise have to take Matter's word for it.
Errors
| Error | Cause | Recovery |
|---|---|---|
404 incorporator_receipt_not_yet_issued | Entity is in draft or submitted — the receipt is generated only on entity.registered. | Wait for the incorporator_receipt.issued webhook. |
409 entity_not_matter_witnessed | The entity was migrated into Matter from a foreign source (rare); no receipt exists. | Use the historical paper trail from the source registry. |
410 receipt_superseded | A correction filing reissued the receipt under a new version. | Read current_receipt_id on the response and fetch that. |
Related
- Legal basis — the two signing rails, UETA §14 doctrine, where customer risk attaches.
- Verify an incorporator receipt — full offline verifier in three languages.
- Form a company — human-led formation.
- Form an entity with an agent — agent-led formation under standing UETA §14 consent.
- Webhook ordering —
incorporator_receipt.issuedarrives afterentity.state_changed → registered. - Lifecycle — the state transition that triggers receipt issuance.
- Test mode — how the test-mode key hierarchy is isolated.