KERI (Key Event Receipt Infrastructure) is a ledger-independent identity protocol that establishes cryptographic root-of-trust using self-certifying identifiers and a verifiable, append-only log of signed key events. Unlike blockchain-based Decentralized Public Key Infrastructure (DPKI), KERI does not require a consensus ledger to anchor its trust fabric. Instead, it relies on the Key Event Log (KEL), a hash-chained data structure where each event is cryptographically signed by the controller's current private key, providing a self-contained proof of key state and rotation history without external validation.
Glossary
KERI (Key Event Receipt Infrastructure)

What is KERI (Key Event Receipt Infrastructure)?
KERI is a cryptographic identity system that establishes trust through self-certifying identifiers and a chain of signed key events, eliminating dependency on consensus ledgers.
The protocol's security derives from pre-rotated key pairs, where the hash of the next public key is committed in the current event before rotation occurs. This mechanism ensures that any subsequent compromise of a private key cannot be used to forge a prior, valid key state. KERI's architecture supports duplicity detection through witnesses—designated nodes that receive and propagate receipts of key events—allowing any verifier to detect conflicting logs without querying a global ledger, making it ideal for high-throughput, offline-capable Sovereign Identity Management systems.
Key Features of KERI
KERI (Key Event Receipt Infrastructure) is a ledger-independent identity system that establishes cryptographic root-of-trust through a chain of signed key event logs, eliminating the need for consensus-based blockchains.
Self-Certifying Identifiers (AIDs)
KERI uses Autonomic Identifiers (AIDs) that are cryptographically self-certifying. The identifier is derived directly from the inception key pair, meaning the identifier itself proves control of the private key without requiring a third-party registry lookup.
- Derivation: The AID is a cryptographic digest of the initial public key
- Self-verification: Anyone can verify the binding between the identifier and its controller by checking the signature
- No registration required: Unlike DIDs anchored to blockchains, AIDs establish trust purely through the key event log
Key Event Log (KEL)
The Key Event Log is an append-only, cryptographically chained sequence of events that records every key state change for an AID. Each event is signed by the current controlling key and references the previous event's digest.
- Tamper-evident: Any alteration to a prior event breaks the hash chain
- Self-contained: The entire history of key rotations and delegations exists within the log itself
- Portable: The KEL can be stored anywhere—a database, a file system, or replicated across witnesses—without dependency on any specific ledger
Pre-Rotated Key Management
KERI mandates pre-rotation of keys: each key event must commit to the hash of the next key before that key is used. This prevents post-compromise attacks where an attacker who steals a current key could rewrite history.
- Forward security: Even if the current private key is compromised, the attacker cannot forge a valid prior rotation because the next key hash was already published
- Non-repudiable: The cryptographic commitment chain proves the legitimate controller authorized every state change
- Quantum-resistant readiness: The hash-based commitment structure provides a foundation for post-quantum key types
Witness Network for Duplicity Detection
KERI employs a witness network—a set of designated nodes that receive and acknowledge copies of key events. Witnesses do not validate transactions or reach consensus; they simply serve as neutral observers to detect duplicity.
- Duplicity detection: If a controller signs two conflicting versions of the same event, witnesses can produce cryptographic proof of the equivocation
- Minimal trust: Witnesses cannot alter the KEL; they can only expose misbehavior
- Scalable: Unlike consensus validators, witnesses require no coordination overhead, enabling high throughput
Ledger-Independent Architecture
KERI is fundamentally ledger-agnostic. The KEL provides its own verifiable data structure, so anchoring to a blockchain or distributed ledger is optional and used only for ambient verifiability, not as a source of truth.
- No gas fees: Operations do not require on-chain transactions
- No throughput limits: Key events process at network speed, not block time
- Optional anchoring: A digest of the KEL can be periodically anchored to any ledger for additional discoverability, but the KEL remains the authoritative record
Delegated and Multi-Sig Control
KERI supports sophisticated key management structures including delegated identifiers and threshold multi-signature schemes. An AID can delegate signing authority to another identifier with explicit constraints.
- Hierarchical trust: Organizations can create subordinate identifiers with limited authority scoped to specific contexts
- M-of-N signing: Require multiple parties to authorize key rotations or credential issuances
- Recovery mechanisms: Designate recovery keys that can rotate compromised keys without losing control of the identifier
KERI vs. Traditional DPKI
A technical comparison of Key Event Receipt Infrastructure against ledger-based Decentralized Public Key Infrastructure and traditional Certificate Authority models.
| Feature | KERI | Ledger-Based DPKI | Traditional PKI (CA) |
|---|---|---|---|
Root of Trust Source | Self-certifying key event log (KEL) | Consensus ledger or blockchain | Centralized Certificate Authority |
Ledger Dependency |
Frequently Asked Questions
Explore the technical nuances of the Key Event Receipt Infrastructure, a ledger-independent identity system that establishes cryptographic root-of-trust through self-certifying identifiers and pre-rotated key event logs.
KERI (Key Event Receipt Infrastructure) is a ledger-independent identity system that establishes cryptographic trust through a self-contained, chained log of signed key events rather than relying on a consensus ledger. Unlike blockchain-based Decentralized Identifiers (DIDs), which require a distributed ledger to anchor state changes, KERI uses the identifier itself as the root of trust. The core mechanism involves a self-certifying identifier (Autonomic Identifier or AID) derived from a hash of the initial public key. Every subsequent key rotation or state change is recorded as a signed event in a Key Event Log (KEL). Trust is established by verifying the non-repudiable chain of signatures from inception to the current state. This eliminates the 'oracle problem' of querying an external ledger for the latest DID Document, providing a fully portable, witness-agnostic verification model that operates without transaction fees or block confirmation latency.
Enabling Efficiency, Speed & Accuracy
Intelligent Analysis, Decision & Execution
We build AI systems for teams that need search across company data, workflow automation across tools, or AI features inside products and internal software.
Talk to Us
Search across company data
Give teams answers from docs, tickets, runbooks, and product data with sources and permissions.
Useful when people spend too long searching or get different answers from different systems.

Automate internal workflows
Use AI to route work, draft outputs, trigger actions, and keep approvals and logs in place.
Useful when repetitive work moves across multiple tools and teams.

Add AI to products and internal tools
Build assistants, guided actions, or decision support into the software your team or customers already use.
Useful when AI needs to be part of the product, not a separate tool.
Related Terms
Explore the core components and adjacent protocols that define the Key Event Receipt Infrastructure ecosystem, enabling ledger-independent trust.

About the author
Prasad Kumkar
CEO & MD, Inference Systems
Prasad Kumkar is the CEO & MD of Inference Systems and writes about AI systems architecture, LLM infrastructure, model serving, evaluation, and production deployment. Over 5+ years, he has worked across computer vision models, L5 autonomous vehicle systems, and LLM research, with a focus on taking complex AI ideas into real-world engineering systems.
His work and writing cover AI systems, large language models, AI agents, multimodal systems, autonomous systems, inference optimization, RAG, evaluation, and production AI engineering.
Partnered with leading AI, data, and software stack.
How We Work
Custom AI workflows for your Business
One-fit-all AI don't work for modern businesses. At Inferensys, we aim to understand your business & custom requirements; which we use to define most efficient agentic workflows, the data, and the tools for your business.
01
Review the use case
We understand the task, the users, and where AI can actually help.
Read more02
Pick the right approach
We define what needs search, automation, or product integration.
Read more03
Build the first useful version
We implement the part that proves the value first.
Read more04
Improve from there
We add the checks and visibility needed to keep it useful.
Read moreThe first call is a practical review of your use case and the right next step.
Talk to Us