A plea: a convention for <input name="handle">

jauntywk.bsky.social · March 3, 2026, 8:53pm

As someone who uses my phone more than maybe advisable, I end up typing in jauntwk.bsky.socialmuch more than I want to to log into neat atproto apps. Every now and then the browser can auto-complete for me, but it feels too rare! This post is a plea for help from the atproto ecosystem, to please try to make this better.

It comes down to what name the input element has: that’s what the browser usually uses for autocomplete. I would love to have a convention/standard for what name to use for the <input> element that takes the username/handle/account, so that autocomplete works on whatever site we land on.

In the title, I went with handle . I am totally fine with bike-shedding this. I went with this for two reasons: because it was the term of the art I saw in one particular README (cited below), and it was what the last app I logged in to used (welcome online https://drerings.app).

But it feels like having some advice we can hand out for what to name this form element would help users a lot. I’m not sure how or where such guidance should go that it’s easy to provide & feels authoritative; a little thread here feels like just a starting place & I want more, but I wanted to raise this usability issue, that I face, with hopes that we can improve the user experience for those trying to use their “internet handle”, as it were.

github.com/bluesky-social/atproto

packages/oauth/oauth-client-browser/README.md

main

# atproto OAuth Client for the Browser

This package provides a browser specific OAuth client implementation for
atproto. It implements all the OAuth features required by [ATPROTO] (PKCE, DPoP,
etc.).

`@atproto/oauth-client-browser` is designed for front-end applications that do
not have a backend server to manage OAuth sessions, a.k.a "Single Page
Applications" (SPA).

> [!IMPORTANT]
>
> When a backend server is available, it is recommended to use
> [`@atproto/oauth-client-node`](https://www.npmjs.com/package/@atproto/oauth-client-node)
> to manage OAuth sessions from the server side and use a session cookie to map
> the OAuth session to the front-end. Because this mechanism allows the backend
> to invalidate OAuth credentials at scale, this method is more secure than
> managing OAuth sessions from the front-end directly. Thanks to the added
> security, the OAuth server will provide longer lived tokens when issued to a
> BFF (Backend-for-frontend).

This file has been truncated. show original

tynanpurdy.com · March 3, 2026, 8:57pm

YES PLEASE. I would love to see a demo of this with a web app and a fork of Bitwarden designed to handle the handle text input.

chrismessina.me · March 3, 2026, 9:14pm

You might go mention this request in this thread.

bnewbold.net · March 3, 2026, 9:24pm

What we use in all of the “cookbook” examples (eg, for Go, Python, JavaScript, TypeScript) is <input name=“username” …>.

ngerakines.me · March 4, 2026, 4:07am

I use this for Smoke Signal, Lexicon Garden, etc.:

<input
    class="input" type="text" id="loginHandleInput" name="handle"
    autocomplete="username" placeholder="alice.bsky.social"
    data-loading-disable="">

erlend.sh · March 4, 2026, 9:31am

I’d love to know what (hack) Deviantart is doing to make this already work.

gui.do · March 4, 2026, 10:37am

Nice, implemented it in Barazo right away: feat(auth): add name="handle" to login input for cross-app autocomplete by gxjansen · Pull Request #149 · barazo-forum/barazo-web · GitHub

trezy.codes · March 4, 2026, 2:34pm

Browsers and password managers can use the name field to determine autofill, but the autocomplete property is the proper way to accomplish this. Here’s what I use for atproto handle inputs on Cartridge:

<input
  autocomplete="username"
  name="handle"
  pattern="(\\w+\\.)+\\w+"
  type="text">

name - This just gives the form a key for the input in its FormData. Using it for anything beyond that is outside of the HTML spec. The only reason it works in select cases is because these applications are trying to be helpful for users on websites that don’t properly use the autocomplete attribute.
autocomplete - Setting this to username is the appropriate analog for atproto domain handles.
type - I use text instead of url because not all browsers properly validate this. Some require a scheme like http://, others validate the TLD against an out-of-date list so handles like mine with newer TLDs (e.g. .codes) don’t validate.
pattern - The pattern I’m using is slightly too permissive for full validation but it does allow all valid handles to pass. This only matters if you check the input’s (or form’s) validity before submission using the ValidityState API.

ngerakines.me · March 4, 2026, 5:00pm

These are all valid inputs though:

ngerakines.me (handle hostname)
@ngerakines.me (@handle syntax)
at://ngerakines.me (AT-URI with handle authority)
did:plc:cbkjy5n7bk3ax2wplmtjofq2 (plain did)
at://did:plc:cbkjy5n7bk3ax2wplmtjofq2 (AT-URI with DID authority)
https://pds.cauda.cloud (my pds)
https://morel.us-east.host.bsky.network/ (oath-protected-resource)
https://bsky.social (oauth-authorization-server)

trezy.codes · March 5, 2026, 1:29pm

if the input is labeled “Handle,” I wouldn’t expect it to take just any of those (maybe there’s a better way to communicate what’s allowed). The pattern is mostly unimportant in this context, tho. The autocomplete attribute is what matters. I can remove the pattern if it’s distracting from the topic.

ngerakines.me · March 5, 2026, 1:54pm

Sorry, fwiw I’m not harping on pattern. Just trying to say that autocomplete may mean different type of information and should probably reference multiple fields:

<input
  autocomplete="username handle did login-url"
  name="handle"
  type="text">

[autocomplete on MDN]

trezy.codes · March 5, 2026, 2:51pm

Ahh, sorry, I misunderstood. That’s an awesome addition.

sgo.to · March 9, 2026, 9:33pm

Yeah, autocomplete=”username” might be better than name=”username” :

uncenter.dev · April 1, 2026, 10:29pm

This seems like the best approach to go with. My one concern is that it seems a little unclear to me if those extra detail tokens after username in the autocomplete attribute are allowed / not inaccessible. Reading HTML attribute: autocomplete - HTML | MDN, I’m hoping that browsers and accessibility tools (and password managers alike) parse the details list and ignore the non-standard ones that follow?

Then, if we are providing these autocomplete details/hints, how do we make it useful - is it having password managers start recognizing it? There might be an open question here of how a password manager should even store a handle as an entry, to use in every atproto app.

One parting thought: how much bikeshedding is this worth if we could angle for FedCM with custom identity providers instead?

jauntywk.bsky.social · April 2, 2026, 2:13am

Hey folks. Thank you all so much for your contributions. I want to try to append some recommendations in the future but trying to figure out what exactly to say is hard & you all have so many good ideas!

I also want to share this link, which has some more really really good ideas for how to make the input box experience signficiantly better (thanks tyler.fun for posting): @tyler.fun on Bluesky