Loading vLEI.wiki
Fetching knowledge base...
Fetching knowledge base...
This comprehensive explanation has been generated from 196 GitHub source documents. All source documents are searchable here.
Last updated: October 7, 2025
This content is meant to be consumed by AI agents via MCP. Click here to get the MCP configuration.
Note: In rare cases it may contain LLM hallucinations.
For authoritative documentation, please consult the official GLEIF vLEI trainings and the ToIP Glossary.
A cloud agent is software installed on cloud server instances that provides security, monitoring, and analysis solutions for cloud infrastructure, enabling information gathering and control over cloud entities without requiring direct active management by the user.
A cloud agent is software deployed on cloud server instances that provides security, monitoring, and analysis capabilities for cloud-based infrastructure. In the KERI ecosystem context, cloud agents specifically refer to implementations like KERIA (KERI Agent in the cloud) that manage AIDs (Autonomic Identifiers) and perform cryptographic operations on behalf of controllers while maintaining strict security boundaries.
Key characteristics of cloud agents include:
Within the KERI architecture, cloud agents serve a critical role in enabling practical, scalable identity management while preserving the protocol's security guarantees. The most prominent implementation is KERIA, which provides a multi-tenant cloud-based agent service that:
Separates Key Management from Operations: Cloud agents in KERI implement an "edge signing" model where private keys never reside on the cloud infrastructure. Instead, keys are managed by client-side libraries like Signify, which perform cryptographic signing operations locally before transmitting signed events to the cloud agent.
Provides Three-Interface Architecture: KERIA exposes distinct HTTP endpoints for different security contexts:
Security Architecture: Cloud agents in KERI implement a zero-trust model where private keys never exist on the cloud infrastructure. All signing operations occur client-side using libraries like Signify, with only signed events transmitted to the cloud agent. This architecture prevents the cloud provider from accessing key material even if the infrastructure is compromised.
Multi-Tenancy: Cloud agents like KERIA support multiple users (tenants) on a single instance, with each user's AIDs isolated in separate Hab (keystore) instances. The Habery manages the collection of Habs and ensures proper isolation between tenants.
Asynchronous Operations: Cloud agents handle asynchronous message routing, witness coordination, and KEL synchronization. Operations like multisig coordination may require waiting for signatures from multiple participants, which cloud agents manage through escrow mechanisms and notification systems.
Deployment Considerations: Production deployments should disable the Boot Interface after initial setup, expose only Admin and Protocol interfaces externally, and implement proper authentication using KRAM (KERI Request Authentication Method) for all API requests.
Custodial Patterns: Cloud agents enable custodial key management through partial rotation, where signing authority is delegated to the agent while rotation authority remains with the controller. This allows professional hosting services while preserving user sovereignty.
Enables Custodial Patterns: Cloud agents support custodial rotation scenarios where signing authority is delegated to the agent while rotation authority remains with the controller. This enables professional hosting services without centralizing control.
Manages Distributed Operations: Cloud agents coordinate with witnesses, watchers, and other KERI infrastructure components, handling asynchronous message routing, KEL synchronization, and OOBI resolution.
Supports Multi-Tenancy: A single cloud agent instance can manage multiple AIDs for different users, with each AID's data isolated in separate keystores (Habs) managed by a Habery.
The cloud agent architecture addresses the practical reality that most users prefer not to manage their own infrastructure while still maintaining the security properties that make KERI viable for high-assurance applications. By keeping private keys at the edge and using cloud agents only for coordination and availability, KERI achieves a balance between usability and security that enables mainstream adoption.