From Talking Drums to JSON Web Tokens
A few years ago I read James Gleick's The Information and could not put down its opening chapter, a long and patient look at the talking drums of West Africa. The thought that ancient people, with no wires and no electronics between them, had quietly worked out the very problems we still wrestle with on the web today stayed with me long after the book was closed. I gave a small talk on it in 2019, at PHP com Rapadura, a developer community back in Ceará, Brazil, and the slides have rested in a folder ever since. The thread inside them aged kindly, and it is worth picking up again.
Long before the JSON Web Tokens, before the secure APIs, before anything at all that lives inside a terminal, three older inventions had already met the same problem from three different angles: a fire on a hilltop, a drum in a village, and a small disc of wax cooling on a letter. Sit a while with each of them, in turn, and the modern token has very little left to surprise you with.
A fire on a hilltop
In the fifth century BC, Greek lookouts kept fires burning along the headlands of the Aegean. One signal was the whole language they needed: the enemy is coming. There was nothing in the flame about who, or how many, or from which direction; only that something out at sea had gone wrong, and that it was time. A single bit of information, hurled across hundreds of kilometres at the speed of light, faster than any messenger could have carried it on foot.
That is the most modest thing a message can be, and it has a name worth keeping: a payload, the actual content the message carries. One bit is plenty when there is only one thing to say. The moment the question grows, though, who exactly is approaching, where along the coast, in what number, the fire falls silent. A richer message asks for a richer carrier.
And a richer carrier brings its own difficulties along.
The talking drums
In what is now southwestern Nigeria, the Yoruba had an altogether more astonishing trick. Their drummers could speak whole sentences across many kilometres, village answering village, faster than any runner alive. A drum could carry, by rhythm alone, a line such as “make your feet return by the path they came,” and someone on the far hill would hear it as words.
The wonder of it was tied to a difficulty. The drums reproduced the tones of the Yoruba language, the up-and-down music that distinguishes one word from another, and many different words happen to share the same tones. Stripped to its tones alone a single phrase could mean three or four plausible things, and the listener at the other end had no way of choosing. The richer payload had arrived with an ambiguity baked into the medium itself.
The drummers' answer was as quiet as it was inventive: surround the message with companion phrases, well-worn turns of speech, rhythmic flourishes that carried no fresh meaning but ruled the wrong meanings out. The padding was not there to fight noise; it was there to tell the listener which of the several possible sentences was the one intended. Disambiguation, we would call it now: extra information laid in beside the message so that the receiver lands on the meaning that was sent.
A seal of wax
Neither the fires nor the drums had answered the last of the old problems. Anyone within sight or within hearing could receive the message, and there was nothing in either medium that promised it had come unaltered, or that it had come from the person you believed had sent it. To answer those two questions the royal courts of medieval Europe reached for something older still: a small pool of warm wax, pressed by a signet ring.
The seal did not hide the letter. Anyone who took it from the rider could open and read it. What the seal guaranteed was that the message was genuine and unbroken: if the wax was whole, the words inside had not been changed since the king's hand pressed the ring; if the wax was cracked, the forgery was obvious at a glance. Not secrecy, but proof. The medieval scribe understood, as we sometimes need reminding, that authenticity and privacy are not the same thing, and that one is often easier to win than the other. We can give this third property a name as well: trustworthiness, the proof that the message you are holding is the message that was sent.
The same questions, on the web
Fire on the hill, drum in the village, wax on the letter. Three eras, three mediums, and the very same three questions running through all of them. What does the message carry? How is the receiver to know what it means? And how is anyone to know that what arrived is what was sent? When the web finally had to answer those questions for itself, it built an answer with all three folded together.
A JSON Web Token is a small message that travels on its own. It carries its data along with it, so the server it lands on does not need to look anything up to know who is at the door. It declares, near the front, how it is to be read, so the receiver is not left squinting at a string of letters. And it is sealed with a signature, so that anyone may read it but no one may alter it without the change being obvious at a glance. The drum, the hilltop, and the wax, folded into a single string of letters and dots.
Inside the token
A JWT is three pieces separated by dots: header.payload.signature. Each piece carries one of those old jobs, and only one.
The header sits at the front. Without it the rest of the token would be an ambiguous blob, decodable several ways at once and verifiable by several different algorithms. The header is the small companion phrase the drummer used: it tells the receiver, before anything else, which way to interpret what follows.
{
    "alg": "HS256",
    "typ": "JWT"
}
After it comes the payload, the actual cargo, the part the world has come for. Like a drum that carries the whole sentence rather than a reference number to a sentence stored in some far-off library, the token holds the information directly, with no database to wake and no session to consult:
{
    "name": "Vidal Vasconcelos",
    "nickname": "vidalvasconcelos",
    "admin": true,
    "exp": 1700000000
}
The token itself is the source of truth. The server does not need to ask anyone else.
Last comes the signature, and there is a small warning to set down before we say what it does. A JWT does not give you secrecy. The payload is Base64-encoded, not encrypted, and anyone who intercepts the token can decode and read it as plainly as a king's letter held up to the light. What the signature gives you instead is trustworthiness: a guarantee that the words you are reading are the words that were sent.
Change a single character in the header or in the payload and the signature stops matching. The server can confirm, with only the secret key in hand, that the token is authentic and untampered: no database call, no session lookup. The wax seal, written now in arithmetic.
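As an added example, not code from the original post, here is a minimal HS256 signer and verifier written against Python's standard library only. The secret is a constructed placeholder; the functions show the payload being read with no key at all, the seal failing once a single claim is changed or the key is wrong, and the expiry claim being honoured.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example only; a real one is a long random value.
SECRET = b"example-secret-not-for-production"

def b64url_encode(raw: bytes) -> str:
    # JWT uses URL-safe Base64 with the trailing "=" padding removed.
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def encode_part(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def sign_hs256(payload: dict, secret: bytes) -> str:
    # Header (how to read it), then payload (the cargo), then the HMAC seal.
    signing_input = (encode_part({"alg": "HS256", "typ": "JWT"})
                     + "." + encode_part(payload))
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def read_payload_without_key(token: str) -> dict:
    # Anyone holding the token can do this: Base64 is encoding, not encryption.
    return json.loads(b64url_decode(token.split(".")[1]))

def verify_hs256(token: str, secret: bytes, now: int):
    # Returns the payload if the seal is intact and the token unexpired, else None.
    parts = token.split(".")
    if len(parts) != 3:
        return None
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return None  # accept only the algorithm this server expects
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return None  # the wax is cracked: header or payload no longer match the seal
    payload = json.loads(b64url_decode(payload_b64))
    if "exp" in payload and now >= payload["exp"]:
        return None  # genuine, but its time has run out
    return payload
```

The verifier pins the algorithm to the one the server issued with and checks `exp` only after the signature, so a token is never trusted on its own say-so about how it should be read.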
Conclusion
We began with a fire on a hilltop. One bit, no detail, and yet enough to warn an entire coastline before any rider could reach it. We followed the Yoruba drummers, who learned that a richer message must arrive with the context that pins it to its meaning. And we sat for a moment with a royal scribe, who taught us that a seal does not hide a letter, it proves who wrote it.
The JWT is heir to all three. Its header is the context that tells the receiver how to read the rest. Its payload is the message itself, travelling without a library to look it up in. Its signature is the seal. None of it is perfect: anyone may read the contents, tokens live until they expire, and a token stored carelessly opens doors that should have stayed closed. But the old principle holds, two and a half thousand years on, and it is worth saying plainly: put the intelligence in the message, not in the infrastructure around it.