HTML forms · 6 / 9
courses/HTML forms/Lesson 6
lesson 6

Autofill and autocomplete

The autocomplete attribute is a token list. Get the tokens right and password managers, mobile keyboards, and one-tap fill all line up.

~ 13 min read·lesson 6 of 9
0 / 9

You have probably typed your address into a form 200 times. The browser knows it. Your password manager knows it. The only reason it does not auto-fill is that your form has not told the browser what each field is.

The vehicle for that information is the autocomplete attribute. It is not just on or off — it is a long list of named values, each describing a piece of personal data. Get them right and the user fills the whole form with one tap.

The token list

The autocomplete attribute takes a single token (or sometimes a space-separated list). Each token describes the kind of data the field holds.

basic-tokens.html
<input name="name" autocomplete="name">
<input name="email" autocomplete="email">
<input name="tel" autocomplete="tel">
<input name="url" autocomplete="url">

The tokens are pre-defined in the HTML spec — you cannot make them up. The browser only fills fields it recognizes by token, not by name. That is why a field called name="email_address" without the autocomplete attribute is invisible to autofill.

A short list of common tokens:

  • name — full name. Or split: given-name (first), family-name (last), additional-name (middle).
  • email — email address.
  • tel — phone, full international format. Or tel-national, tel-country-code, tel-area-code.
  • url — a URL.
  • organization — company name. organization-title for job title.
  • bday — birthday, full date. Or bday-day, bday-month, bday-year.

Pick the most specific token that matches the field. name versus given-name matters when the form splits first and last names into two inputs.

name-fields.html
<label>First name <input name="first" autocomplete="given-name"></label>
<label>Last name <input name="last" autocomplete="family-name"></label>

The autofill suggestion now lands the right name in the right field. Without the tokens, the browser would have to guess.

Username and password sections

Password managers care about three tokens above all others.

  • username — the username or email used to log in.
  • current-password — the password the user is currently logging in with.
  • new-password — the password the user is creating or changing to.

The distinction between current-password and new-password is what makes password managers work cleanly:

login.html
<form action="/login" method="post">
<label>Email <input name="email" autocomplete="username"></label>
<label>Password <input type="password" name="pw" autocomplete="current-password"></label>
<button type="submit">Log in</button>
</form>

The password manager sees current-password and offers to fill the saved password. It does not offer to generate a new one — that would be wrong here.

signup.html
<form action="/signup" method="post">
<label>Email <input name="email" autocomplete="username"></label>
<label>Password <input type="password" name="pw" autocomplete="new-password"></label>
<label>Confirm <input type="password" name="pw2" autocomplete="new-password"></label>
<button type="submit">Sign up</button>
</form>

Same form skeleton, different tokens. The password manager now offers to generate a strong password and remember it. The two new-password fields tell it "this is a fresh credential being created".

For the email/username, the same autocomplete="username" token works on both forms — login and signup. The distinction is the password's token, not the username's.

Tip

The username token still applies even when the field is an email — the password manager pairs whatever the user uses to sign in (email, handle, account number) with the password. Use type="email" for the keyboard and validation, plus autocomplete="username" for the manager.

check your understanding
You build a "change password" form: current password field, new password field, confirm new password field. Which set of autocomplete tokens is right?

Addresses, phones, payments

Address tokens use a shipping or billing prefix to disambiguate. Each address piece has its own token.

checkout.html
<fieldset>
<legend>Shipping address</legend>
<input name="ship_addr1" autocomplete="shipping address-line1">
<input name="ship_addr2" autocomplete="shipping address-line2">
<input name="ship_city" autocomplete="shipping address-level2">
<input name="ship_state" autocomplete="shipping address-level1">
<input name="ship_zip" autocomplete="shipping postal-code">
<input name="ship_country" autocomplete="shipping country">
</fieldset>

address-level1 is the largest subdivision (state, province), address-level2 is the next level down (city). The naming is unintuitive but standardized — copy it from a reference card and move on.

For payments, the spec defines a parallel set of cc-* tokens.

payment.html
<input name="card" autocomplete="cc-number" inputmode="numeric">
<input name="exp" autocomplete="cc-exp" placeholder="MM / YY">
<input name="cvc" autocomplete="cc-csc" inputmode="numeric">
<input name="name" autocomplete="cc-name">

Apple Pay, Google Pay, and most password managers fill these directly. A user with a saved card sees a "fill from saved card" option in their browser's autofill bar — three taps replaces six.

The full reference list of tokens is in the HTML spec. Skim it once, bookmark it, and you have the table you need for any form you build.

Watch out

Putting the wrong token on a credit card field is worse than not having one — the user's autofill might fill their card into a billing-address ZIP code field. Get the token right or leave it off.

When to turn it off

Sometimes you want autofill off. For example, a "Type the word DELETE to confirm" field — the browser should not offer to fill it.

off.html
<input name="confirm" autocomplete="off" required>

autocomplete="off" tells the browser not to suggest values. It does not prevent password managers from acting (they can override the hint). For the password-specific case, autocomplete="new-password" tends to be better than off — it tells the manager "do not fill the saved password here", which is usually what you actually want.

Browsers sometimes ignore autocomplete="off" on login fields, on the theory that users are better served by their saved passwords than by a developer's preference. That's a feature, not a bug. Plan around it: do not put critical UX on the assumption that autofill is silent.

Tip

Default to autocomplete on. Reach for off only when there is a real reason — a confirm-the-word field, a one-time-use coupon, a high-security re-authentication. Most fields work better when they fill.

check your understanding
You're building a login form. Your designer asks you to disable browser autofill on the email field "to keep the design clean". What's the right pushback?
check your understanding
A US-style address form has a "City" field and a "State" field. Which autocomplete tokens are right?
check your understanding
You set name="email_address" on an email field but do not set the autocomplete attribute. The user has saved their email in the browser but the field does not auto-fill. Why?
← previousThe Constraint Validation API6 / 9next →File inputs and uploads
← prevnext lesson →
KeepLearningcertificate
for completing
HTML forms
0 of 9 read