This comprehensive explanation has been generated from 172 GitHub source documents.
Last updated: October 7, 2025
Note: In rare cases it may contain LLM hallucinations.
For authoritative documentation, please consult the official GLEIF vLEI trainings and the ToIP Glossary.
A digital credential that exists exclusively in electronic form without a physical counterpart, issued, stored, and shared electronically. In the KERI/ACDC ecosystem, virtual credentials are implemented as ACDCs (Authentic Chained Data Containers) that provide cryptographically verifiable, chainable credentials with graduated disclosure capabilities.
A virtual credential is a digital representation of claims or identity attributes that exists purely in electronic form, designed for online environments without requiring physical manifestation. Virtual credentials are issued, stored, and shared electronically, representing everything from professional certifications to organizational roles to legal entity identities.
In the KERI/ACDC ecosystem, virtual credentials are implemented as Authentic Chained Data Containers (ACDCs) - cryptographically verifiable data structures that provide proof-of-authorship and can be chained together to form directed acyclic graphs (DAGs) of verifiable provenance.
Virtual credentials in KERI are fundamentally different from traditional verifiable credentials because they leverage KERI's autonomic identifier (AID) infrastructure and key event logs (KELs) for their security model. Each ACDC credential:
Virtual credentials in KERI utilize Transaction Event Logs (TELs) for credential lifecycle management:
Issuance: Virtual credentials are issued by creating an ACDC with the issuer's AID, signing it with current authoritative keys, and anchoring the issuance event to a TEL through a KEL interaction or rotation event.
Storage: Credentials are stored in credential databases as part of KERI wallets, which maintain keystores, local KEL databases, remote KEL databases, and credential databases.
Presentation: Credentials are presented through the IPEX (Issuance and Presentation Exchange) protocol, which supports graduated disclosure and contractually protected disclosure mechanisms.
Revocation: Credential status changes are recorded in the VC TEL, with revocation events anchored to the issuer's KEL for cryptographic verification.
The dual-TEL architecture separates concerns:
This separation enables scalability and allows different backing mechanisms (witnesses vs. ledger registrars) for different credential types.
This dual-TEL architecture enables public verifiable credential registries where credential status can be verified without requiring centralized infrastructure.
The verifiable Legal Entity Identifier (vLEI) ecosystem demonstrates virtual credentials at scale:
Each credential type chains to its prerequisite credentials through ACDC edges, creating a hierarchical trust model rooted in GLEIF's authority.
Cryptographic Chaining: Unlike isolated credentials, ACDC virtual credentials can reference other credentials through cryptographic commitments, enabling complex authorization chains and delegated authority models.
Privacy-Preserving Disclosure: The graduated disclosure mechanism allows credential holders to reveal only necessary information:
End-Verifiable Security: Virtual credentials inherit KERI's end-verifiable security model, where any party can independently verify credential authenticity by validating signatures against the issuer's KEL without requiring trusted intermediaries.
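The chaining and TEL status checks described above, as an added example that is not part of the original page or of any KERI library: a simplified Python model in which SHA-256 over canonical JSON stands in for SAIDs, edges are a plain list of parent digests, and signature and key-state validation against the KEL are not modeled. The `Registry` class and its method names are hypothetical.

```python
import hashlib, json

# Simplified model (assumption): "d" = digest, "i" = issuer AID, "a" = attributes,
# "e" = list of parent credential digests. Real ACDCs use CESR-encoded SAIDs.
def digest(obj):
    # Stand-in for a SAID: SHA-256 of canonical JSON, ignoring the "d" field itself.
    body = {k: v for k, v in obj.items() if k != "d"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Registry:
    """Toy state: credential store, per-credential TEL, seals in each issuer's KEL."""
    def __init__(self):
        self.creds, self.tel, self.kel_seals = {}, {}, {}

    def record(self, cred, kind, anchor=True):
        ev = {"t": kind, "i": cred["d"], "s": len(self.tel.get(cred["d"], []))}
        self.tel.setdefault(cred["d"], []).append(ev)
        if anchor:  # seal the TEL event digest in the issuer's KEL
            self.kel_seals.setdefault(cred["i"], set()).add(digest(ev))

    def issue(self, issuer, attrs, edges=()):
        cred = {"i": issuer, "a": attrs, "e": list(edges)}
        cred["d"] = digest(cred)
        self.creds[cred["d"]] = cred
        self.record(cred, "iss")
        return cred

    def status(self, cred):
        state = None
        for ev in self.tel.get(cred["d"], []):
            if digest(ev) in self.kel_seals.get(cred["i"], set()):
                state = ev["t"]  # TEL events without a KEL anchor are ignored
        return state

    def verify_chain(self, cred):
        if digest(cred) != cred.get("d"):
            return False, "digest mismatch"
        if self.status(cred) != "iss":
            return False, "not issued or revoked: " + cred["d"][:8]
        for parent_d in cred["e"]:  # walk edges toward the root of the chain
            parent = self.creds.get(parent_d)
            if parent is None:
                return False, "missing parent " + parent_d[:8]
            ok, why = self.verify_chain(parent)
            if not ok:
                return ok, why
        return True, "ok"
```

In this model, revoking any credential in the chain invalidates every credential that chains to it, and a revocation event that is not anchored in the issuer's KEL has no effect on the verified status.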