In [None]:
# Imports and Utility functions
from scripts.utils import clear_keri

## Creating a Keystore

Before you can create identifiers or perform many other actions with KLI, you need a keystore. The keystore is an encrypted data store that holds the keys for your identifiers. To initialize a keystore, you give it a name, protect it with a passcode, and provide a salt for generating the keys.

The command to do this is `kli init`. Here's an example:


In [None]:
# Choose a name for your keystore
keystore_name="my-first-key-store"
# Use a strong, randomly generated passcode ( from 'kli passcode generate')
keystore_passcode="xSLg286d4iWiRg2mzGYca"
# Use a random salt (from 'kli salt')
salt="0ABeuT2dErMrqFE5Dmrnc2Bq"

!kli init --name {keystore_name} --passcode {keystore_passcode} --salt {salt}

The command sets up the necessary file structures for your keystore, so it's ready for you to create and manage Identifiers within it.

<div class="alert alert-info">
  <b>ℹ️ NOTE</b><hr>
<ul>
    <li>In the example, predefined <code>keystore_passcode</code> and <code>salt</code> are used for convenience, but randomly generated values can be obtained using the <code>kli passcode generate</code> and <code>kli salt</code>
    <li>You can initialize multiple keystores as long as they have different names 
</ul>
</div>

## Creating an Identifier

Now that your keystore is set, you can create your first identifier (AID) within it using the `kli incept` command. You'll need to provide your `keystore_name` and `keystore_passcode`. Additionally, specify a human-readable `alias` for the AID and define its key pairs using parameters like `icount` (the number of signing keys) and `isith` (the signing threshold). Other parameters such as `ncount`, `nsith`, and `toad` will be explained later. Executing `kli incept` will create the AID and output the prefix. This also means that the command will add the first event to the AID KEL, the inception event.

Let's create one:

 

In [None]:
# Choose a human-readable alias for your identifier *within this keystore*
aid_alias = "my-first-aid"

# Create (incept) the identifier
# The parameters --icount, --isith, --ncount, --nsith, --toad control the key management thresholds.
# We use basic settings here; these will be explained in detail in a later section (TBD).
!kli incept --name {keystore_name} --alias {aid_alias} --passcode {keystore_passcode} \
    --icount 1 --isith 1 --ncount 0 --nsith 0 --toad 0

The `kli incept` command generated an AID. The unique string produced, `BHt9Kw8oUgfB2kiyoj65B2VE5fZLr87S5MJP3l4JeRwC`, is known as the Prefix. While closely related, they represent different aspects:

- AID: This is the formal concept of the self-governing identifier within the KERI system, representing the entity and its control.
- Prefix: This is the practical, usable string representation of the AID. It's derived directly from the AID's initial cryptographic keys and is constructed by combining:
    - A Derivation Code: Indicates the cryptographic suite (key type, signature algorithm, hashing algorithm) used.
    - The Encoded Public Key: The public portion of the initially generated key pair associated with the AID.

**Prefix Self-Certification:**  
KERI AIDs are self-certifying. This works because the identifier's prefix embeds the necessary public key information directly within it. Because of this, anyone who has the prefix can cryptographically check signatures made with the matching private key. This proves actions related to the AID are authentic without needing to check with outside authorities or registries. Keep in mind, this direct checking applies to the key that is currently authorized for the AID; key rotation changes the authorized key, requiring reference to the AID's KEL for verification. 

<div class="alert alert-prymary">
  <b>📝 SUMMARY</b><hr>
    <li>Think of the AID as the secure, self-managed identifier</li>
    <li>Think of the prefix as the actual text string you use to represent that AID, whose structure makes the AID's self-certifying property work</li>
    <li>Think of the alias (<code>my-first-aid</code> in our example) as just a local nickname within your keystore to easily refer to the prefix</li>
    <li>The terms AID, identifier, prefix, and alias tend to be used interchangeably</li>
</div>




## Displaying the Identifier
You can check the status of the identifier you just created using `kli status` and its `alias`. This command will show details about the AID's current state, including its Alias, prefix, sequence number, public keys, and additional information. More details on what all this data means will be explained later

In [None]:
# Check the status of the AID using its alias
!kli status --name {keystore_name} --passcode {keystore_passcode} --alias {aid_alias}

You can use `kli status` with the `--verbose` parameter to show the key event log.

In [None]:
!kli status --name {keystore_name} --passcode {keystore_passcode} --alias {aid_alias} --verbose

Here are some descriptions of the KEL fields:
- v – Version String
- t – Message type (`icp` means inception)
- i – Identifier Prefix
- kt - Keys Signing Threshold (the `isith` value used in `kli inception`)
- k – List of Signing Keys (You get as many keys as defined by the `icount` value used in `kli inception`)





<div class="alert alert-info">
  <b>📚 REFERENCE</b><hr>
    To see the full details of the key event fields, refer to <a href="https://trustoverip.github.io/tswg-keri-specification/#keri-data-structures-and-labels" target="_blank">KERI Data Structures and Labels</a> 
</div>

You can also list all the identifiers managed within this keystore. To illustrate this, let's create an additional Identifier

In [None]:
!kli incept --name {keystore_name} --alias "my-second-aid" --passcode {keystore_passcode} \
    --icount 1 --isith 1 --ncount 0 --nsith 0 --toad 0

Now use `kli list` to list all the identifiers managed by the keystore

In [None]:
# List all Identifiers in the keystore
!kli list --name {keystore_name} --passcode {keystore_passcode}

--------------------------------------------------------------------------------------

<div class="alert alert-info">
  <b>💡 TIP</b><hr>
    <li>If you run <code>clear_keri()</code>, the keystore, database, and credential store directories are deleted.</li>  
    <li>This function is provided as an utility to clean your data for testing purposes.</li>
</div>

In [None]:
clear_keri()