This comprehensive explanation has been generated from 11 GitHub source documents.
Last updated: October 7, 2025
Note: In rare cases it may contain LLM hallucinations.
For authoritative documentation, please consult the official GLEIF vLEI trainings and the ToIP Glossary.
A kever (key event verifier) is a core verification component in KERI protocol implementations responsible for validating key events in a Key Event Log (KEL). The kever performs cryptographic verification operations to ensure that events are properly signed, correctly ordered, and consistent with the established key state of an Autonomic Identifier (AID).
The kever plays a critical role in KERI's security architecture by serving as the gatekeeper for event acceptance. When a KERI implementation receives key events—whether inception events, rotation events, or interaction events—the kever validates multiple security properties:
Cryptographic Integrity: The kever verifies digital signatures on events using the appropriate public keys from the current or previous key state. This ensures non-repudiable attribution to the controller of the AID.
Sequential Consistency: Events must maintain proper ordering and chaining through cryptographic digests. The kever validates that each event correctly references its predecessor, maintaining the integrity of the append-only log structure.
State Transition Validity: For establishment events that change key state, the kever verifies that pre-rotation commitments are honored and that threshold requirements are met for multi-sig configurations.
Duplicity Detection: By maintaining a record of verified events, the kever can detect duplicitous behavior when multiple conflicting versions of events are presented for the same sequence number.
The kever is typically implemented as a class or module within KERI libraries such as KERIpy (Python) and keriox (Rust). It maintains state about verified events and current key configurations for AIDs it tracks.
A kever implementation must:
Kevers must efficiently process event streams while maintaining security guarantees. Implementations typically cache verified key states to avoid re-verifying entire KELs for each new event.
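A reduced sketch of the sequencing, pre-rotation and duplicity checks described above, added here as an illustration; it is not KERIpy or keriox code. The ToyKever class, the dict event layout (t, s, p, k, n, a), SHA-256 over JSON in place of KERI's digests, and the omission of signature and threshold checks are all assumptions of the example.

```python
import hashlib
import json

def digest(obj):
    """SHA-256 over canonical JSON; a stand-in for KERI's event digests."""
    return hashlib.sha256(json.dumps(obj, sort_keys=True).encode()).hexdigest()

class ToyKever:
    """Verified key state for one AID (hypothetical; signature checks omitted)."""

    def __init__(self, icp):
        if icp["t"] != "icp" or icp["s"] != 0:
            raise ValueError("a KEL must start with an inception event at sn 0")
        self.accepted = [icp]  # verified events; list index == sequence number
        self.keys, self.next_digs = icp["k"], icp["n"]

    def process(self, evt):
        sn = evt["s"]
        if sn < len(self.accepted):
            # An event already holds this sn: identical replay or a conflict.
            same = digest(evt) == digest(self.accepted[sn])
            return "duplicate" if same else "duplicitous"
        if sn != len(self.accepted):
            return "out_of_order"
        if evt["p"] != digest(self.accepted[-1]):
            return "bad_prior_digest"
        if evt["t"] == "rot":
            # Pre-rotation: revealed keys must hash to the prior commitment.
            if [digest(k) for k in evt["k"]] != self.next_digs:
                return "prerotation_violated"
            self.keys, self.next_digs = evt["k"], evt["n"]
        self.accepted.append(evt)
        return "accepted"

def demo():
    # Constructed sample events; key strings are placeholders, not real keys.
    icp = {"t": "icp", "s": 0, "k": ["key-A"], "n": [digest("key-B")]}
    ixn = {"t": "ixn", "s": 1, "p": digest(icp), "a": "anchor-1"}
    rot = {"t": "rot", "s": 2, "p": digest(ixn), "k": ["key-B"],
           "n": [digest("key-C")]}
    bad_rot = dict(rot, k=["key-X"])   # reveals a key that was never committed
    fork = dict(ixn, a="anchor-2")     # conflicting event for sn 1
    kever = ToyKever(icp)
    return [kever.process(e) for e in (ixn, bad_rot, rot, rot, fork)]

if __name__ == "__main__":
    print(demo())
```

The rejected rotation leaves the cached key state untouched, so the valid rotation that follows is still accepted against the original commitment.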
In the broader KERI ecosystem, kevers work in conjunction with witnesses and watchers to provide end-verifiable security. While witnesses provide receipts for events they observe, and watchers maintain copies of KERLs in promiscuous mode, the kever is the component that actually performs the cryptographic verification that makes these observations trustworthy.
The kever is essential for implementing KERI's ambient verifiability property—the ability for any party to independently verify the authenticity and integrity of an identifier's event history without relying on trusted intermediaries. This verification capability extends to ACDC credentials, where the kever validates the KEL of credential issuers to establish the root-of-trust for verifiable credentials.