A plea: a convention for <input name="handle">

jauntywk.bsky.social · March 3, 2026, 8:53pm

As someone who uses my phone more than maybe advisable, I end up typing in jauntwk.bsky.socialmuch more than I want to to log into neat atproto apps. Every now and then the browser can auto-complete for me, but it feels too rare! This post is a plea for help from the atproto ecosystem, to please try to make this better.

It comes down to what name the input element has: that’s what the browser usually uses for autocomplete. I would love to have a convention/standard for what name to use for the <input> element that takes the username/handle/account, so that autocomplete works on whatever site we land on.

In the title, I went with handle . I am totally fine with bike-shedding this. I went with this for two reasons: because it was the term of the art I saw in one particular README (cited below), and it was what the last app I logged in to used (welcome online https://drerings.app).

But it feels like having some advice we can hand out for what to name this form element would help users a lot. I’m not sure how or where such guidance should go that it’s easy to provide & feels authoritative; a little thread here feels like just a starting place & I want more, but I wanted to raise this usability issue, that I face, with hopes that we can improve the user experience for those trying to use their “internet handle”, as it were.

github.com/bluesky-social/atproto

packages/oauth/oauth-client-browser/README.md

main

# atproto OAuth Client for the Browser

This package provides a browser specific OAuth client implementation for
atproto. It implements all the OAuth features required by [ATPROTO] (PKCE, DPoP,
etc.).

`@atproto/oauth-client-browser` is designed for front-end applications that do
not have a backend server to manage OAuth sessions, a.k.a "Single Page
Applications" (SPA).

> [!IMPORTANT]
>
> When a backend server is available, it is recommended to use
> [`@atproto/oauth-client-node`](https://www.npmjs.com/package/@atproto/oauth-client-node)
> to manage OAuth sessions from the server side and use a session cookie to map
> the OAuth session to the front-end. Because this mechanism allows the backend
> to invalidate OAuth credentials at scale, this method is more secure than
> managing OAuth sessions from the front-end directly. Thanks to the added
> security, the OAuth server will provide longer lived tokens when issued to a
> BFF (Backend-for-frontend).

This file has been truncated. show original

tynanpurdy.com · March 3, 2026, 8:57pm

YES PLEASE. I would love to see a demo of this with a web app and a fork of Bitwarden designed to handle the handle text input.

chrismessina.me · March 3, 2026, 9:14pm

You might go mention this request in this thread.

bnewbold.net · March 3, 2026, 9:24pm

What we use in all of the “cookbook” examples (eg, for Go, Python, JavaScript, TypeScript) is <input name=“username” …>.

ngerakines.me · March 4, 2026, 4:07am

I use this for Smoke Signal, Lexicon Garden, etc.:

<input
    class="input" type="text" id="loginHandleInput" name="handle"
    autocomplete="username" placeholder="alice.bsky.social"
    data-loading-disable="">

erlend.sh · March 4, 2026, 9:31am

I’d love to know what (hack) Deviantart is doing to make this already work.

gui.do · March 4, 2026, 10:37am

Nice, implemented it in Barazo right away: feat(auth): add name="handle" to login input for cross-app autocomplete by gxjansen · Pull Request #149 · barazo-forum/barazo-web · GitHub

trezy.codes · March 4, 2026, 2:34pm

Browsers and password managers can use the name field to determine autofill, but the autocomplete property is the proper way to accomplish this. Here’s what I use for atproto handle inputs on Cartridge:

<input
  autocomplete="username"
  name="handle"
  pattern="(\\w+\\.)+\\w+"
  type="text">

name - This just gives the form a key for the input in its FormData. Using it for anything beyond that is outside of the HTML spec. The only reason it works in select cases is because these applications are trying to be helpful for users on websites that don’t properly use the autocomplete attribute.
autocomplete - Setting this to username is the appropriate analog for atproto domain handles.
type - I use text instead of url because not all browsers properly validate this. Some require a scheme like http://, others validate the TLD against an out-of-date list so handles like mine with newer TLDs (e.g. .codes) don’t validate.
pattern - The pattern I’m using is slightly too permissive for full validation but it does allow all valid handles to pass. This only matters if you check the input’s (or form’s) validity before submission using the ValidityState API.

ngerakines.me · March 4, 2026, 5:00pm

These are all valid inputs though:

ngerakines.me (handle hostname)
@ngerakines.me (@handle syntax)
at://ngerakines.me (AT-URI with handle authority)
did:plc:cbkjy5n7bk3ax2wplmtjofq2 (plain did)
at://did:plc:cbkjy5n7bk3ax2wplmtjofq2 (AT-URI with DID authority)
https://pds.cauda.cloud (my pds)
https://morel.us-east.host.bsky.network/ (oath-protected-resource)
https://bsky.social (oauth-authorization-server)