Bearer: When Possession Is the Point
A train ticket added to an app that didn't ask my name cracked open a distinction I hadn't seen clearly before: two models of access, and they explain more than I expected.
I bought an international train ticket last week and added it to the railway app. The process took about thirty seconds. Nothing asked for my name. Nothing verified who I was. The ticket sat there, ready for a journey I haven't made yet, and I'm reasonably confident it will work fine when I hold the phone to the scanner at the platform.
That small moment bothered me in a productive way. The app could just as easily have been a wallet. Buy a concert ticket and it lands in Apple Wallet or Google Wallet the same way, no identity attached. The container changes. The principle doesn't.
Two models
There are two fundamentally different ways a system can decide whether to let you in.
The first is account-based. You are registered. The system knows who you are. Access is granted because your identity has been verified and associated with a right. A transit card linked to your name works this way. So does your bank account, your email, your government login. The credential belongs to you specifically. Lose it, and it can be blocked. Transfer it, and the transfer can be traced or refused.
The second is possession-based. The system doesn't know who you are and doesn't need to. Access is granted because you hold something. A physical key. A fifty euro note. A paper ticket with a punched hole. The right travels with the object, not with the person.
The word for this second model is bearer. Whoever bears the token gets in.
The default that was
For most of human history, possession-based access was simply the only option. Institutions didn't have the infrastructure to track individuals at scale. Cash worked because it had to. The paper train ticket worked the same way. When the conductor came through the carriage and punched a hole in your ticket, they were doing two things: confirming validity and preventing reuse. The ticket changed physically. It was spent.
The system was elegant precisely because it required nothing beyond the object itself. No database lookup. No identity check. No account. Just: do you have the thing?
The drift
Account-based systems became possible when infrastructure caught up. Databases, networks, identity numbers, card readers. Suddenly it became feasible to tie access to a person rather than an object. And institutions had strong reasons to prefer it. An account can be audited. A bearer token cannot. An account holder can be held responsible. A bearer token holder is anonymous by definition.
The drift from possession to account wasn't a conspiracy. It was institutions doing what institutions do when the technology allows it: gaining visibility, reducing risk, building relationships with users that could be monetised or managed.
Cash is the clearest example of what's at stake. It is bearer by design. The fifty euro note doesn't know who owns it. That property, which once seemed simply practical, now looks like a political position. Several European countries have introduced limits on cash transactions. The digital euro is being designed with traceability as a feature. Every move away from cash is a move from possession to account.
Bearer didn't disappear
What surprised me, once I started looking, is how thoroughly the bearer model persists inside digital systems, mostly invisible.
An API key is a bearer token. Any system that receives it grants access, no questions about who is sending it. A session cookie, the small credential your browser holds after you log in, behaves the same way. Whoever holds the cookie can act as the account holder. The QR code on my train ticket is a bearer token with a one-time validation: the backend flips a flag when it's scanned, the digital equivalent of the punched hole.
This is also where the distinction between human-to-machine and machine-to-machine access becomes interesting. When a script or an automated workflow authenticates to an API, it almost always does so with a bearer token. There is no biometric, no SMS code, no identity check. There is a key, and whoever holds the key gets in. The delegation problem that makes so many digital systems difficult to automate is partly a collision between these two models: systems built for account-based human identity, trying to accommodate possession-based machine access.
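The one-time validation described above for the QR ticket, as an added example that is not part of the original post or any railway's real code. The token format, the HMAC signing and the names `TicketBackend`, `issue` and `scan` are assumptions; the post only says the backend flips a flag when the code is scanned.

```python
import hashlib
import hmac
import secrets
import threading


class TicketBackend:
    """Hypothetical bearer-ticket backend: it stores no name and no account."""

    def __init__(self):
        self._key = secrets.token_bytes(32)  # constructed signing key
        self._spent = set()                  # the "punched hole" flags
        self._lock = threading.Lock()

    def _mac(self, ticket_id: str) -> bytes:
        return hmac.new(self._key, ticket_id.encode(), hashlib.sha256).hexdigest().encode()

    def issue(self, journey: str) -> str:
        # The token carries the right itself; nothing ties it to a person.
        ticket_id = f"{journey}.{secrets.token_hex(8)}"
        return f"{ticket_id}.{self._mac(ticket_id).decode()}"

    def scan(self, token: str) -> str:
        ticket_id, sep, tag = token.rpartition(".")
        # Constant-time comparison: only tokens this backend issued are valid.
        if not sep or not hmac.compare_digest(tag.encode(), self._mac(ticket_id)):
            return "invalid"
        # Check-and-flip under a lock so two simultaneous scans of the
        # same ticket cannot both succeed.
        with self._lock:
            if ticket_id in self._spent:
                return "already-used"
            self._spent.add(ticket_id)
        return "ok"


def demo():
    backend = TicketBackend()
    ticket = backend.issue("AMS-BER")          # constructed journey code
    copy_on_other_phone = ticket               # a screenshot works identically
    forged = ticket.replace("AMS-BER", "AMS-ROM")
    return [
        backend.scan(copy_on_other_phone),     # first presenter gets in
        backend.scan(ticket),                  # the original is now spent
        backend.scan(forged),                  # altered contents fail the MAC
    ]


if __name__ == "__main__":
    print(demo())
```

The scanner never learns who presented the token, only that it is genuine and unspent, which is why a copied ticket is indistinguishable from the original until one of them is used.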
The lens
What changed for me after that railway app moment wasn't a conclusion. It was a way of seeing.
Every time I add something to an app or a wallet, I now ask: is this bearer, or is this account? Every time I read about payment infrastructure, digital identity, or access control, the same question surfaces. The answer usually reveals something about how money and data move through the system, and who designed it to move that way.
Two models. One question. It turns out to explain quite a lot.