UX Patterns Guide
UI + UX Error Prevention And Recovery established

Typed confirmation

Require users to type a visible, exact target phrase such as a repository path, project slug, workspace name, or short destructive phrase before enabling the final commit, while preserving the broader consequence review and safe cancellation path.

Open in lab Compare alternatives
Decision first

Choose this pattern when the problem matches

Use when

  • A severe action affects repository, project, workspace, account, production, security, billing, or organization-wide scope.
  • The user could plausibly select or confirm the wrong target without reproducing its identifier.
  • The target identifier is short enough, stable enough, and safe enough to show and type.
  • The typed gate can be paired with loss inventory and safe cancellation rather than replacing them.

Avoid when

  • The action is routine, reversible, local, or recoverable through undo or trash restore.
  • The required phrase would be long, hidden, localized unpredictably, inaccessible, or hard to type on supported devices.
  • The text users would type is a secret, password, token, or credential.
  • The action needs a longer dependency-resolution workflow before users can reasonably confirm.
  • The confirmation adds no target certainty beyond a clear destructive review.

Problem it prevents

For severe destructive or irreversible actions, users can still confirm the wrong target if the final review only uses buttons, checkboxes, or generic phrases that do not force them to attend to the exact object or scope.

Pattern anatomy

What a strong implementation has to make clear

User need

The action affects broad, production, security-sensitive, account-level, repository-level, or organization-level scope.

Pattern promise

Require users to type a visible, exact target phrase such as a repository path, project slug, workspace name, or short destructive phrase before enabling the final commit, while preserving the broader consequence review and safe cancellation path.

Required state

No-typed-gate state for actions that do not need target-text escalation.

Recovery path

The gate proves only that users can type DELETE, not that they recognized the object.

Access contract

Associate the input with a label that includes or references the required phrase.

Quality bar

The difference between expert and weak execution

Strong implementation

Specific, visible, recoverable

  • Delete repository acme/payments-api? requires typing acme/payments-api, shows a mismatch until the exact path matches, and then enables Delete repository.
  • Delete production dataset ledger-prod? shows the dataset name, region, dependent jobs, and a visible field where users type ledger-prod before final deletion.
  • A user starts deleting acme/payments-api, mistypes the repository path, sees the mismatch, and cancels before deleting the wrong repository.
  • A user pastes a project path with a trailing space, sees that normalization trimmed whitespace but still requires the exact path text.
Weak implementation

Vague, hidden, hard to recover from

  • A dialog asks users to type YES before deleting a workspace, so the text does not verify the target object.
  • The typed field is masked like a password, making users unable to check the repository name they entered.
  • A user types DELETE by habit and passes the gate without checking which workspace will be removed.
  • A user on mobile cannot reproduce a hidden Unicode character in the required phrase and cannot finish the legitimate action.
UI guidance
  • Render a visible non-secret text field inside a destructive or high-consequence confirmation, labelled with the exact target phrase the user must type before the final action enables.
  • Place the required phrase, match rule, mismatch status, safe cancellation, and final destructive button in the same review surface so users can compare what they type against the actual object.
UX guidance
  • Use typed confirmation only when reproducing the target phrase meaningfully reduces severe wrong-object or wrong-scope mistakes, such as deleting a repository, project, account, workspace, production dataset, or root credential.
  • Treat typed confirmation as an escalation on top of consequence review: it verifies target intent but does not replace loss inventory, dependency checks, permissions, audit, recovery limits, or safe cancellation.
Implementation contract

What the implementation must handle

States

  • No-typed-gate state for actions that do not need target-text escalation.
  • Required phrase state showing the exact target phrase to reproduce.
  • Empty input state with the final action disabled.
  • Mismatch state explaining what does not match without committing the action.

Interaction

  • The required phrase is visible in the same confirmation surface as the input field.
  • The input stores ordinary text and must not use password masking or browser password managers.
  • The final action starts disabled and remains disabled until the typed value satisfies the documented match rule.
  • Changing the target object, selected scope, account, locale, or destructive mode clears the typed value.

Accessibility

  • Associate the input with a label that includes or references the required phrase.
  • Do not hide the typed value; typed confirmation is visible target text, not secret input.
  • Expose mismatch and exact-match status through text and programmatic status, not color alone.
  • Keep the safe cancellation path keyboard reachable and visible after the input.

Review

  • What exact wrong-object mistake does typing the phrase prevent?
  • Is the required phrase stable, visible, unique, and typeable on mobile?
  • What normalization rule decides a match, and is it explained to users?
  • What clears stale typed text when target or scope changes?
Interactive lab

Inspect the states before you copy the pattern

Type the exact target before severe commit

Type and paste repository names, inspect mismatch and exact-match states, switch targets to clear stale input, resolve dependency blocking, commit once, and compare yes-only, masked field, partial match, stale target, impossible phrase, and logging-risk misuse.

Typed confirmation
Interactive demo is ready

Launch the live UI/UX lab when you want to inspect states, keyboard behavior, and common failure modes.

State To Inspect

No-typed-gate state for actions that do not need target-text escalation.

Keyboard / Access

Tab reaches the required phrase context, typed confirmation input, safe action, and disabled or enabled final action in a predictable order.

Avoid Generating

Requiring users to type yes, confirm, or delete instead of the target name.
Evidence trail

Source-backed claims behind this guidance

GitLab Docs: Delete a project

GitLab - checked

GitLab project deletion requires entering the project name in the confirmation dialog before deleting.

Full agent/debug reference

Problem Context

  • The action affects broad, production, security-sensitive, account-level, repository-level, or organization-level scope.
  • A wrong-object mistake would be difficult or impossible to recover from even after ordinary destructive confirmation.
  • The target has a stable identifier users can read and type, such as owner/name, project slug, dataset name, account email, or a short action phrase.
  • The interface already has a destructive action confirmation or high-consequence dialog where typed confirmation can be added without hiding loss information.

Selection Rules

  • Choose typed confirmation when exact target reproduction materially lowers the risk of deleting or resetting the wrong object.
  • Use a target-specific required phrase such as owner/repository, namespace/project, workspace slug, dataset name, or account email.
  • Use a short action phrase only when no stable object identifier exists, and keep it specific to the destructive act.
  • Keep typed confirmation visible and unmasked; it is not a password or secret.
  • Disable the final action until the match rule passes and any dependency or acknowledgement requirements are satisfied.
  • Explain whether matching is case-sensitive, whitespace-normalized, locale-aware, or requires the full path.
  • Do not ask for typed confirmation on routine actions, soft delete to trash, reversible cleanup, or high-frequency flows.
  • Do not use typed confirmation as the only safeguard for broad deletion; still show scope, loss inventory, permissions, recovery limits, and final status.
  • Prefer ordinary destructive action confirmation when the object name is short, low-risk, or already unambiguous enough that typing adds only friction.

Required States

  • No-typed-gate state for actions that do not need target-text escalation.
  • Required phrase state showing the exact target phrase to reproduce.
  • Empty input state with the final action disabled.
  • Mismatch state explaining what does not match without committing the action.
  • Exact-match state enabling the final action only after all other blockers pass.
  • Pasted text and whitespace state that handles trailing spaces, line breaks, and copy errors predictably.
  • Target changed state that clears stale typed text when the selected object changes.
  • Dependency-blocked state where exact match is not enough until jobs, locks, permissions, or billing blockers resolve.
  • Committed outcome state that reports the severe action after deliberate typed confirmation.

Interaction Contract

  • The required phrase is visible in the same confirmation surface as the input field.
  • The input stores ordinary text and must not use password masking or browser password managers.
  • The final action starts disabled and remains disabled until the typed value satisfies the documented match rule.
  • Changing the target object, selected scope, account, locale, or destructive mode clears the typed value.
  • Mismatch feedback updates as users type without announcing every character as an error.
  • Pasting is allowed unless policy has a strong reason to block it; pasted values still pass through the same match rule.
  • The safe cancel action remains available before and after typing.
  • The typed phrase is not logged in analytics unless it is already a non-sensitive public identifier and logging is explicitly safe.

Implementation Checklist

  • Select the shortest stable phrase that uniquely identifies the target and can be typed on supported devices.
  • Display the required phrase in selectable text near the input label.
  • Define match normalization for case, Unicode normalization, leading and trailing whitespace, line breaks, and locale.
  • Use an ordinary text input with autocomplete off when appropriate, not a password field.
  • Clear the field when target, scope, account, or destructive action changes.
  • Pair the typed gate with loss inventory, dependency checks, safe cancellation, and duplicate-submit prevention.
  • Show mismatch and exact-match status without relying only on color.
  • Test keyboard entry, paste, screen-reader labels, mobile keyboards, zoom, long repository paths, and localized object names.
  • Avoid collecting typed confirmation text in analytics, replay, logs, or crash reports when it may contain private identifiers.

Common Generated-UI Mistakes

  • Requiring users to type yes, confirm, or delete instead of the target name.
  • Masking typed confirmation as if it were a password.
  • Accepting partial, stale, or wrong-target text.
  • Making typed confirmation the only safeguard while hiding the loss inventory.
  • Using typed confirmation for every delete action until users memorize the ritual.
  • Blocking paste or mobile entry in ways that make legitimate confirmation harder than the risk warrants.
  • Logging typed private object names through analytics or session replay.

Critique Questions

  • What exact wrong-object mistake does typing the phrase prevent?
  • Is the required phrase stable, visible, unique, and typeable on mobile?
  • What normalization rule decides a match, and is it explained to users?
  • What clears stale typed text when target or scope changes?
  • Does the field behave like visible text rather than a password?
  • Would ordinary destructive confirmation, undo, or restore-from-trash be enough?
  • What evidence proves the final action stayed disabled until the exact match and other blockers passed?
Accessibility
  • Associate the input with a label that includes or references the required phrase.
  • Do not hide the typed value; typed confirmation is visible target text, not secret input.
  • Expose mismatch and exact-match status through text and programmatic status, not color alone.
  • Keep the safe cancellation path keyboard reachable and visible after the input.
  • Avoid live-region noise on every keystroke; announce meaningful state changes such as match, mismatch after blur, and final action enabled.
  • Ensure long identifiers wrap and can be selected or copied without layout shift.
  • Support paste and input methods used by assistive technology unless a documented policy blocks paste.
Keyboard Behavior
  • Tab reaches the required phrase context, typed confirmation input, safe action, and disabled or enabled final action in a predictable order.
  • The destructive trigger opens the review; Enter inside the typed field should not commit while the final action is disabled.
  • The final action becomes reachable only after exact match and other blockers pass.
  • Escape or the safe action cancels without preserving stale typed text for a different target.
  • When the target changes, focus remains predictable and the cleared input is announced or visibly indicated.
  • After commit, focus moves to a stable deleted-status message or parent list.
Variants
  • Repository path typed confirmation
  • Project slug typed confirmation
  • Workspace name typed confirmation
  • Account email typed confirmation
  • Production dataset typed confirmation
  • Root key reset typed confirmation
  • Short phrase typed confirmation
  • Case-sensitive typed confirmation

Verification

Last verified: