{"slug":"auth-keys","title":"Auth keys","tags":["tailscale","auth","access-control"],"agent_summary":"Last validated: Dec 4, 2025","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Auth keys\r\n\r\nLast validated: Dec 4, 2025\r\n\r\nAuth keysare available for [all plans](https://tailscale.com/pricing).\r\n\r\nPre-authentication keys (called auth keys) let you register new nodes without needing to sign in using a web browser. This is most useful when spinning up containers, IoT devices, or using infrastructure-as-code systems like Terraform.\r\n\r\nAn auth key authenticates a device as the user who generated the key. That is, if Alice generates an auth key, and uses it to add a server to her tailnet, then that device is authenticated with Alice's identity. Think of it as logging into a device.\r\n\r\nHowever, if you use [tags](https://tailscale.com/docs/features/tags#best-practices) with an auth key, after a device logs in as the user who generated the auth key, the device assumes the identity of the auth key's tags.\r\n\r\nAs an alternative to directly creating auth keys, consider using an [OAuth client](https://tailscale.com/docs/features/oauth-clients). You can use an OAuth client and the [Tailscale API](https://tailscale.com/docs/reference/tailscale-api) to programmatically create auth keys.\r\n\r\n## [Types of auth keys](https://tailscale.com/docs/features/access-control/auth-keys\\#types-of-auth-keys)\r\n\r\nAuth keys can either be:\r\n\r\n- **One-off**, for one-time use. They can only be used to connect a device or server one time. This is meant for situations where you can't authenticate on the device yourself, so using a key is more practical. For example, a cloud server might use a one-off key to connect.\r\n- **Reusable**, for multiple uses. They can be used to connect multiple devices. For example, multiple instances of an on-premises database might use a reusable key to connect.\r\n\r\n**Be very careful with reusable keys!** These can be very dangerous if stolen. They're best kept in a key vault product specially designed for the purpose.\r\n\r\n## [Key expiry](https://tailscale.com/docs/features/access-control/auth-keys\\#key-expiry)\r\n\r\nAn auth key automatically expires after the number of days you specified when you generated the key. You can choose the number of days, between 1 and 90 inclusive, for the key expiry. If you don't specify an expiry time, the auth key will expire after the maximum of 90 days. If you want to continue using an auth key after it expires, you need to generate a new key.\r\n\r\nYou can enable or disable key expiry on a device by using the [Machines](https://login.tailscale.com/admin/machines) page of the admin console and by using the [Update device key](https://tailscale.com/api#tag/devices/POST/device/%7BdeviceId%7D/key) method in the [Tailscale API](https://tailscale.com/docs/reference/tailscale-api).\r\n\r\nIf an auth key expires, any device authorized by it remains authorized until its [node key](https://tailscale.com/docs/features/access-control/key-expiry) expires. Each device generates a node key when you log in to Tailscale and uses it to identify itself to the tailnet. By default, node keys automatically expire every 180 days. You can change the default node key expiry from the **Key Expiry** section of the [Device management](https://login.tailscale.com/admin/settings/device-management) page of the admin console.\r\n\r\n[Review key management](https://tailscale.com/blog/tailscale-key-management#node-keys).\r\n\r\n### [Key expiry for tagged devices](https://tailscale.com/docs/features/access-control/auth-keys\\#key-expiry-for-tagged-devices)\r\n\r\nKey expiry for [tagged](https://tailscale.com/docs/features/tags#best-practices) devices is disabled by default. If you change the tags on the device through the admin console, [Tailscale CLI](https://tailscale.com/docs/reference/tailscale-cli), or [Tailscale API](https://tailscale.com/docs/reference/tailscale-api), the device's key expiry will not change unless you re-authenticate. That is, if it is enabled, it stays enabled; and if it is disabled, it stays disabled. After you re-authenticate, the device's key expiry will be disabled.\r\n\r\nYou can find recently revoked or expired keys on the [Keys](https://login.tailscale.com/admin/settings/keys) page of the admin console.\r\n\r\n## [Generate an auth key](https://tailscale.com/docs/features/access-control/auth-keys\\#generate-an-auth-key)\r\n\r\nYou must be an [Owner, Admin, IT admin, or Network admin](https://tailscale.com/docs/reference/user-roles) of a tailnet to generate a key.\r\n\r\nTo generate an auth key:\r\n\r\n1. Open the [Keys](https://login.tailscale.com/admin/settings/keys) page of the admin console.\r\n\r\n2. Select **Generate auth key**.\r\n\r\n3. Fill out the form fields to specify characteristics about the auth key, such as the description, [whether its reusable](https://tailscale.com/docs/features/access-control/auth-keys#types-of-auth-keys), when it expires, and device settings.\r\n\r\nThe device settings section lets you set special characteristic for the auth key:\r\n   - Enable **Ephemeral** to automatically remove the auth key after the device goes offline.\r\n   - Enable **Pre-approved** to automatically authorize a device if you have [device approval](https://tailscale.com/docs/features/access-control/device-management/device-approval) enabled for your tailnet.\r\n   - Enable **Tags** to automatically [tag](https://tailscale.com/docs/features/tags#best-practices) devices that use the auth key.\r\n4. Select **Generate key**.\r\n\r\n\r\n## [Register a node with the auth key](https://tailscale.com/docs/features/access-control/auth-keys\\#register-a-node-with-the-auth-key)\r\n\r\nWhen you register a node, use the `--auth-key` option in the [`tailscale up`](https://tailscale.com/docs/reference/tailscale-cli/up) command to supply the key and bypass interactive login:\r\n\r\n```shell\r\nsudo tailscale up --auth-key=tskey-abcdef1432341818\r\n```\r\n\r\nTailscale-generated auth keys are case-sensitive.\r\n\r\n## [Revoke an auth key](https://tailscale.com/docs/features/access-control/auth-keys\\#revoke-an-auth-key)\r\n\r\nYou must be an [Owner, Admin, IT admin, or Network admin](https://tailscale.com/docs/reference/user-roles) of a tailnet to revoke a key. And you can revoke only your own keys. Tailscale automatically revokes [one-off keys](https://tailscale.com/docs/features/access-control/auth-keys#authkey-one-off) after they are used.\r\n\r\nTo revoke a key:\r\n\r\n1. Open the [Keys](https://login.tailscale.com/admin/settings/keys) page of the admin console.\r\n2. Locate the key in the table at the bottom, and select **Revoke**.\r\n\r\nRevoking a key does not deauthorize nodes using the key. To deauthorize a node, delete it from the [Machines](https://login.tailscale.com/admin/machines) page.\r\n\r\n## [Best practices](https://tailscale.com/docs/features/access-control/auth-keys\\#best-practices)\r\n\r\nDepending on what devices you're authenticating, consider using an auth key that is:\r\n\r\n- **Ephemeral**, for authenticating [ephemeral nodes](https://tailscale.com/docs/features/ephemeral-nodes) as part of short-lived workloads. Because node keys do not persist when a workload restarts, they reconnect as a different node. Tailscale automatically removes inactive nodes. For example, containers or Lambda functions should use an ephemeral key to connect.\r\n- **Pre-approved**, for servers. If your tailnet has [device approval](https://tailscale.com/docs/features/access-control/device-management/device-approval) enabled, this lets you add a device to your tailnet without further authorization. For example, shared devices, such as servers, should use a pre-approved auth key to connect in a network with device approval.\r\n- **Pre-signed**, for nodes whose auth keys are signed locally on a [signing node](https://tailscale.com/docs/features/tailnet-lock#add-a-node-to-a-locked-tailnet), which applies to tailnets with [Tailnet Lock](https://tailscale.com/docs/features/tailnet-lock) enabled. You can make an auth key (created by any means) pre-signed only by using the [`tailscale lock sign`](https://tailscale.com/docs/reference/tailscale-cli/lock#lock-sign) CLI command.\r\n- **Tagged**, for servers. You can automatically apply a tag to a device by including the [tag](https://tailscale.com/docs/features/tags#best-practices) in the auth key. Access control policies restricting the device's permissions based on the tag apply after provisioning the device. For example, shared devices, such as servers, should use a tagged auth key to connect.\r\n","html":"<h1>Auth keys</h1>\n<p>Last validated: Dec 4, 2025</p>\n<p>Auth keysare available for <a href=\"https://tailscale.com/pricing\">all plans</a>.</p>\n<p>Pre-authentication keys (called auth keys) let you register new nodes without needing to sign in using a web browser. This is most useful when spinning up containers, IoT devices, or using infrastructure-as-code systems like Terraform.</p>\n<p>An auth key authenticates a device as the user who generated the key. That is, if Alice generates an auth key, and uses it to add a server to her tailnet, then that device is authenticated with Alice's identity. Think of it as logging into a device.</p>\n<p>However, if you use <a href=\"https://tailscale.com/docs/features/tags#best-practices\">tags</a> with an auth key, after a device logs in as the user who generated the auth key, the device assumes the identity of the auth key's tags.</p>\n<p>As an alternative to directly creating auth keys, consider using an <a href=\"https://tailscale.com/docs/features/oauth-clients\">OAuth client</a>. You can use an OAuth client and the <a href=\"https://tailscale.com/docs/reference/tailscale-api\">Tailscale API</a> to programmatically create auth keys.</p>\n<h2><a href=\"https://tailscale.com/docs/features/access-control/auth-keys#types-of-auth-keys\">Types of auth keys</a></h2>\n<p>Auth keys can either be:</p>\n<ul>\n<li><strong>One-off</strong>, for one-time use. They can only be used to connect a device or server one time. This is meant for situations where you can't authenticate on the device yourself, so using a key is more practical. For example, a cloud server might use a one-off key to connect.</li>\n<li><strong>Reusable</strong>, for multiple uses. They can be used to connect multiple devices. For example, multiple instances of an on-premises database might use a reusable key to connect.</li>\n</ul>\n<p><strong>Be very careful with reusable keys!</strong> These can be very dangerous if stolen. They're best kept in a key vault product specially designed for the purpose.</p>\n<h2><a href=\"https://tailscale.com/docs/features/access-control/auth-keys#key-expiry\">Key expiry</a></h2>\n<p>An auth key automatically expires after the number of days you specified when you generated the key. You can choose the number of days, between 1 and 90 inclusive, for the key expiry. If you don't specify an expiry time, the auth key will expire after the maximum of 90 days. If you want to continue using an auth key after it expires, you need to generate a new key.</p>\n<p>You can enable or disable key expiry on a device by using the <a href=\"https://login.tailscale.com/admin/machines\">Machines</a> page of the admin console and by using the <a href=\"https://tailscale.com/api#tag/devices/POST/device/%7BdeviceId%7D/key\">Update device key</a> method in the <a href=\"https://tailscale.com/docs/reference/tailscale-api\">Tailscale API</a>.</p>\n<p>If an auth key expires, any device authorized by it remains authorized until its <a href=\"https://tailscale.com/docs/features/access-control/key-expiry\">node key</a> expires. Each device generates a node key when you log in to Tailscale and uses it to identify itself to the tailnet. By default, node keys automatically expire every 180 days. You can change the default node key expiry from the <strong>Key Expiry</strong> section of the <a href=\"https://login.tailscale.com/admin/settings/device-management\">Device management</a> page of the admin console.</p>\n<p><a href=\"https://tailscale.com/blog/tailscale-key-management#node-keys\">Review key management</a>.</p>\n<h3><a href=\"https://tailscale.com/docs/features/access-control/auth-keys#key-expiry-for-tagged-devices\">Key expiry for tagged devices</a></h3>\n<p>Key expiry for <a href=\"https://tailscale.com/docs/features/tags#best-practices\">tagged</a> devices is disabled by default. If you change the tags on the device through the admin console, <a href=\"https://tailscale.com/docs/reference/tailscale-cli\">Tailscale CLI</a>, or <a href=\"https://tailscale.com/docs/reference/tailscale-api\">Tailscale API</a>, the device's key expiry will not change unless you re-authenticate. That is, if it is enabled, it stays enabled; and if it is disabled, it stays disabled. After you re-authenticate, the device's key expiry will be disabled.</p>\n<p>You can find recently revoked or expired keys on the <a href=\"https://login.tailscale.com/admin/settings/keys\">Keys</a> page of the admin console.</p>\n<h2><a href=\"https://tailscale.com/docs/features/access-control/auth-keys#generate-an-auth-key\">Generate an auth key</a></h2>\n<p>You must be an <a href=\"https://tailscale.com/docs/reference/user-roles\">Owner, Admin, IT admin, or Network admin</a> of a tailnet to generate a key.</p>\n<p>To generate an auth key:</p>\n<ol>\n<li>\n<p>Open the <a href=\"https://login.tailscale.com/admin/settings/keys\">Keys</a> page of the admin console.</p>\n</li>\n<li>\n<p>Select <strong>Generate auth key</strong>.</p>\n</li>\n<li>\n<p>Fill out the form fields to specify characteristics about the auth key, such as the description, <a href=\"https://tailscale.com/docs/features/access-control/auth-keys#types-of-auth-keys\">whether its reusable</a>, when it expires, and device settings.</p>\n</li>\n</ol>\n<p>The device settings section lets you set special characteristic for the auth key:</p>\n<ul>\n<li>Enable <strong>Ephemeral</strong> to automatically remove the auth key after the device goes offline.</li>\n<li>Enable <strong>Pre-approved</strong> to automatically authorize a device if you have <a href=\"https://tailscale.com/docs/features/access-control/device-management/device-approval\">device approval</a> enabled for your tailnet.</li>\n<li>Enable <strong>Tags</strong> to automatically <a href=\"https://tailscale.com/docs/features/tags#best-practices\">tag</a> devices that use the auth key.</li>\n</ul>\n<ol start=\"4\">\n<li>Select <strong>Generate key</strong>.</li>\n</ol>\n<h2><a href=\"https://tailscale.com/docs/features/access-control/auth-keys#register-a-node-with-the-auth-key\">Register a node with the auth key</a></h2>\n<p>When you register a node, use the <code>--auth-key</code> option in the <a href=\"https://tailscale.com/docs/reference/tailscale-cli/up\"><code>tailscale up</code></a> command to supply the key and bypass interactive login:</p>\n<pre><code class=\"language-shell\">sudo tailscale up --auth-key=tskey-abcdef1432341818\n</code></pre>\n<p>Tailscale-generated auth keys are case-sensitive.</p>\n<h2><a href=\"https://tailscale.com/docs/features/access-control/auth-keys#revoke-an-auth-key\">Revoke an auth key</a></h2>\n<p>You must be an <a href=\"https://tailscale.com/docs/reference/user-roles\">Owner, Admin, IT admin, or Network admin</a> of a tailnet to revoke a key. And you can revoke only your own keys. Tailscale automatically revokes <a href=\"https://tailscale.com/docs/features/access-control/auth-keys#authkey-one-off\">one-off keys</a> after they are used.</p>\n<p>To revoke a key:</p>\n<ol>\n<li>Open the <a href=\"https://login.tailscale.com/admin/settings/keys\">Keys</a> page of the admin console.</li>\n<li>Locate the key in the table at the bottom, and select <strong>Revoke</strong>.</li>\n</ol>\n<p>Revoking a key does not deauthorize nodes using the key. To deauthorize a node, delete it from the <a href=\"https://login.tailscale.com/admin/machines\">Machines</a> page.</p>\n<h2><a href=\"https://tailscale.com/docs/features/access-control/auth-keys#best-practices\">Best practices</a></h2>\n<p>Depending on what devices you're authenticating, consider using an auth key that is:</p>\n<ul>\n<li><strong>Ephemeral</strong>, for authenticating <a href=\"https://tailscale.com/docs/features/ephemeral-nodes\">ephemeral nodes</a> as part of short-lived workloads. Because node keys do not persist when a workload restarts, they reconnect as a different node. Tailscale automatically removes inactive nodes. For example, containers or Lambda functions should use an ephemeral key to connect.</li>\n<li><strong>Pre-approved</strong>, for servers. If your tailnet has <a href=\"https://tailscale.com/docs/features/access-control/device-management/device-approval\">device approval</a> enabled, this lets you add a device to your tailnet without further authorization. For example, shared devices, such as servers, should use a pre-approved auth key to connect in a network with device approval.</li>\n<li><strong>Pre-signed</strong>, for nodes whose auth keys are signed locally on a <a href=\"https://tailscale.com/docs/features/tailnet-lock#add-a-node-to-a-locked-tailnet\">signing node</a>, which applies to tailnets with <a href=\"https://tailscale.com/docs/features/tailnet-lock\">Tailnet Lock</a> enabled. You can make an auth key (created by any means) pre-signed only by using the <a href=\"https://tailscale.com/docs/reference/tailscale-cli/lock#lock-sign\"><code>tailscale lock sign</code></a> CLI command.</li>\n<li><strong>Tagged</strong>, for servers. You can automatically apply a tag to a device by including the <a href=\"https://tailscale.com/docs/features/tags#best-practices\">tag</a> in the auth key. Access control policies restricting the device's permissions based on the tag apply after provisioning the device. For example, shared devices, such as servers, should use a tagged auth key to connect.</li>\n</ul>\n"}