KERI & vLEI Concepts

In KERI protocol, `qry` is a message type abbreviation for 'query' operations that enable controllers to request information about identifier states, key events, and other protocol-relevant data from witnesses, watchers, or other KERI infrastructure components.

A signer is a CESR primitive that represents a private key and has the ability to create indexed signatures (Sigers) and non-indexed signatures (Cigars) for cryptographic signing operations in KERI.

Comprehensive explanation available

A persistent data structure in KERI/ACDC is an append-only, immutable verifiable data structure where signed content cannot be modified, enabling distributed verification and concurrency-friendly operations through cryptographic commitments that preserve data integrity across time and systems.

In KERI's multi-signature threshold schemes, weight is a numerical value assigned to each signing key in a weighted threshold configuration, enabling flexible authorization policies where different keys contribute different amounts toward satisfying the signing threshold requirement.

Unpredictable information measured in bits that serves as a secret or input to key generation algorithms, providing the cryptographic strength necessary for secure identifier creation and key management in KERI systems.

Partial disclosure is a graduated disclosure mechanism in ACDC that reveals only selected field maps from a nested attribute tree structure while keeping others compact (represented by their SAIDs), enabling privacy-preserving credential presentations where specific branches can be disclosed or withheld based on verifier requirements and disclosure policies.

In KERI/ACDC, a payload refers to the meaningful data content within a message or data structure, as distinguished from the cryptographic and structural overhead required to transmit, verify, or process it. Payloads in KERI are strictly limited to cryptographic building blocks: content digest hashes, Merkle tree root hashes, or public keys.

bis (backed vc issue) is a registry-backed transaction event log credential issuance operation in KERI that records the issuance of a verifiable credential by anchoring the issuance event to both the issuer's KEL and a TEL registry, providing cryptographic proof of credential creation and enabling subsequent revocation tracking.

A seal is a cryptographic commitment in the form of a digest or hash tree root that anchors arbitrary data or a tree of hashes to a specific event in a key event sequence, creating a verifiable binding between the event and external data without embedding the full data in the event itself.

A delegated identifier is a KERI [AID](/concept/aid) whose control authority is cryptographically delegated from another identifier (the delegator), requiring cooperative participation from both delegator and delegate through mutual cryptographic commitments in their respective [KELs](/concept/kel), enabling hierarchical trust structures with built-in compromise recovery.

KERIA (KERI Agent in the cloud) is a multi-tenant cloud-based agent implementation for the KERI protocol that provides agency services for managing Autonomic Identifiers (AIDs), credentials, and key event operations while maintaining strict separation of private key material from cloud infrastructure through edge-based signing.

A Hab (Habitat) is a keystore data structure in KERI implementations that manages cryptographic key material and state for a single Autonomic Identifier (AID), implemented in KERIpy using LMDB for persistent storage of private keys, public keys, key event logs, and all associated identifier data.

Authentic data is data that possesses both cryptographically verifiable integrity (the data is whole, sound, and unimpaired) and verifiable provenance (the data has a documented, cryptographically traceable origin and history).

The property of an identifier or digital asset that enables control authority to be transferred from one controller to another in an unobstructed, loss-less manner through cryptographic key rotation, maintaining identifier continuity while changing the controlling keys.

The KERI Command Line Interface (KLI) is a comprehensive command-line tool for interacting with the KERI protocol, providing operations for creating and managing Autonomic Identifiers (AIDs), cryptographic keys, Key Event Logs (KELs), delegated identifiers, multi-signature groups, and infrastructure components including witnesses, watchers, and cloud agents.

Reputation is consistent behavior over time on the basis of which anyone else makes near-future decisions. In decentralized identity systems, reputation represents behavioral trust patterns that complement cryptographic attributional trust, enabling trust decisions based on observed historical conduct rather than solely on cryptographic verification.

A systematic organizational structure for grouping related identifiers and resources, providing a hierarchical or logical framework for managing identifier spaces and their associated attributes within identity systems.

Signify is a client-side implementation library for KERI that performs key generation and event signing at the edge (client-side) while delegating other KERI agent functions to remote cloud services, ensuring private keys never exist on or are accessible by cloud infrastructure.

Sally is a purpose-built verification service and reporting server for the vLEI ecosystem that receives credential presentations and revocation notices, verifies their structural and cryptographic integrity, and forwards validated data via HTTP POST to configured webhook URLs, enabling the GLEIF Reporting API to track which vLEIs have been issued to Legal Entities.

Selective disclosure is a privacy-preserving mechanism in ACDC credentials that enables holders to reveal only specific attributes from a selectively disclosable set while keeping others cryptographically blinded, using an aggregator-based cryptographic primitive that requires all field maps to be disclosed in either blinded or published form.

In KERI/ACDC, ephemeral refers to identifiers, keys, or data structures designed for temporary, short-lived use—typically one-time, discardable, or session-specific—without persistence or transferability requirements.

A protocol architecture that uses verifiable identifiers (VIDs) to cryptographically sign and verify every message transmitted across the internet, creating a universal spanning layer for trust that operates independently of specific platforms or trust domains.

In KERI, 'stable' refers to the state of cryptographic verifiability across a network where a particular identifier, event, or data set is consistent, fully verified, and cannot be contested within the KERI infrastructure.