Loading vLEI.wiki
Fetching knowledge base...
Fetching knowledge base...
This comprehensive explanation has been generated from 70 GitHub source documents. All source documents are searchable here.
Last updated: October 7, 2025
This content is meant to be consumed by AI agents via MCP. Click here to get the MCP configuration.
Note: In rare cases it may contain LLM hallucinations.
For authoritative documentation, please consult the official GLEIF vLEI trainings and the ToIP Glossary.
An operator is an optional field within the Edge section of an ACDC (Authentic Chained Data Container) that defines logical relationships and validation rules between connected credentials in a directed acyclic graph (DAG). Operators enable sophisticated graph traversal logic and authorization chains by specifying how credentials must relate to each other.
Operators are fundamental to ACDC's implementation as labeled property graph fragments. When ACDCs chain together through edges to form verifiable credential graphs, operators define the semantic relationship constraints that must hold between the issuer and issuee of connected credentials.
The ACDC specification defines three core unary operators:
I2I (Issuer-to-Issuee): The default operator requiring the issuer of a child credential to be the issuee (subject) of the parent credential. This creates a strict chain of authority where credentials flow from one entity to another based on their role as the subject of a previous credential.
DI2I (Delegated-Issuer-to-Issuee): Extends I2I to allow either the root AID or a delegated AID of the parent credential's issuee to issue the child credential. This enables security through the single responsibility pattern while maintaining flexibility for organizational structures.
NI2I (Not-Issuer-to-Issuee): A permissive operator allowing any identifier to chain a child credential to a parent credential regardless of relationship. This supports referencing or linking to other ACDCs for context without implying delegated authority.
Default Behavior: In KERIpy (the reference implementation), I2I is the implicit default operator when no operator field is specified in an edge definition.
Validation Logic: Verifiers must implement operator-specific validation logic that checks the relationship between the issuer AID of the child credential and the issuee AID of the parent credential according to the operator type.
Known Issues: As of the documented training materials, the NI2I operator has a known bug (GitHub issue #1040 in keripy) that causes credential creation to hang indefinitely. Developers should avoid using NI2I until this issue is resolved.
Operator Extensibility: The operator field supports both unary and m-ary operations, enabling future extension to complex logical operators (AND, OR, NOT) across edge groups for sophisticated authorization scenarios.
Edge Group Operations: When using m-ary operators, the operator applies logic across multiple edges simultaneously, enabling validation scenarios like "credential valid if ANY of these parent credentials exist" or "credential valid only if ALL parent credentials exist."
Operators can function in two modes:
The operator field enables expression of sophisticated authorization logic including AND, OR, and NOT operations across multiple credential chains, supporting use cases like:
Edge: The top-level field map containing operator definitions
ACDC: The credential structure that uses operators for chaining
SAID: Self-addressing identifiers used to reference credentials in edge definitions