Cannabis State Reporting in 2026: Metrc, BioTrack, MJ Platform, and the Procurement Layer

Every cannabis state runs a different seed-to-sale system. Metrc dominates — by 2026 it covers more than 20 adult-use and medical states — but the long tail still matters: BioTrack in Washington and parts of the Northeast, LeafLogix MJ Platform in Massachusetts, the state-run Cannabis Tracking System in New York for a window before its Metrc transition, and a few legacy state-operated systems hanging on in older medical programs. The operator’s problem is that none of these systems were designed to be your procurement system. They were designed to be the regulator’s system of record.

This guide is for the multi-state dispensary operator (or the single-state owner thinking about a second license) trying to understand: which state runs which system, what the procurement gap looks like in each, and how a procurement-and-compliance layer sits cleanly on top without replacing checkout or filing.

If your team currently jumps between three tabs every time a delivery arrives — POS, state seed-to-sale, spreadsheet — and the spreadsheet always wins because the other two don’t talk to each other, this is for you.

What the state system actually does

Every cannabis seed-to-sale system is built around three primitives:

1. Packages. Every unit of cannabis in your state exists as a package with a unique tag, an item type, a quantity, and a chain of custody.
2. Transfers. Movements of packages between licensed entities (cultivator → distributor → dispensary) are filed as manifests with shipped quantities, source license, destination license, vehicle, driver, and route.
3. Lab tests. Each package is associated with one or more lab test results that determine whether it’s legal to sell.

The state system holds the source of truth for all three. Your job as an operator is to push your physical reality back into that system — when you receive, when you adjust, when you destroy, when you sell. The system is your buying system, your inventory system, or your POS. It is the regulator’s ledger.

The procurement gap is everything that lives in between: choosing what to reorder, capturing vendor licenses with expiry, storing the COA against the specific lot you sold, picking which lot to depleting first under FEFO, and answering “which units of this recalled batch are still on a shelf and which sold” at audit time.

State-by-state at a glance

Metrc states (the majority)

Adult-use: Alaska, Arizona, California, Colorado, Connecticut, Illinois, Maine, Maryland, Massachusetts (medical only on Metrc historically; adult-use moved), Michigan, Missouri, Montana, Nevada, New Jersey, New Mexico, New York (adult-use moved to Metrc), Ohio, Oregon, Rhode Island, South Dakota (medical), Vermont. Plus a long tail of medical-only programs.

The Metrc API is now on v2 endpoints for transfers, packages, and lab tests. The wire-level conventions that matter for any vendor integration:

• Every v2 endpoint returns a {Data: [...]} envelope.
• Transfer and delivery endpoints require licenseNumber as a query param.
• Lab test results are looked up by packageId on /labtests/v2/results, not by package label.
• The User Key is per-operator, per-state. The Vendor Key is per-software-vendor, per-state, per-environment (sandbox vs production).

A procurement-compliance layer wired to Metrc should: persist your license number on the connection at connect time, separate sandbox and production vendor keys, pull manifests in a single call with all packages + lab tests + pricing, and POST per-package decisions before any local inventory write.

BioTrack states

Washington uses BioTrack’s state traceability system (post-MJ Freeway transition). Hawaii, the Virgin Islands, and Illinois Medical also have BioTrack heritage. Delaware, North Dakota, Puerto Rico, and a few others have used BioTrack in various roles.

BioTrack’s receive shape is similar in spirit — package tags, manifests, lab tests — but the API conventions differ. The bulletin-aligned posture (Reject and Adjust over partial-receive) is still the right operator default, even if BioTrack’s UI presents partial differently from Metrc’s.

Massachusetts (LeafLogix MJ Platform)

MA historically ran on Metrc for medical and MJ Platform for adult-use; the lines have blurred. The procurement gap is identical: licenses live in inboxes, COAs live in folders, and the POS doesn’t care about either.

Legacy and transitional systems

A handful of older medical programs still run state-built or vendor-built systems that pre-date the Metrc consolidation. Operators in those states tend to do the most spreadsheet work because the integration ecosystem is thin.

The procurement gap is the same across every state

Different APIs, same operator pain:

1. Licenses live in inboxes. No state system stores your supplier’s license details with expiry, jurisdiction, and a renewal alert. Two months after the manager who managed the supplier file leaves, the file is gone.

2. COAs are tied to vendors, not lots. State systems hold a reference to the lab test on the package, but most POS and inventory systems store the COA against the vendor record — losing the lot specificity that recall response actually needs.

3. Receiving accepts what you tell it to. Standard POS receive screens are “enter quantity, click save.” They don’t enforce that a regulated item requires a COA, a vendor license, and a manifest before the receive can complete.

4. Variance reconciliation runs weekly, not at receipt. Most operators receive in their POS first, file with the state later, and reconcile drift in a weekly review. By the time drift is found, the reason for it is lost.

5. Lot-level expiry is nowhere. No state system pushes expiration data into your POS. Without expiry on the inventory layer, FEFO picking is impossible — and write-offs accumulate week after week.

A procurement-and-compliance layer solves all five at the receive screen, before they become end-of-cycle reconciliation work.

What the procurement layer should do (state-system-agnostic)

The right shape, regardless of which state system you file with:

1. One receive form. Lot rows on the form, with Shipped + Adjustment + Net received per row. Variance note attaches to the lot. Per-package Accept / Accept + Adjust / Reject. The state-pull for the manifest pre-fills the lot rows.

2. Vendor license capture and expiry alerts. Every supplier’s license number, type, jurisdiction, issue date, and expiry date. Renewal alerts fire 30 days before lapse so you can chase the new copy before a receipt is blocked.

3. COA on the lot, not the vendor. When the lab test is pulled from the state system, it saves against the package label (the lot). Future “show me the COA for what we sold on date X” queries become one click.

4. Per-item document requirements. Catalog setting per SKU — COA required, manifest required, vendor license required. Receive is blocked until the documents are attached and verified by a manager.

5. Strict ack against the state system. Per-package decisions POST to the state before the local inventory write commits. If the state rejects, the local receive aborts.

6. Audit trail in the compliance document. Every state outcome, every reject reason, every adjust note appends to the manifest doc’s structured fields. The inventory_layers row stays clean; the audit lives in the doc.

That shape works on Metrc, BioTrack, MJ Platform, or any future state-built system. The state-specific code is the API client; the operator UX is the same.

What this looks like in LineNow

LineNow currently ships native Metrc integration (v2). The pieces:

• Compliance Reporting card on the buyer home page — connect with your User Key + state, license number persisted on the connection at connect time, sandbox / production environments wired separately.
• One-paste manifest State Pull in the Compliance dialog. Packages, shipped quantities, vendor licenses, COA references, and pricing pulled in one call.
• Symmetric Shipped + Adjustment + Net received UX on every regulated lot — buyer-managed and state-pulled lots both render the same shape.
• Per-package decisions (Accept / Accept + Adjust / Reject) POSTed to Metrc before the local commit. The IL_IB_0003 Transfers Best Practices bulletin baked into the UI — no partial-receive shortcut.
• COA State Pull by package ID on Metrc’s /labtests/v2/results endpoint. Lab test results saved against the package label.
• Compliance document audit. Manifest outcomes append to extractedFields; non-Metrc regulated receipts write standalone other documents with variance notes.

For non-Metrc states (BioTrack, MJ Platform, legacy systems), the same Receive UX runs minus the state POST. Vendor license tracking, COA-on-the-lot, FEFO picking, document-blocked receive, and audit history all work without a state connection. Operators in those states get the procurement-and-compliance loop today and pick up state filing automation when the integration ships for their system.

Multi-state operator math

If you run dispensaries across two or three states, you’re running two or three state systems (often Metrc + Metrc + BioTrack, or Metrc + MJ Platform). The procurement layer should normalize the operator experience above the state-system difference: the buyer in Oregon and the buyer in Washington should see the same Receive screen, the same vendor license expiry dashboard, the same FEFO picking, the same audit-ready receipt history. State-system specifics live below the line where the operator doesn’t care.

That normalization is the multi-state operator’s single biggest lever for training, audit consistency, and SOPs. A single Receive flow across every state beats five state-specific SOPs every time.

A 60-second state-reporting diagnostic

Three questions:

1. When the state inspector asks for “every package received from supplier X with a failed heavy-metal test in the last 12 months,” can your team answer in one query — or does it require pulling the report from the state system, the COA folder from Drive, and matching by lot? Multi-source = your compliance archive is open.
2. When you Adjust a package quantity, does the variance reason flow from the receive form into the state Adjust call automatically — or does someone retype it in the state portal? Retype = the reason will drift.
3. When a supplier’s license is 30 days from expiry, does someone get an alert — or do you discover it at the next receive that gets blocked? Discover at block = your renewal queue is open.

If any of those is wrong, the state-reporting loop is open. The work you do in those gaps is the work the procurement-and-compliance layer eliminates.

Related

• Procurement for Cannabis, CBD, and Medical Retailers
• Why Cannabis Retailers Layer LineNow on Lightspeed
• Metrc Receive: How One-Paste Manifest State Pull Should Actually Work
• Metrc Adjust vs Reject: What the IL_IB_0003 Bulletin Actually Says
• Closed-Loop Procurement, in Plain English