{"slug":"group-devices-with-tags","title":"Group devices with tags","tags":["tailscale","devices"],"agent_summary":"Last validated: Dec 4, 2025","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Group devices with tags\r\n\r\nLast validated: Dec 4, 2025\r\n\r\nTagsare available for [all plans](https://tailscale.com/pricing).\r\n\r\nAll plans include 50 tagged devices. If you need more than 50 tagged devices, contact our [Sales team](https://tailscale.com/contact/sales).\r\n\r\nTailscale tags are how you authenticate and identify non-user devices, such as servers and [ephemeral nodes](https://tailscale.com/docs/features/ephemeral-nodes). They serve two primary purposes: to provide an identity to non-user devices and to let you manage [access control policies](https://tailscale.com/docs/features/access-control) based on _purpose_. In this context, a purpose could be anything from hosting a web server to serving as a [subnet router](https://tailscale.com/docs/features/subnet-routers) for employees in a specific geographic location.\r\n\r\nTags are essentially service accounts, but with more flexibility⎯you can assign multiple tags to a device to account for multiple purposes. For example, you might have a device that runs a PostgreSQL database and serves as a web server for internal access. In such a scenario, you could assign the device the following tags (each of which you could target individually using access control policies): `tag:postgresql`, `tag:internal-access`, and `tag:web-server`.\r\n\r\nOther key characteristics of tags include:\r\n\r\n- Applying a tag to a device removes any user-based authentication.\r\n- Each non-user device can have as many tags as you need.\r\n- Tags are defined in the tailnet policy file in the `tagOwners` section.\r\n- Only designated tag owners can apply tags to devices; each tag can have as many owners as necessary.\r\n\r\n## [Requirements](https://tailscale.com/docs/features/tags\\#requirements)\r\n\r\nTags are a free feature and are available for all pricing plans. However, you must have permission to perform some tag-related operations:\r\n\r\n- You must be an [Owner, Admin, or Network admin](https://tailscale.com/docs/reference/user-roles) of a tailnet to define a tag in the tailnet policy file.\r\n- You must be a tag owner to assign a tag to a device. [Owner, Admin, or Network admin](https://tailscale.com/docs/reference/user-roles) can apply any tag, even if they don't own the tag.\r\n\r\n## [Limitations](https://tailscale.com/docs/features/tags\\#limitations)\r\n\r\nTags have the following limitations and restrictions:\r\n\r\n- You cannot remove all tags from a device. A device with a tag-based identity must have at least one tag.\r\n- You cannot remove tags using the `--advertise-tags` flag if the device uses an auth key. Instead, generate a new auth key with the latest set of tags.\r\n- [IP sets](https://tailscale.com/docs/features/tailnet-policy-file/ip-sets) do not support tags.\r\n- Devices with a tag-based identity can only SSH into other tagged devices; they cannot SSH into devices with a user-based identity.\r\n- Some restrictions exist around using tags to define a group or as the SSH source.\r\n\r\n## [Use cases](https://tailscale.com/docs/features/tags\\#use-cases)\r\n\r\nTags are ideal for managing devices you don't want to link to a specific user (such as a server hosting a web application) because removing a user also removes all their devices. If you link a service-providing device to a user, you lose that device if you remove the user. Removing a user won't affect the device if you use tags to manage the device instead. Do not use tags to associate a user device with a user account. Tags are not designed to tie individual users to a device. They're intended to manage devices with service account roles. Using tags as a substitute for users poses a security risk because the user's devices will remain on your network even if you remove the user.\r\n\r\nTags provide a way to allow multiple users to manage a device. When you manage devices with users, you must link each device to a single user, which isn't ideal for devices that host shared resources. However, when you manage devices with tags, you can assign one or more users as tag owners with tags. These users can manage all the devices with the tags they own.\r\n\r\n**Warnings about tags**\r\n\r\nOnly use tags for non-human machines. Users can only access and use Tailscale through their designated user accounts. Using tags to annotate user devices is poor practice because a device cannot simultaneously have a user and a tag. Adding a tag to a device removes the associated user. Devices can have tags or a user account, not both.\r\n\r\nUse tags to:\r\n\r\n- Manage devices you don't have tied to a specific user (such as a server hosting a web application).\r\n- Manage devices you want to allow multiple users to manage.\r\n\r\nDo not use tags to:\r\n\r\n- Annotate user devices.\r\n- Link a user device with a user.\r\n- Authenticate end-user devices, such as laptops or mobile devices.\r\n\r\n## [Ownership](https://tailscale.com/docs/features/tags\\#ownership)\r\n\r\nThere's no \"tag\" section of the tailnet policy file. Instead, you define tags by their owners in the `tagOwners` section of the tailnet policy file. Only owners of a tag can apply that tag to devices in your Tailscale network (known as a tailnet). Tag owners can be users, groups, or even other tags, which means you can create complex tag [ownership hierarchies](https://tailscale.com/docs/features/tags#advanced-tag-hierarchies).\r\n\r\nA tagged device's identity is the combination of all its tags (not the intersection). You can assign any number of tags to a device and manage the permissions for each tag separately. For example, if you have a device with the tags `tag:postgresql`, `tag:prod`, and `tag:ci-cd`, an access control policy for any one of these tags would apply to the device.\r\n\r\n[Owner, Admin, or Network admin](https://tailscale.com/docs/reference/user-roles) can apply any tag, even if they aren't tag owners.\r\n\r\n## [Tag vs. user authentication](https://tailscale.com/docs/features/tags\\#tag-vs-user-authentication)\r\n\r\nTags are parallel to user authentication. They serve the same role as a user account, except they're intended for service-based devices, such as a web server or an app connector. As a result, it's impossible for a user account identity and a tag identity to exist on the same device. Applying a tag to a device previously authenticated with a user account removes the user account. Similarly, authenticating a device with a user account removes all tags from the device.\r\n\r\nBecause tags are for non-user devices, they have qualities and limitations that make them unsuitable for authenticating end-user devices, such as a MacBook or a mobile device. For example, devices with a tag-based identity cannot use SSH to connect to a device with a user-based identity.\r\n\r\n## [Key expiry](https://tailscale.com/docs/features/tags\\#key-expiry)\r\n\r\nWhen you apply a tag to a device for the first time and authenticate it, the tagged device's key expiry is disabled by default.\r\n\r\nIf you re-authenticate a device tagged before March 10, 2022, its expiry will be disabled by default.\r\n\r\nIf you change the tags on the device from the admin console, [Tailscale CLI](https://tailscale.com/docs/reference/tailscale-cli), or the [Tailscale API](https://tailscale.com/docs/reference/tailscale-api), the device's key expiry will not change unless you re-authenticate. After you re-authenticate, Tailscale disables the device's key expiry.\r\n\r\nYou can enable or disable key expiry on a device from the [Machines](https://login.tailscale.com/admin/machines) page of the admin console or by using the Tailscale API.\r\n\r\n## [Tags in the Tailscale ecosystem](https://tailscale.com/docs/features/tags\\#tags-in-the-tailscale-ecosystem)\r\n\r\nLike many aspects of a tailnet, you can define and manage tags in the tailnet policy file. While limitations prevent you from using them to authenticate end-user devices, they work seamlessly with nearly every other Tailscale feature, including exit nodes, subnet routers, app connectors, access control lists, and grants.\r\n\r\n### [Exit nodes](https://tailscale.com/docs/features/tags\\#exit-nodes)\r\n\r\nUsing a device as an [exit node](https://tailscale.com/docs/features/exit-nodes) means that other tailnet devices can choose to route all their internet traffic through that device. Routing all traffic through an exit node lets you encrypt internet traffic and access internal networks. For example, you could run a device as an exit node in a corporate office. That way, employees can access the corporate office's internal network when they use that exit node. Although end-user devices can function as exit nodes, it's more common for exit nodes to use a tag-based identity.\r\n\r\n### [Subnet routers](https://tailscale.com/docs/features/tags\\#subnet-routers)\r\n\r\nA [subnet router](https://tailscale.com/docs/features/subnet-routers) is a tailnet device you use to advertise subnet routes to the rest of your tailnet. They're a great way to add entire subnets to your tailnet without installing the Tailscale client to any of the devices (except the subnet router). Although end-user devices can function as subnet routers, it's more common for subnet routers to use a tag-based identity.\r\n\r\n### [App connectors](https://tailscale.com/docs/features/tags\\#app-connectors)\r\n\r\nAn [app connector](https://tailscale.com/docs/features/app-connectors) is a device that routes app-specific traffic in your tailnet. A device running as an app connector is strictly a service-based device. As a result, you must use a tag-based identity to authenticate a device you plan to use as an app connector.\r\n\r\n### [Access controls](https://tailscale.com/docs/features/tags\\#access-controls)\r\n\r\nYou can use tags to select and target service-based devices in your tailnet to create access control policies using ACLs and grants. Because Tailscale can identify tagged devices by any one of their assigned tags, the access control policies that apply to a device with many tags could become complex. As a result, it's best practice to maintain clear documentation of how you leverage and manage tags in your tailnet.\r\n\r\n#### [ACLs](https://tailscale.com/docs/features/tags\\#acls)\r\n\r\nYou can use tags as part of [access control lists (ACLs)](https://tailscale.com/docs/features/access-control/acls) to make it easier to manage which types of devices should be able to communicate. For example, you might use a tag named `tag:prod` for production servers and production databases, then allow all devices with the `tag:prod` tag to communicate with each other.\r\n\r\nThe following example [tailnet policy file](https://tailscale.com/docs/reference/glossary#tailnet-policy-file) lets all devices tagged `tag:prod` communicate with each other.\r\n\r\n```json\r\n{\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\"tag:prod\"],\\\r\n      \"dst\": [\"tag:prod:*\"],\\\r\n    },\\\r\n  ],\r\n}\r\n```\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\nYou can also ensure that the ACLs for your tagged devices work as expected with [tests](https://tailscale.com/docs/reference/syntax/policy-file#tests), which verify your tailnet policy file before saving and applying it.\r\n\r\nFor example, to verify that your tailnet policy file lets users in the `tag:sre` group to access devices tagged `tag:prod`, you might write an ACL like the following example:\r\n\r\n```json\r\n\"tests\": [\\\r\n  {\\\r\n    \"src\": \"group:sre\",\\\r\n    \"accept\": [\"tag:prod:1234\"],\\\r\n  },\\\r\n],\r\n```\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\n#### [Grants](https://tailscale.com/docs/features/tags\\#grants)\r\n\r\nLike ACLs, you can use tags in grants to target a group of tagged devices. The following example grants devices with the `tag:prod` tag access to devices with the `tag:tailsql` tag.\r\n\r\n```json\r\n{\r\n  \"grants\": [\\\r\n    {\\\r\n      \"src\": [\"tag:prod\"],\\\r\n      \"dst\": [\"tag:tailsql\"],\\\r\n      \"ip\": [\"*\"]\\\r\n    }\\\r\n  ]\r\n}\r\n```\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\n### [Autogroups](https://tailscale.com/docs/features/tags\\#autogroups)\r\n\r\n[Autogroups](https://tailscale.com/docs/reference/targets-and-selectors) are pre-defined groups of devices in your tailnet that would be difficult to create as custom groups. One of these autogroups is `autogroup:tagged`, which selects all devices with a tag-based identity.\r\n\r\nYou cannot use `autogroup:tagged` to define an IP set or a custom group.\r\n\r\n## [Advanced tag hierarchies](https://tailscale.com/docs/features/tags\\#advanced-tag-hierarchies)\r\n\r\nDesignating tag owners is flexible by design. You can assign as many tag owners as you need to a device, and these tag owners can be users, groups, or other tags. Because you can assign a tag as an owner of another tag, it's possible to create complex hierarchies of tag ownership. As a result, it's best practice to maintain clear documentation of how you use tags and to audit tags using tools such as [access control policy tests](https://tailscale.com/docs/reference/syntax/policy-file#tests).\r\n\r\n## [Best practices](https://tailscale.com/docs/features/tags\\#best-practices)\r\n\r\nTo leverage tags effectively, consider the following best practices:\r\n\r\n- **Define clear naming conventions for tags**. Ideally, tag names should follow a consistent and descriptive pattern throughout your tailnet. Defining and enforcing a naming convention early on reduces the likelihood of problems such as ambiguous tag names later on. For example, a tag named \"foo-bar\" doesn't tell you anything about what the tag is intended for, but a tag name \"prod-postgresql-server\" tells you that the tag is for PostgreSQL servers in a production environment. However, even with descriptive names, it's a good idea to document your organization's tag conventions.\r\n- **Use auth keys**. By using [auth keys](https://tailscale.com/docs/features/access-control/auth-keys) with pre-assigned tags, you can streamline the process of authenticating and approving tagged devices.\r\n- **Don't use tags to authenticate user-owned devices**. Tags are intended to authenticate servers and devices that provide a service, which means they have qualities that make them unsuitable for end-user devices, such as a MacBook or an Android phone. Additionally, a device cannot simultaneously use tag-based and user-based identities. Adding a tag to a previously user-authenticated device removes the user's identity.\r\n- **Carefully consider each tag's owners**. Tags are defined by their owners in the `tagOwners` section of the tailnet policy file. Because of their flexibility and the ability for a tag to own another tag, tags can take on [complex ownership hierarchies](https://tailscale.com/docs/features/tags#advanced-tag-hierarchies).\r\n\r\n### [Common patterns for tag names](https://tailscale.com/docs/features/tags\\#common-patterns-for-tag-names)\r\n\r\nTags let you reflect access patterns and network segments based on your organization's requirements. These access patterns and network segments usually fall into a few common categories. Use consistent patterns for tag names based on these categories to make your access control policies easier to understand and maintain over time. Some common categories of access to consider in your tag names are:\r\n\r\n- **Server role**: for example, application server, database, or queue.\r\n- **Application name**: for example, support console, finance reporting, or operations dashboard.\r\n- **Environment**: for example, production, staging, or development\r\n- **Location**: for example, Americas, EMEA, South Asia.\r\n\r\nWhile a device can have many tags assigned to it, tags are not \"joined\" for access rules. For example, you cannot define a rule that permits access to devices with both `tag:prod` and `tag:database`. Instead, you can use a composite tag such as `tag:prod-database` to represent this type of segmented access pattern. Below are some examples of composite tags.\r\n\r\n| **Tag** | **Access control** |\r\n| --- | --- |\r\n| `tag:prod-app` | To production application servers |\r\n| `tag:nonprod-db` | To non-production database servers |\r\n| `tag:prod-app-finance-reporting` | To the production finance reporting application |\r\n| `tag:prod-emea-app-support-console` | To the production support console application in EMEA |\r\n| `tag:prod-asiasouth-ingest-logging` | To the production logging ingest endpoint in South Asia. |\r\n\r\n## [Working with tags](https://tailscale.com/docs/features/tags\\#working-with-tags)\r\n\r\nUse the following sections to find more information about working with tags:\r\n\r\n- [Define a tag](https://tailscale.com/docs/features/tags#define-a-tag).\r\n- [Define tag owners](https://tailscale.com/docs/features/tags#define-tag-owners).\r\n- [Apply tags to a device](https://tailscale.com/docs/features/tags#apply-a-tag-to-a-device).\r\n- [Apply a tag from another tag](https://tailscale.com/docs/features/tags#apply-a-tag-from-another-tag).\r\n\r\n### [Define a tag](https://tailscale.com/docs/features/tags\\#define-a-tag)\r\n\r\nBefore assigning a tag to a device, you must create the tag in the [tailnet policy file](https://tailscale.com/docs/reference/syntax/policy-file) and define who can use that tag to authenticate devices. You create a tag by defining it in the [`tagOwners`](https://tailscale.com/docs/reference/syntax/policy-file#tag-owners) section of the tailnet policy file.\r\n\r\nThe following example creates the tag `tag:server` and assigns `dave@example.com` as the sole owner. Only the tag owner can apply the tag.\r\n\r\n```json\r\n{\r\n  \"tagOwners\": {\r\n    \"tag:server\": [\"dave@example.com\"], // dave@example.com can authenticate devices with the tag:server tag\r\n  }\r\n}\r\n```\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\nTailscale ignores tag name case and parses all tags in the tailnet policy file as lowercase.\r\n\r\n### [Define tag owners](https://tailscale.com/docs/features/tags\\#define-tag-owners)\r\n\r\nYou must explicitly define who can use a tag to grant its permissions on a device. You can define tag owners in the [`tagOwners`](https://tailscale.com/docs/reference/syntax/policy-file#tag-owners) section of the tailnet policy file.\r\n\r\nA tag can also have an empty list of owners in the tailnet policy file. All tags are implicitly owned by [Owners, Admins, and Network admins](https://tailscale.com/docs/reference/user-roles) of a tailnet. You can apply these tags to devices from the admin console and as part of an [auth key](https://tailscale.com/docs/features/access-control/auth-keys).\r\n\r\nThe following example shows the `tag:infrastructure` with no tag owners.\r\n\r\n```json\r\n{\r\n  \"tagOwners\": {\r\n    \"tag:server\": [\"dave@tailscale.com\"],\r\n    \"tag:infrastructure\": [], // No tag owners defined\r\n  }\r\n}\r\n```\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\n### [Apply a tag to a device](https://tailscale.com/docs/features/tags\\#apply-a-tag-to-a-device)\r\n\r\nYou can tag devices using the admin console, the [Tailscale CLI](https://tailscale.com/docs/reference/tailscale-cli), or the Tailscale API.\r\n\r\nWhen you re-authenticate and tag a device, it generates a new [node key](https://tailscale.com/docs/concepts/node-keys) for the device. The [Tailscale IP address](https://tailscale.com/docs/concepts/tailscale-ip-addresses) for the device does not change.\r\n\r\n#### [Apply a tag to a device in the admin console](https://tailscale.com/docs/features/tags\\#apply-a-tag-to-a-device-in-the-admin-console)\r\n\r\nYou must be an [Owner, Admin, or Network admin](https://tailscale.com/docs/reference/user-roles) of a tailnet to tag a device from the [admin console](https://login.tailscale.com/admin). You don't need to re-authenticate because the current user is automatically used to authenticate the device.\r\n\r\nTo tag a device from the admin console:\r\n\r\n1. Open the [Machines](https://login.tailscale.com/admin/machines) page in the admin console.\r\n2. Find the row corresponding to the device you are interested in.\r\n3. Select on the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu at the far right, then select the **Edit tags** option.\r\n4. Add, change, or remove desired tags. To apply a tag, it must already exist in the [tailnet policy file](https://tailscale.com/docs/reference/glossary#tailnet-policy-file).\r\n5. Select **Save** to apply tags.\r\n\r\n[Owners, Admins, and Network admins](https://tailscale.com/docs/reference/user-roles) can apply any tag from the admin console even if they don't own the tag.\r\n\r\nYou cannot remove all tags from a tagged device in the admin console because the device must have an identity. Either assign the device a new tag or re-authenticate to Tailscale from the device.\r\n\r\n#### [Apply a tag to a device with the CLI](https://tailscale.com/docs/features/tags\\#apply-a-tag-to-a-device-with-the-cli)\r\n\r\nYou can use the [Tailscale CLI](https://tailscale.com/docs/reference/tailscale-cli) to add and remove tags from devices running Linux, macOS, or Windows. To tag other devices, use the admin console.\r\n\r\nTo assign tags to a device using the CLI, run `tailscale login` command with the `--advertise-tags=tag:<tag-name>` flag.\r\n\r\n```shell\r\nsudo tailscale login --advertise-tags=tag:server\r\n```\r\n\r\nTo assign multiple tags to a device, pass multiple tags (separated with commas) to the `--advertise-tags` flag.\r\n\r\n```shell\r\nsudo tailscale login --advertise-tags=tag:server,tag:development\r\n```\r\n\r\nTo remove all tags from a device, use the `--advertise-tags=` flag without any values.\r\n\r\n```shell\r\nsudo tailscale login --advertise-tags=\r\n```\r\n\r\nYou cannot remove tags using the `--advertise-tags` flag if the device uses an auth key. Instead, generate a new auth key with the new set of tags.\r\n\r\nYou might need to change the signed-in user on the device if it's already authenticated with another user. To re-authenticate with the current user, add the `--force-reauth` flag to the `tailscale up` command:\r\n\r\n```shell\r\nsudo tailscale up --advertise-tags=tag:server --force-reauth\r\n```\r\n\r\n#### [Apply a tag to a device using the API](https://tailscale.com/docs/features/tags\\#apply-a-tag-to-a-device-using-the-api)\r\n\r\nYou can apply a tag to a device using the [Update device tags](https://tailscale.com/api#tag/devices/POST/device/%7BdeviceId%7D/tags) method from the [Tailscale API](https://tailscale.com/docs/reference/tailscale-api).\r\n\r\nTo apply a tag this way, send a `POST` request for a device, with the body specifying the desired `tags`. For example:\r\n\r\n```shell\r\ncurl https://api.tailscale.com/api/v2/device/11055/tags \\\r\n-u \"tskey-<key>\" \\\r\n-H \"Content-Type: application/json\" \\\r\n--data-binary '{\"tags\": [\"tag:foo\", \"tag:bar\"]}'\r\n```\r\n\r\n### [Apply a tag from another tag](https://tailscale.com/docs/features/tags\\#apply-a-tag-from-another-tag)\r\n\r\nYou can apply different tags from those in the [auth key](https://tailscale.com/docs/features/access-control/auth-keys) when you authenticate. However, doing so replaces the device's existing tags.\r\n\r\n**Important for OAuth authentication**: When an OAuth client or auth key assigns tags to a device, the requested tags must either exactly match the full set of tags on the OAuth client or auth key, or each requested tag must be owned by one of the authenticating entity's tags as defined in the `tagOwners` section. The exact-match check does not consult `tagOwners`—it merely verifies the requested tags are identical to the authenticating tags. For any other combination, including applying a subset of tags, ownership must be explicitly configured in `tagOwners`.\r\n\r\nApplying a tag from another tag is useful for larger infrastructure deployments, where you might need to tag many servers, typically using a deployment tool. For example, you could have your deployment system tagged with `tag:deployment-1`, which owns both `tag:prod-2` and `tag:test-2`:\r\n\r\n```json\r\n  \"TagOwners\": {\r\n    \"tag:deployment-1\": [\"alice@tailscale.com\"],\r\n    \"tag:prod-2\": [\"tag:deployment-1\"],\r\n    \"tag:test-2\": [\"tag:deployment-1\"],\r\n  },\r\n```\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\nIn this configuration, an OAuth client with `tag:deployment-1` can apply either `tag:prod-2` or `tag:test-2` to devices. An OAuth client whose only tag is `tag:prod-2` can also apply `tag:prod-2`, since the tags are an exact match. However, if an OAuth client holds multiple tags and needs to apply only a subset of them, each requested tag must be owned by one of the authenticating tags. To support this, add the tag as its own owner:\r\n\r\n```json\r\n  \"TagOwners\": {\r\n    \"tag:deployment-1\": [\"alice@tailscale.com\"],\r\n    \"tag:prod-2\": [\"tag:deployment-1\", \"tag:prod-2\"],\r\n    \"tag:test-2\": [\"tag:deployment-1\", \"tag:test-2\"],\r\n  },\r\n```\r\n\r\nYou can use the [visual policy editor](https://tailscale.com/docs/features/visual-editor) to manage your tailnet policy file. Refer to the [visual editor reference](https://tailscale.com/docs/reference/visual-editor) for guidance on using the visual editor.\r\n\r\nYou could generate an [auth key](https://tailscale.com/docs/features/access-control/auth-keys)`<key-1>` with the tag `tag:deployment-1`, and make it available to the deployment tool. Then, depending on what workload you deploy, the system authenticates the device and applies the correct infrastructure tag, which enforces the correct [access controls](https://tailscale.com/docs/features/access-control). When spinning up a new production server, the deployment tool could tag the device as `tag:prod-2`:\r\n\r\n```shell\r\nsudo tailscale up --auth-key=<key-1> --advertise-tags=tag:prod-2\r\n```\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Group devices with tags</h1>\n<p>Last validated: Dec 4, 2025</p>\n<p>Tagsare available for <a href=\"https://tailscale.com/pricing\">all plans</a>.</p>\n<p>All plans include 50 tagged devices. If you need more than 50 tagged devices, contact our <a href=\"https://tailscale.com/contact/sales\">Sales team</a>.</p>\n<p>Tailscale tags are how you authenticate and identify non-user devices, such as servers and <a href=\"https://tailscale.com/docs/features/ephemeral-nodes\">ephemeral nodes</a>. They serve two primary purposes: to provide an identity to non-user devices and to let you manage <a href=\"https://tailscale.com/docs/features/access-control\">access control policies</a> based on <em>purpose</em>. In this context, a purpose could be anything from hosting a web server to serving as a <a href=\"https://tailscale.com/docs/features/subnet-routers\">subnet router</a> for employees in a specific geographic location.</p>\n<p>Tags are essentially service accounts, but with more flexibility⎯you can assign multiple tags to a device to account for multiple purposes. For example, you might have a device that runs a PostgreSQL database and serves as a web server for internal access. In such a scenario, you could assign the device the following tags (each of which you could target individually using access control policies): <code>tag:postgresql</code>, <code>tag:internal-access</code>, and <code>tag:web-server</code>.</p>\n<p>Other key characteristics of tags include:</p>\n<ul>\n<li>Applying a tag to a device removes any user-based authentication.</li>\n<li>Each non-user device can have as many tags as you need.</li>\n<li>Tags are defined in the tailnet policy file in the <code>tagOwners</code> section.</li>\n<li>Only designated tag owners can apply tags to devices; each tag can have as many owners as necessary.</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/features/tags#requirements\">Requirements</a></h2>\n<p>Tags are a free feature and are available for all pricing plans. However, you must have permission to perform some tag-related operations:</p>\n<ul>\n<li>You must be an <a href=\"https://tailscale.com/docs/reference/user-roles\">Owner, Admin, or Network admin</a> of a tailnet to define a tag in the tailnet policy file.</li>\n<li>You must be a tag owner to assign a tag to a device. <a href=\"https://tailscale.com/docs/reference/user-roles\">Owner, Admin, or Network admin</a> can apply any tag, even if they don't own the tag.</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/features/tags#limitations\">Limitations</a></h2>\n<p>Tags have the following limitations and restrictions:</p>\n<ul>\n<li>You cannot remove all tags from a device. A device with a tag-based identity must have at least one tag.</li>\n<li>You cannot remove tags using the <code>--advertise-tags</code> flag if the device uses an auth key. Instead, generate a new auth key with the latest set of tags.</li>\n<li><a href=\"https://tailscale.com/docs/features/tailnet-policy-file/ip-sets\">IP sets</a> do not support tags.</li>\n<li>Devices with a tag-based identity can only SSH into other tagged devices; they cannot SSH into devices with a user-based identity.</li>\n<li>Some restrictions exist around using tags to define a group or as the SSH source.</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/features/tags#use-cases\">Use cases</a></h2>\n<p>Tags are ideal for managing devices you don't want to link to a specific user (such as a server hosting a web application) because removing a user also removes all their devices. If you link a service-providing device to a user, you lose that device if you remove the user. Removing a user won't affect the device if you use tags to manage the device instead. Do not use tags to associate a user device with a user account. Tags are not designed to tie individual users to a device. They're intended to manage devices with service account roles. Using tags as a substitute for users poses a security risk because the user's devices will remain on your network even if you remove the user.</p>\n<p>Tags provide a way to allow multiple users to manage a device. When you manage devices with users, you must link each device to a single user, which isn't ideal for devices that host shared resources. However, when you manage devices with tags, you can assign one or more users as tag owners with tags. These users can manage all the devices with the tags they own.</p>\n<p><strong>Warnings about tags</strong></p>\n<p>Only use tags for non-human machines. Users can only access and use Tailscale through their designated user accounts. Using tags to annotate user devices is poor practice because a device cannot simultaneously have a user and a tag. Adding a tag to a device removes the associated user. Devices can have tags or a user account, not both.</p>\n<p>Use tags to:</p>\n<ul>\n<li>Manage devices you don't have tied to a specific user (such as a server hosting a web application).</li>\n<li>Manage devices you want to allow multiple users to manage.</li>\n</ul>\n<p>Do not use tags to:</p>\n<ul>\n<li>Annotate user devices.</li>\n<li>Link a user device with a user.</li>\n<li>Authenticate end-user devices, such as laptops or mobile devices.</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/features/tags#ownership\">Ownership</a></h2>\n<p>There's no \"tag\" section of the tailnet policy file. Instead, you define tags by their owners in the <code>tagOwners</code> section of the tailnet policy file. Only owners of a tag can apply that tag to devices in your Tailscale network (known as a tailnet). Tag owners can be users, groups, or even other tags, which means you can create complex tag <a href=\"https://tailscale.com/docs/features/tags#advanced-tag-hierarchies\">ownership hierarchies</a>.</p>\n<p>A tagged device's identity is the combination of all its tags (not the intersection). You can assign any number of tags to a device and manage the permissions for each tag separately. For example, if you have a device with the tags <code>tag:postgresql</code>, <code>tag:prod</code>, and <code>tag:ci-cd</code>, an access control policy for any one of these tags would apply to the device.</p>\n<p><a href=\"https://tailscale.com/docs/reference/user-roles\">Owner, Admin, or Network admin</a> can apply any tag, even if they aren't tag owners.</p>\n<h2><a href=\"https://tailscale.com/docs/features/tags#tag-vs-user-authentication\">Tag vs. user authentication</a></h2>\n<p>Tags are parallel to user authentication. They serve the same role as a user account, except they're intended for service-based devices, such as a web server or an app connector. As a result, it's impossible for a user account identity and a tag identity to exist on the same device. Applying a tag to a device previously authenticated with a user account removes the user account. Similarly, authenticating a device with a user account removes all tags from the device.</p>\n<p>Because tags are for non-user devices, they have qualities and limitations that make them unsuitable for authenticating end-user devices, such as a MacBook or a mobile device. For example, devices with a tag-based identity cannot use SSH to connect to a device with a user-based identity.</p>\n<h2><a href=\"https://tailscale.com/docs/features/tags#key-expiry\">Key expiry</a></h2>\n<p>When you apply a tag to a device for the first time and authenticate it, the tagged device's key expiry is disabled by default.</p>\n<p>If you re-authenticate a device tagged before March 10, 2022, its expiry will be disabled by default.</p>\n<p>If you change the tags on the device from the admin console, <a href=\"https://tailscale.com/docs/reference/tailscale-cli\">Tailscale CLI</a>, or the <a href=\"https://tailscale.com/docs/reference/tailscale-api\">Tailscale API</a>, the device's key expiry will not change unless you re-authenticate. After you re-authenticate, Tailscale disables the device's key expiry.</p>\n<p>You can enable or disable key expiry on a device from the <a href=\"https://login.tailscale.com/admin/machines\">Machines</a> page of the admin console or by using the Tailscale API.</p>\n<h2><a href=\"https://tailscale.com/docs/features/tags#tags-in-the-tailscale-ecosystem\">Tags in the Tailscale ecosystem</a></h2>\n<p>Like many aspects of a tailnet, you can define and manage tags in the tailnet policy file. While limitations prevent you from using them to authenticate end-user devices, they work seamlessly with nearly every other Tailscale feature, including exit nodes, subnet routers, app connectors, access control lists, and grants.</p>\n<h3><a href=\"https://tailscale.com/docs/features/tags#exit-nodes\">Exit nodes</a></h3>\n<p>Using a device as an <a href=\"https://tailscale.com/docs/features/exit-nodes\">exit node</a> means that other tailnet devices can choose to route all their internet traffic through that device. Routing all traffic through an exit node lets you encrypt internet traffic and access internal networks. For example, you could run a device as an exit node in a corporate office. That way, employees can access the corporate office's internal network when they use that exit node. Although end-user devices can function as exit nodes, it's more common for exit nodes to use a tag-based identity.</p>\n<h3><a href=\"https://tailscale.com/docs/features/tags#subnet-routers\">Subnet routers</a></h3>\n<p>A <a href=\"https://tailscale.com/docs/features/subnet-routers\">subnet router</a> is a tailnet device you use to advertise subnet routes to the rest of your tailnet. They're a great way to add entire subnets to your tailnet without installing the Tailscale client to any of the devices (except the subnet router). Although end-user devices can function as subnet routers, it's more common for subnet routers to use a tag-based identity.</p>\n<h3><a href=\"https://tailscale.com/docs/features/tags#app-connectors\">App connectors</a></h3>\n<p>An <a href=\"https://tailscale.com/docs/features/app-connectors\">app connector</a> is a device that routes app-specific traffic in your tailnet. A device running as an app connector is strictly a service-based device. As a result, you must use a tag-based identity to authenticate a device you plan to use as an app connector.</p>\n<h3><a href=\"https://tailscale.com/docs/features/tags#access-controls\">Access controls</a></h3>\n<p>You can use tags to select and target service-based devices in your tailnet to create access control policies using ACLs and grants. Because Tailscale can identify tagged devices by any one of their assigned tags, the access control policies that apply to a device with many tags could become complex. As a result, it's best practice to maintain clear documentation of how you leverage and manage tags in your tailnet.</p>\n<h4><a href=\"https://tailscale.com/docs/features/tags#acls\">ACLs</a></h4>\n<p>You can use tags as part of <a href=\"https://tailscale.com/docs/features/access-control/acls\">access control lists (ACLs)</a> to make it easier to manage which types of devices should be able to communicate. For example, you might use a tag named <code>tag:prod</code> for production servers and production databases, then allow all devices with the <code>tag:prod</code> tag to communicate with each other.</p>\n<p>The following example <a href=\"https://tailscale.com/docs/reference/glossary#tailnet-policy-file\">tailnet policy file</a> lets all devices tagged <code>tag:prod</code> communicate with each other.</p>\n<pre><code class=\"language-json\">{\r\n  \"acls\": [\\\r\n    {\\\r\n      \"action\": \"accept\",\\\r\n      \"src\": [\"tag:prod\"],\\\r\n      \"dst\": [\"tag:prod:*\"],\\\r\n    },\\\r\n  ],\r\n}\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<p>You can also ensure that the ACLs for your tagged devices work as expected with <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tests\">tests</a>, which verify your tailnet policy file before saving and applying it.</p>\n<p>For example, to verify that your tailnet policy file lets users in the <code>tag:sre</code> group to access devices tagged <code>tag:prod</code>, you might write an ACL like the following example:</p>\n<pre><code class=\"language-json\">\"tests\": [\\\r\n  {\\\r\n    \"src\": \"group:sre\",\\\r\n    \"accept\": [\"tag:prod:1234\"],\\\r\n  },\\\r\n],\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<h4><a href=\"https://tailscale.com/docs/features/tags#grants\">Grants</a></h4>\n<p>Like ACLs, you can use tags in grants to target a group of tagged devices. The following example grants devices with the <code>tag:prod</code> tag access to devices with the <code>tag:tailsql</code> tag.</p>\n<pre><code class=\"language-json\">{\r\n  \"grants\": [\\\r\n    {\\\r\n      \"src\": [\"tag:prod\"],\\\r\n      \"dst\": [\"tag:tailsql\"],\\\r\n      \"ip\": [\"*\"]\\\r\n    }\\\r\n  ]\r\n}\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<h3><a href=\"https://tailscale.com/docs/features/tags#autogroups\">Autogroups</a></h3>\n<p><a href=\"https://tailscale.com/docs/reference/targets-and-selectors\">Autogroups</a> are pre-defined groups of devices in your tailnet that would be difficult to create as custom groups. One of these autogroups is <code>autogroup:tagged</code>, which selects all devices with a tag-based identity.</p>\n<p>You cannot use <code>autogroup:tagged</code> to define an IP set or a custom group.</p>\n<h2><a href=\"https://tailscale.com/docs/features/tags#advanced-tag-hierarchies\">Advanced tag hierarchies</a></h2>\n<p>Designating tag owners is flexible by design. You can assign as many tag owners as you need to a device, and these tag owners can be users, groups, or other tags. Because you can assign a tag as an owner of another tag, it's possible to create complex hierarchies of tag ownership. As a result, it's best practice to maintain clear documentation of how you use tags and to audit tags using tools such as <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tests\">access control policy tests</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/features/tags#best-practices\">Best practices</a></h2>\n<p>To leverage tags effectively, consider the following best practices:</p>\n<ul>\n<li><strong>Define clear naming conventions for tags</strong>. Ideally, tag names should follow a consistent and descriptive pattern throughout your tailnet. Defining and enforcing a naming convention early on reduces the likelihood of problems such as ambiguous tag names later on. For example, a tag named \"foo-bar\" doesn't tell you anything about what the tag is intended for, but a tag name \"prod-postgresql-server\" tells you that the tag is for PostgreSQL servers in a production environment. However, even with descriptive names, it's a good idea to document your organization's tag conventions.</li>\n<li><strong>Use auth keys</strong>. By using <a href=\"https://tailscale.com/docs/features/access-control/auth-keys\">auth keys</a> with pre-assigned tags, you can streamline the process of authenticating and approving tagged devices.</li>\n<li><strong>Don't use tags to authenticate user-owned devices</strong>. Tags are intended to authenticate servers and devices that provide a service, which means they have qualities that make them unsuitable for end-user devices, such as a MacBook or an Android phone. Additionally, a device cannot simultaneously use tag-based and user-based identities. Adding a tag to a previously user-authenticated device removes the user's identity.</li>\n<li><strong>Carefully consider each tag's owners</strong>. Tags are defined by their owners in the <code>tagOwners</code> section of the tailnet policy file. Because of their flexibility and the ability for a tag to own another tag, tags can take on <a href=\"https://tailscale.com/docs/features/tags#advanced-tag-hierarchies\">complex ownership hierarchies</a>.</li>\n</ul>\n<h3><a href=\"https://tailscale.com/docs/features/tags#common-patterns-for-tag-names\">Common patterns for tag names</a></h3>\n<p>Tags let you reflect access patterns and network segments based on your organization's requirements. These access patterns and network segments usually fall into a few common categories. Use consistent patterns for tag names based on these categories to make your access control policies easier to understand and maintain over time. Some common categories of access to consider in your tag names are:</p>\n<ul>\n<li><strong>Server role</strong>: for example, application server, database, or queue.</li>\n<li><strong>Application name</strong>: for example, support console, finance reporting, or operations dashboard.</li>\n<li><strong>Environment</strong>: for example, production, staging, or development</li>\n<li><strong>Location</strong>: for example, Americas, EMEA, South Asia.</li>\n</ul>\n<p>While a device can have many tags assigned to it, tags are not \"joined\" for access rules. For example, you cannot define a rule that permits access to devices with both <code>tag:prod</code> and <code>tag:database</code>. Instead, you can use a composite tag such as <code>tag:prod-database</code> to represent this type of segmented access pattern. Below are some examples of composite tags.</p>\n<p>| <strong>Tag</strong> | <strong>Access control</strong> |\r\n| --- | --- |\r\n| <code>tag:prod-app</code> | To production application servers |\r\n| <code>tag:nonprod-db</code> | To non-production database servers |\r\n| <code>tag:prod-app-finance-reporting</code> | To the production finance reporting application |\r\n| <code>tag:prod-emea-app-support-console</code> | To the production support console application in EMEA |\r\n| <code>tag:prod-asiasouth-ingest-logging</code> | To the production logging ingest endpoint in South Asia. |</p>\n<h2><a href=\"https://tailscale.com/docs/features/tags#working-with-tags\">Working with tags</a></h2>\n<p>Use the following sections to find more information about working with tags:</p>\n<ul>\n<li><a href=\"https://tailscale.com/docs/features/tags#define-a-tag\">Define a tag</a>.</li>\n<li><a href=\"https://tailscale.com/docs/features/tags#define-tag-owners\">Define tag owners</a>.</li>\n<li><a href=\"https://tailscale.com/docs/features/tags#apply-a-tag-to-a-device\">Apply tags to a device</a>.</li>\n<li><a href=\"https://tailscale.com/docs/features/tags#apply-a-tag-from-another-tag\">Apply a tag from another tag</a>.</li>\n</ul>\n<h3><a href=\"https://tailscale.com/docs/features/tags#define-a-tag\">Define a tag</a></h3>\n<p>Before assigning a tag to a device, you must create the tag in the <a href=\"https://tailscale.com/docs/reference/syntax/policy-file\">tailnet policy file</a> and define who can use that tag to authenticate devices. You create a tag by defining it in the <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tag-owners\"><code>tagOwners</code></a> section of the tailnet policy file.</p>\n<p>The following example creates the tag <code>tag:server</code> and assigns <code>dave@example.com</code> as the sole owner. Only the tag owner can apply the tag.</p>\n<pre><code class=\"language-json\">{\r\n  \"tagOwners\": {\r\n    \"tag:server\": [\"dave@example.com\"], // dave@example.com can authenticate devices with the tag:server tag\r\n  }\r\n}\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<p>Tailscale ignores tag name case and parses all tags in the tailnet policy file as lowercase.</p>\n<h3><a href=\"https://tailscale.com/docs/features/tags#define-tag-owners\">Define tag owners</a></h3>\n<p>You must explicitly define who can use a tag to grant its permissions on a device. You can define tag owners in the <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#tag-owners\"><code>tagOwners</code></a> section of the tailnet policy file.</p>\n<p>A tag can also have an empty list of owners in the tailnet policy file. All tags are implicitly owned by <a href=\"https://tailscale.com/docs/reference/user-roles\">Owners, Admins, and Network admins</a> of a tailnet. You can apply these tags to devices from the admin console and as part of an <a href=\"https://tailscale.com/docs/features/access-control/auth-keys\">auth key</a>.</p>\n<p>The following example shows the <code>tag:infrastructure</code> with no tag owners.</p>\n<pre><code class=\"language-json\">{\r\n  \"tagOwners\": {\r\n    \"tag:server\": [\"dave@tailscale.com\"],\r\n    \"tag:infrastructure\": [], // No tag owners defined\r\n  }\r\n}\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<h3><a href=\"https://tailscale.com/docs/features/tags#apply-a-tag-to-a-device\">Apply a tag to a device</a></h3>\n<p>You can tag devices using the admin console, the <a href=\"https://tailscale.com/docs/reference/tailscale-cli\">Tailscale CLI</a>, or the Tailscale API.</p>\n<p>When you re-authenticate and tag a device, it generates a new <a href=\"https://tailscale.com/docs/concepts/node-keys\">node key</a> for the device. The <a href=\"https://tailscale.com/docs/concepts/tailscale-ip-addresses\">Tailscale IP address</a> for the device does not change.</p>\n<h4><a href=\"https://tailscale.com/docs/features/tags#apply-a-tag-to-a-device-in-the-admin-console\">Apply a tag to a device in the admin console</a></h4>\n<p>You must be an <a href=\"https://tailscale.com/docs/reference/user-roles\">Owner, Admin, or Network admin</a> of a tailnet to tag a device from the <a href=\"https://login.tailscale.com/admin\">admin console</a>. You don't need to re-authenticate because the current user is automatically used to authenticate the device.</p>\n<p>To tag a device from the admin console:</p>\n<ol>\n<li>Open the <a href=\"https://login.tailscale.com/admin/machines\">Machines</a> page in the admin console.</li>\n<li>Find the row corresponding to the device you are interested in.</li>\n<li>Select on the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu at the far right, then select the <strong>Edit tags</strong> option.</li>\n<li>Add, change, or remove desired tags. To apply a tag, it must already exist in the <a href=\"https://tailscale.com/docs/reference/glossary#tailnet-policy-file\">tailnet policy file</a>.</li>\n<li>Select <strong>Save</strong> to apply tags.</li>\n</ol>\n<p><a href=\"https://tailscale.com/docs/reference/user-roles\">Owners, Admins, and Network admins</a> can apply any tag from the admin console even if they don't own the tag.</p>\n<p>You cannot remove all tags from a tagged device in the admin console because the device must have an identity. Either assign the device a new tag or re-authenticate to Tailscale from the device.</p>\n<h4><a href=\"https://tailscale.com/docs/features/tags#apply-a-tag-to-a-device-with-the-cli\">Apply a tag to a device with the CLI</a></h4>\n<p>You can use the <a href=\"https://tailscale.com/docs/reference/tailscale-cli\">Tailscale CLI</a> to add and remove tags from devices running Linux, macOS, or Windows. To tag other devices, use the admin console.</p>\n<p>To assign tags to a device using the CLI, run <code>tailscale login</code> command with the <code>--advertise-tags=tag:&#x3C;tag-name></code> flag.</p>\n<pre><code class=\"language-shell\">sudo tailscale login --advertise-tags=tag:server\n</code></pre>\n<p>To assign multiple tags to a device, pass multiple tags (separated with commas) to the <code>--advertise-tags</code> flag.</p>\n<pre><code class=\"language-shell\">sudo tailscale login --advertise-tags=tag:server,tag:development\n</code></pre>\n<p>To remove all tags from a device, use the <code>--advertise-tags=</code> flag without any values.</p>\n<pre><code class=\"language-shell\">sudo tailscale login --advertise-tags=\n</code></pre>\n<p>You cannot remove tags using the <code>--advertise-tags</code> flag if the device uses an auth key. Instead, generate a new auth key with the new set of tags.</p>\n<p>You might need to change the signed-in user on the device if it's already authenticated with another user. To re-authenticate with the current user, add the <code>--force-reauth</code> flag to the <code>tailscale up</code> command:</p>\n<pre><code class=\"language-shell\">sudo tailscale up --advertise-tags=tag:server --force-reauth\n</code></pre>\n<h4><a href=\"https://tailscale.com/docs/features/tags#apply-a-tag-to-a-device-using-the-api\">Apply a tag to a device using the API</a></h4>\n<p>You can apply a tag to a device using the <a href=\"https://tailscale.com/api#tag/devices/POST/device/%7BdeviceId%7D/tags\">Update device tags</a> method from the <a href=\"https://tailscale.com/docs/reference/tailscale-api\">Tailscale API</a>.</p>\n<p>To apply a tag this way, send a <code>POST</code> request for a device, with the body specifying the desired <code>tags</code>. For example:</p>\n<pre><code class=\"language-shell\">curl https://api.tailscale.com/api/v2/device/11055/tags \\\r\n-u \"tskey-&#x3C;key>\" \\\r\n-H \"Content-Type: application/json\" \\\r\n--data-binary '{\"tags\": [\"tag:foo\", \"tag:bar\"]}'\n</code></pre>\n<h3><a href=\"https://tailscale.com/docs/features/tags#apply-a-tag-from-another-tag\">Apply a tag from another tag</a></h3>\n<p>You can apply different tags from those in the <a href=\"https://tailscale.com/docs/features/access-control/auth-keys\">auth key</a> when you authenticate. However, doing so replaces the device's existing tags.</p>\n<p><strong>Important for OAuth authentication</strong>: When an OAuth client or auth key assigns tags to a device, the requested tags must either exactly match the full set of tags on the OAuth client or auth key, or each requested tag must be owned by one of the authenticating entity's tags as defined in the <code>tagOwners</code> section. The exact-match check does not consult <code>tagOwners</code>—it merely verifies the requested tags are identical to the authenticating tags. For any other combination, including applying a subset of tags, ownership must be explicitly configured in <code>tagOwners</code>.</p>\n<p>Applying a tag from another tag is useful for larger infrastructure deployments, where you might need to tag many servers, typically using a deployment tool. For example, you could have your deployment system tagged with <code>tag:deployment-1</code>, which owns both <code>tag:prod-2</code> and <code>tag:test-2</code>:</p>\n<pre><code class=\"language-json\">  \"TagOwners\": {\r\n    \"tag:deployment-1\": [\"alice@tailscale.com\"],\r\n    \"tag:prod-2\": [\"tag:deployment-1\"],\r\n    \"tag:test-2\": [\"tag:deployment-1\"],\r\n  },\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<p>In this configuration, an OAuth client with <code>tag:deployment-1</code> can apply either <code>tag:prod-2</code> or <code>tag:test-2</code> to devices. An OAuth client whose only tag is <code>tag:prod-2</code> can also apply <code>tag:prod-2</code>, since the tags are an exact match. However, if an OAuth client holds multiple tags and needs to apply only a subset of them, each requested tag must be owned by one of the authenticating tags. To support this, add the tag as its own owner:</p>\n<pre><code class=\"language-json\">  \"TagOwners\": {\r\n    \"tag:deployment-1\": [\"alice@tailscale.com\"],\r\n    \"tag:prod-2\": [\"tag:deployment-1\", \"tag:prod-2\"],\r\n    \"tag:test-2\": [\"tag:deployment-1\", \"tag:test-2\"],\r\n  },\n</code></pre>\n<p>You can use the <a href=\"https://tailscale.com/docs/features/visual-editor\">visual policy editor</a> to manage your tailnet policy file. Refer to the <a href=\"https://tailscale.com/docs/reference/visual-editor\">visual editor reference</a> for guidance on using the visual editor.</p>\n<p>You could generate an <a href=\"https://tailscale.com/docs/features/access-control/auth-keys\">auth key</a><code>&#x3C;key-1></code> with the tag <code>tag:deployment-1</code>, and make it available to the deployment tool. Then, depending on what workload you deploy, the system authenticates the device and applies the correct infrastructure tag, which enforces the correct <a href=\"https://tailscale.com/docs/features/access-control\">access controls</a>. When spinning up a new production server, the deployment tool could tag the device as <code>tag:prod-2</code>:</p>\n<pre><code class=\"language-shell\">sudo tailscale up --auth-key=&#x3C;key-1> --advertise-tags=tag:prod-2\n</code></pre>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}