This comprehensive explanation has been generated from 176 GitHub source documents.
Last updated: October 7, 2025
Note: In rare cases it may contain LLM hallucinations.
For authoritative documentation, please consult the official GLEIF vLEI trainings and the ToIP Glossary.
An issuer is a role performed by an entity that creates and cryptographically signs an ACDC (Authentic Chained Data Container) credential, asserting claims about a subject and transmitting the credential to a holder, with the issuer's AID appearing at the top level of the ACDC structure.
In the KERI/ACDC ecosystem, an issuer is a fundamental role in the verifiable credential lifecycle. An issuer is an entity (identified by an AID) that:
Every ACDC MUST have exactly one issuer, whose identifier appears in the top-level i field of the credential structure. The issuer's AID provides cryptographic proof of the credential's origin through KERI's key event infrastructure.
The issuer role is central to the ACDC trust model and credential graph architecture:
Cryptographic Binding: The issuer's AID is cryptographically bound to the credential through digital signatures. This binding is maintained even across key rotations because KERI's KEL (Key Event Log) provides verifiable proof of key state at any point in time.
Issuer Identifier Placement: The issuer's AID appears in the top-level i field of every ACDC. This field is mandatory and must reference a valid KERI AID with an associated KEL.
Signature Anchoring: Rather than signing ACDCs directly, issuers typically anchor credential SAIDs in their KEL through interaction events or rotation events. This enables credential verification even after key rotation.
Multi-Signature Issuance: For organizational issuers, the issuer AID may be a multi-sig AID requiring threshold signatures from multiple authorized representatives. This is common in vLEI Legal Entity credentials.
Delegation Patterns: In hierarchical credential systems, issuers may operate under delegated authority from a parent issuer. The GEDA (GLEIF External Delegated AID) delegates authority to QVIs, who then issue credentials to Legal Entities.
Registry Requirements: Issuers should maintain TEL registries for credentials they issue, enabling verifiers to check revocation status. The registry identifier appears in the ri field of issued ACDCs.
Credential Chaining: In ACDC's directed acyclic graph (DAG) structure, credentials can reference other credentials through edges. The issuer of a child credential may or may not be the issuee of the parent credential, depending on the edge operator used (I2I, DI2I, or NI2I).
Trust Chains: In the vLEI ecosystem, issuers form hierarchical trust chains:
Issuance vs. Presentation: The issuer role is distinct from credential presentation. In an issuance exchange, the discloser is the issuer of the origin ACDC. In a presentation exchange, the discloser may be the holder presenting credentials issued by others.
Registry Management: Issuers typically maintain Transaction Event Logs (TELs) that track the issuance and revocation state of credentials they issue, enabling verifiers to check credential status.
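The issuer checks described above (top-level i field, ri registry reference, SAID anchored in the issuer's KEL), sketched as an added example that is not code from the vLEI or KERI projects. The function names, the digest-seal layout {"d": SAID}, the policy of flagging a missing ri, and all identifiers are assumptions made for illustration; signature and SAID digest verification are left out.

```python
# Added example: structural issuer checks only. Signature and SAID digest
# verification are out of scope. All AIDs and SAIDs below are constructed.
ANCHOR_EVENT_TYPES = {"ixn", "rot"}  # interaction and rotation events

def find_anchor(kel, cred_said):
    """Sequence number of the first KEL event sealing cred_said, else None."""
    if not cred_said:
        return None
    for event in kel:
        if event.get("t") not in ANCHOR_EVENT_TYPES:
            continue
        for seal in event.get("a", []):
            # Assumption: the anchor is a seal dict with the credential SAID in "d".
            if isinstance(seal, dict) and seal.get("d") == cred_said:
                return int(event["s"], 16)  # KERI sequence numbers are hex strings
    return None

def check_issuer(acdc, kel):
    """Return a list of problems; an empty list means every check passed."""
    issuer = acdc.get("i")
    if not isinstance(issuer, str) or not issuer:
        return ["missing top-level i (issuer AID)"]
    problems = []
    if not acdc.get("ri"):
        problems.append("no ri field: revocation status cannot be checked")
    if not kel:
        problems.append("no KEL available for the issuer AID")
    elif any(e.get("i") != issuer for e in kel):
        problems.append("KEL events belong to a different AID")
    elif find_anchor(kel, acdc.get("d")) is None:
        problems.append("credential SAID is not anchored in the issuer's KEL")
    return problems

ISSUER = "EIssuerAID_constructed"
KEL = [
    {"t": "icp", "i": ISSUER, "s": "0", "a": []},
    {"t": "ixn", "i": ISSUER, "s": "1", "a": [{"d": "ECredSAID_constructed"}]},
    {"t": "rot", "i": ISSUER, "s": "2", "a": []},
]
ACDC = {"d": "ECredSAID_constructed", "i": ISSUER,
        "ri": "ERegistry_constructed", "a": {"i": "EHolder_constructed"}}

if __name__ == "__main__":
    print(check_issuer(ACDC, KEL))  # structural checks on the constructed pair
```

Because the anchor sits at sequence number 1 and the rotation at 2, the lookup still succeeds after the key rotation, which is the property the anchoring paragraph describes.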