{"slug":"device-approval","title":"Device approval","tags":["tailscale","access-control","devices"],"agent_summary":"Last validated: Jan 5, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Device approval\r\n\r\nLast validated: Jan 5, 2026\r\n\r\nDevice approval is a feature that lets Tailscale network administrators\r\nreview and approve new devices before they can join your Tailscale network (known as a tailnet). Use device approval to ensure only trusted devices, such as workplace-managed laptops and\r\nphones, can access a network.\r\n\r\nDevice approvalis available for [all plans](https://tailscale.com/pricing).\r\n\r\n## [Enable device approval for your network](https://tailscale.com/docs/features/access-control/device-management/device-approval\\#enable-device-approval-for-your-network)\r\n\r\nYou must be an [Owner, Admin, or IT admin](https://tailscale.com/docs/reference/user-roles) of a tailnet to enable device approval.\r\n\r\nEnable device approval from the [Device management](https://login.tailscale.com/admin/settings/device-management) page of the admin console.\r\n\r\n![Enable device approval in the admin console.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fenable-approval.a39f688e.png&w=3840&q=75)\r\n\r\n## [Approve devices from the admin console](https://tailscale.com/docs/features/access-control/device-management/device-approval\\#approve-devices-from-the-admin-console)\r\n\r\nYou must be an [Owner, Admin, or IT admin](https://tailscale.com/docs/reference/user-roles) of a tailnet to approve devices.\r\n\r\nOnce this setting is enabled, a new device that accesses your network displays a\r\nnotification that the device is awaiting approval. A device awaiting approval\r\ncannot send or receive traffic on your Tailscale network until it is approved.\r\n\r\n![A notification informs the user that their device is awaiting approval.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fapprove-device-warning.03add323.png&w=3840&q=75)\r\n\r\nTo approve devices, open the [Machines](https://login.tailscale.com/admin/machines) page of the admin console.\r\nAt the top of the list you will find the device with a **Needs approval**\r\nbadge beneath it.\r\n\r\n![A device needing approval displays the Needs approval badge.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fapprove-device-tag.964c17f8.png&w=1080&q=75)\r\n\r\nYou can review details about the device and user before deciding whether to\r\napprove it. When you're ready to approve the device, select the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu and\r\nselect **Approve** to allow the device to connect to your network.\r\n\r\n![Approve the device to connect to your network.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fapprove-device.5f06e0fc.png&w=828&q=75)\r\n\r\nAfter approval, the device will immediately be able to connect.\r\nNo restarts or toggling needed.\r\n\r\n## [Pre-approve devices with an auth key](https://tailscale.com/docs/features/access-control/device-management/device-approval\\#pre-approve-devices-with-an-auth-key)\r\n\r\nWhen you generate a new [auth key](https://tailscale.com/docs/features/access-control/auth-keys), you can specify that the key should automatically approve devices for which the auth key is used.\r\n\r\nTo do this, you must:\r\n\r\n1. Generate an auth key which is pre-approved.\r\n2. Then, specify that auth key when authenticating a device. The device is automatically approved.\r\n\r\n### [Generate an auth key which is pre-authorized](https://tailscale.com/docs/features/access-control/device-management/device-approval\\#generate-an-auth-key-which-is-pre-authorized)\r\n\r\nYou must be an [Owner, Admin, IT admin, or Network admin](https://tailscale.com/docs/reference/user-roles) of a tailnet to generate an auth key.\r\n\r\nYou can generate an auth key with a tag by using the admin console or by using the API.\r\n\r\nIn the admin console:\r\n\r\n1. Go to the [Keys](https://login.tailscale.com/admin/settings/keys) page in the admin console.\r\n2. In the **Auth keys** section, select **Generate auth key**.\r\n3. Select **Pre-approved**. This option is only available if device approval is enabled for the tailnet.\r\n4. Select **Generate** to generate the auth key.\r\n\r\n## [Automate device approval](https://tailscale.com/docs/features/access-control/device-management/device-approval\\#automate-device-approval)\r\n\r\nWhen using device approval, you can create a flow to automatically approve a device if it meets specific criteria, such as being on an internal device registry or passing a third-party posture check.\r\n\r\n1. Configure a [webhook](https://tailscale.com/docs/features/webhooks) for [`nodeNeedsApproval`](https://tailscale.com/docs/features/webhooks#events).\r\n2. Upon receiving webhook messages, verify the node against the information that you need.\r\n3. Approve the device by sending a POST request to the [device authorization API](https://tailscale.com/api#tag/devices/POST/device/%7BdeviceId%7D/authorized). For example:\r\n\r\n```shell\r\ncurl \"https://api.tailscale.com/api/v2/device/11055/authorized\" \\\r\n-u \"tskey-api-xxxxx:\" \\\r\n--data-binary '{\"authorized\": true}'\r\n```\r\n\r\nYou can also revoke the authorization for a device by calling the same API with `{\"authorized\": false}` as the payload.\r\n\r\n## [Limitations](https://tailscale.com/docs/features/access-control/device-management/device-approval\\#limitations)\r\n\r\nDevice approval applies to actual devices (like phones, laptops, or virtual machines) rather than tailnet nodes that appear in the admin console. A node is owned by a particular user or a tag, while a device could be shared between multiple users. For a shared device, approval will only be required once, regardless of how many users share it or the number of tailnet nodes created with it. Use [device postures](https://tailscale.com/docs/features/device-posture) for more granular node access management.\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Device approval</h1>\n<p>Last validated: Jan 5, 2026</p>\n<p>Device approval is a feature that lets Tailscale network administrators\r\nreview and approve new devices before they can join your Tailscale network (known as a tailnet). Use device approval to ensure only trusted devices, such as workplace-managed laptops and\r\nphones, can access a network.</p>\n<p>Device approvalis available for <a href=\"https://tailscale.com/pricing\">all plans</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/features/access-control/device-management/device-approval#enable-device-approval-for-your-network\">Enable device approval for your network</a></h2>\n<p>You must be an <a href=\"https://tailscale.com/docs/reference/user-roles\">Owner, Admin, or IT admin</a> of a tailnet to enable device approval.</p>\n<p>Enable device approval from the <a href=\"https://login.tailscale.com/admin/settings/device-management\">Device management</a> page of the admin console.</p>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fenable-approval.a39f688e.png&#x26;w=3840&#x26;q=75\" alt=\"Enable device approval in the admin console.\"></p>\n<h2><a href=\"https://tailscale.com/docs/features/access-control/device-management/device-approval#approve-devices-from-the-admin-console\">Approve devices from the admin console</a></h2>\n<p>You must be an <a href=\"https://tailscale.com/docs/reference/user-roles\">Owner, Admin, or IT admin</a> of a tailnet to approve devices.</p>\n<p>Once this setting is enabled, a new device that accesses your network displays a\r\nnotification that the device is awaiting approval. A device awaiting approval\r\ncannot send or receive traffic on your Tailscale network until it is approved.</p>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fapprove-device-warning.03add323.png&#x26;w=3840&#x26;q=75\" alt=\"A notification informs the user that their device is awaiting approval.\"></p>\n<p>To approve devices, open the <a href=\"https://login.tailscale.com/admin/machines\">Machines</a> page of the admin console.\r\nAt the top of the list you will find the device with a <strong>Needs approval</strong>\r\nbadge beneath it.</p>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fapprove-device-tag.964c17f8.png&#x26;w=1080&#x26;q=75\" alt=\"A device needing approval displays the Needs approval badge.\"></p>\n<p>You can review details about the device and user before deciding whether to\r\napprove it. When you're ready to approve the device, select the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu and\r\nselect <strong>Approve</strong> to allow the device to connect to your network.</p>\n<p><img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fapprove-device.5f06e0fc.png&#x26;w=828&#x26;q=75\" alt=\"Approve the device to connect to your network.\"></p>\n<p>After approval, the device will immediately be able to connect.\r\nNo restarts or toggling needed.</p>\n<h2><a href=\"https://tailscale.com/docs/features/access-control/device-management/device-approval#pre-approve-devices-with-an-auth-key\">Pre-approve devices with an auth key</a></h2>\n<p>When you generate a new <a href=\"https://tailscale.com/docs/features/access-control/auth-keys\">auth key</a>, you can specify that the key should automatically approve devices for which the auth key is used.</p>\n<p>To do this, you must:</p>\n<ol>\n<li>Generate an auth key which is pre-approved.</li>\n<li>Then, specify that auth key when authenticating a device. The device is automatically approved.</li>\n</ol>\n<h3><a href=\"https://tailscale.com/docs/features/access-control/device-management/device-approval#generate-an-auth-key-which-is-pre-authorized\">Generate an auth key which is pre-authorized</a></h3>\n<p>You must be an <a href=\"https://tailscale.com/docs/reference/user-roles\">Owner, Admin, IT admin, or Network admin</a> of a tailnet to generate an auth key.</p>\n<p>You can generate an auth key with a tag by using the admin console or by using the API.</p>\n<p>In the admin console:</p>\n<ol>\n<li>Go to the <a href=\"https://login.tailscale.com/admin/settings/keys\">Keys</a> page in the admin console.</li>\n<li>In the <strong>Auth keys</strong> section, select <strong>Generate auth key</strong>.</li>\n<li>Select <strong>Pre-approved</strong>. This option is only available if device approval is enabled for the tailnet.</li>\n<li>Select <strong>Generate</strong> to generate the auth key.</li>\n</ol>\n<h2><a href=\"https://tailscale.com/docs/features/access-control/device-management/device-approval#automate-device-approval\">Automate device approval</a></h2>\n<p>When using device approval, you can create a flow to automatically approve a device if it meets specific criteria, such as being on an internal device registry or passing a third-party posture check.</p>\n<ol>\n<li>Configure a <a href=\"https://tailscale.com/docs/features/webhooks\">webhook</a> for <a href=\"https://tailscale.com/docs/features/webhooks#events\"><code>nodeNeedsApproval</code></a>.</li>\n<li>Upon receiving webhook messages, verify the node against the information that you need.</li>\n<li>Approve the device by sending a POST request to the <a href=\"https://tailscale.com/api#tag/devices/POST/device/%7BdeviceId%7D/authorized\">device authorization API</a>. For example:</li>\n</ol>\n<pre><code class=\"language-shell\">curl \"https://api.tailscale.com/api/v2/device/11055/authorized\" \\\r\n-u \"tskey-api-xxxxx:\" \\\r\n--data-binary '{\"authorized\": true}'\n</code></pre>\n<p>You can also revoke the authorization for a device by calling the same API with <code>{\"authorized\": false}</code> as the payload.</p>\n<h2><a href=\"https://tailscale.com/docs/features/access-control/device-management/device-approval#limitations\">Limitations</a></h2>\n<p>Device approval applies to actual devices (like phones, laptops, or virtual machines) rather than tailnet nodes that appear in the admin console. A node is owned by a particular user or a tag, while a device could be shared between multiple users. For a shared device, approval will only be required once, regardless of how many users share it or the number of tailnet nodes created with it. Use <a href=\"https://tailscale.com/docs/features/device-posture\">device postures</a> for more granular node access management.</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}