{"slug":"key-and-secret-management","title":"Key and secret management","tags":["tailscale"],"agent_summary":"Last validated: Jan 5, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Key and secret management\r\n\r\nLast validated: Jan 5, 2026\r\n\r\nYou can set up various types of keys and secrets for securely connecting to resources in your Tailscale network (known as a tailnet). This topic explains the fundamentals of managing each kind of key and secret that we provide.\r\n\r\nFor more in-depth information on tailnet security, refer to [Best practices to secure your tailnet](https://tailscale.com/docs/reference/best-practices/security).\r\n\r\n## [Keys and secrets best practices](https://tailscale.com/docs/reference/key-secret-management\\#keys-and-secrets-best-practices)\r\n\r\nEnsure you keep your keys and secrets secure. Make sure to copy your keys and secrets into a password manager as soon as they are generated and displayed. The secrets will only be displayed once in their entirety. If you don't copy it down, you will need to generate a new key or secret.\r\n\r\nMake sure you are aware of the key expiry for each key type, and manage them accordingly. [System for Cross-domain Identity Management (SCIM)](https://tailscale.com/learn/what-is-scim) API keys and webhook endpoint secrets do not expire.\r\n\r\nWe strongly recommend that you use a secrets manager or consult with your cloud provider for directions for securely storing your keys and secrets. **Do not store sensitive information such as an OAuth client or API access token in source control.**\r\n\r\n## [Key prefixes](https://tailscale.com/docs/reference/key-secret-management\\#key-prefixes)\r\n\r\nEach type of Tailscale-generated key contains a [key prefix](https://tailscale.com/docs/reference/key-prefixes) to help you distinguish the prefix type, such as `tskey-api` for API access tokens (sometimes called API keys) and `tskey-auth` for auth keys.\r\n\r\n## [Key and secret types](https://tailscale.com/docs/reference/key-secret-management\\#key-and-secret-types)\r\n\r\nAll Tailscale-generated keys and secrets are case-sensitive.\r\n\r\n### [API access tokens](https://tailscale.com/docs/reference/key-secret-management\\#api-access-tokens)\r\n\r\n[API access tokens](https://tailscale.com/docs/reference/tailscale-api) let you grant access to applications in your tailnet using the Tailscale API. You can generate and revoke your API access tokens (keys) in the [Keys](https://login.tailscale.com/admin/settings/keys) page of the admin console.\r\n\r\nTo create an API access token, open the [Keys](https://login.tailscale.com/admin/settings/keys) page of the admin console, go to the **API access tokens** section, then select **Generate access token**.\r\n\r\nTo revoke an API access token, open the [Keys](https://login.tailscale.com/admin/settings/keys) page of the admin console, go to the **API access tokens** section, then select **Revoke** next to the token that you want to delete.\r\n\r\n### [Auth keys](https://tailscale.com/docs/reference/key-secret-management\\#auth-keys)\r\n\r\n[Auth keys](https://tailscale.com/docs/features/access-control/auth-keys) let you authenticate a tagged device in your tailnet as an alternative to an interactive [single sign-on (SSO)](https://tailscale.com/docs/integrations/identity) session. You can generate and revoke auth keys in the [Keys](https://login.tailscale.com/admin/settings/keys) page of the admin console.\r\n\r\nTo create an auth key, refer to [Generating a key](https://tailscale.com/docs/features/access-control/auth-keys#generate-an-auth-key).\r\n\r\nTo revoke an auth key, refer to [Revoking a key](https://tailscale.com/docs/features/access-control/auth-keys#revoke-an-auth-key).\r\n\r\n### [OAuth clients](https://tailscale.com/docs/reference/key-secret-management\\#oauth-clients)\r\n\r\n[OAuth clients](https://tailscale.com/docs/features/oauth-clients) let you delegate and scope access for your Tailscale APIs. You can generate and revoke OAuth clients in the [Trust credentials](https://login.tailscale.com/admin/settings/trust-credentials) page of the admin console.\r\n\r\nTo create an OAuth key, refer to [Setting up an OAuth client](https://tailscale.com/docs/features/oauth-clients#setting-up-an-oauth-client).\r\n\r\nTo revoke an OAuth key, refer to [Revoke a trust credential](https://tailscale.com/docs/reference/trust-credentials#revoke-a-trust-credential).\r\n\r\n### [SCIM API keys](https://tailscale.com/docs/reference/key-secret-management\\#scim-api-keys)\r\n\r\nA SCIM API key lets you authenticate an identity provider, such as [Microsoft Entra ID](https://tailscale.com/docs/integrations/identity/entra/entra-id-scim#enable-provisioning) and [Okta](https://tailscale.com/docs/integrations/identity/okta/okta-scim#enable-provisioning), and your tailnet for [user & group provisioning](https://tailscale.com/docs/features/user-group-provisioning). A single SCIM API key is used for an entire tailnet and is administered in the [User management](https://login.tailscale.com/admin/settings/user-management) page of the admin console. User & group provisioning must be enabled to generate the SCIM API key. If you do not have user & group provisioning enabled in your tailnet, the **User & Group Provisioning** section will not display in the admin console.\r\n\r\nTo create a SCIM API key, open the [User management](https://login.tailscale.com/admin/settings/user-management) page of the admin console and select **Enable Provisioning**. Copy the generated key to the clipboard, then add the key in your Microsoft Entra ID or Okta provisioning settings.\r\n\r\nA SCIM API key should be revoked or regenerated when it is lost, the Microsoft Entra ID or Okta environment is compromised, or you've stopped using Microsoft Entra ID or Okta.\r\n\r\nTo revoke a SCIM API key, open the [User management](https://login.tailscale.com/admin/settings/user-management) page of the admin console, and select **Manage keys**. In the **Provisioning keys** dialog, select **Revoke**.\r\n\r\nTo generate a new SCIM API key, open the [User management](https://login.tailscale.com/admin/settings/user-management) page of the admin console, and select **Manage keys**. In the **Provisioning keys** dialog, select **Generate new key**.\r\n\r\n### [Webhook secrets](https://tailscale.com/docs/reference/key-secret-management\\#webhook-secrets)\r\n\r\n[Webhooks](https://tailscale.com/docs/features/webhooks) let you subscribe to tailnet [events](https://tailscale.com/docs/features/webhooks#events) that can automatically be sent to services such as Slack, Discord, and Mattermost. A webhook secret ensures webhook requests are coming from authorized users in the tailnet. You can generate, rotate, or delete webhook secrets for your endpoints in the [Webhooks](https://login.tailscale.com/admin/settings/webhooks) page of the admin console.\r\n\r\nTo create a webhook endpoint and secret, refer to [Setting up a webhook endpoint](https://tailscale.com/docs/features/webhooks#webhook-secret).\r\n\r\nTo delete a webhook endpoint, refer to [Deleting an endpoint](https://tailscale.com/docs/features/webhooks#deleting-an-endpoint). When an endpoint is deleted, the secret is also deleted.\r\n\r\nTo generate a new secret for an existing webhook, refer to [Rotating a webhook secret](https://tailscale.com/docs/features/webhooks#rotating-a-webhook-secret).\r\n\r\n## [Using logs and events](https://tailscale.com/docs/reference/key-secret-management\\#using-logs-and-events)\r\n\r\nYou can monitor your key and secret activity in the [Logs](https://login.tailscale.com/admin/logs) page of the admin consoles. For example, the \"Create API key\" event is generated when a new API access token or auth key is generated. You can also use [webhooks](https://tailscale.com/docs/features/webhooks) for automatic notifications when a key status changes.\r\n\r\nFor more about logged events in general, refer to [Configuration audit logging](https://tailscale.com/docs/features/logging/audit-logging).\r\n\r\nFor more about the types of events related to keys that are logged, refer to [Audit logging events](https://tailscale.com/docs/features/logging/audit-logging#events).\r\n\r\nFor more about the types of available webhook events for key activity notifications, refer to [Webhook events](https://tailscale.com/docs/features/webhooks#events).\r\n\r\n## [Key expiry](https://tailscale.com/docs/reference/key-secret-management\\#key-expiry)\r\n\r\nAPI access tokens, auth keys, and OAuth keys are generated with an expiry that you can adjust at the time they are generated. SCIM API keys and webhook endpoint secrets do not expire. As key expiry can vary across your different keys and types, make sure you are aware of the expiry day and provision accordingly for each key. For more information, refer to [Key expiry](https://tailscale.com/docs/features/access-control/key-expiry).\r\n\r\n## [Secret scanning](https://tailscale.com/docs/reference/key-secret-management\\#secret-scanning)\r\n\r\nTo help mitigate accidental disclosure and prevent fraudulent use, Tailscale partners with several companies to provide secret scanning of source code repositories and other data sources to find leaked Tailscale keys. For more information, refer to [Secret scanning](https://tailscale.com/docs/integrations/secret-scanning).\r\n\r\n## [Offboarding users](https://tailscale.com/docs/reference/key-secret-management\\#offboarding-users)\r\n\r\nWhile key and secret management are an important aspect of security, there are other things that you should take into account when removing users and devices from your tailnet. For more information, refer to [Offboarding users](https://tailscale.com/docs/features/sharing/how-to/offboard).\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Key and secret management</h1>\n<p>Last validated: Jan 5, 2026</p>\n<p>You can set up various types of keys and secrets for securely connecting to resources in your Tailscale network (known as a tailnet). This topic explains the fundamentals of managing each kind of key and secret that we provide.</p>\n<p>For more in-depth information on tailnet security, refer to <a href=\"https://tailscale.com/docs/reference/best-practices/security\">Best practices to secure your tailnet</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/key-secret-management#keys-and-secrets-best-practices\">Keys and secrets best practices</a></h2>\n<p>Ensure you keep your keys and secrets secure. Make sure to copy your keys and secrets into a password manager as soon as they are generated and displayed. The secrets will only be displayed once in their entirety. If you don't copy it down, you will need to generate a new key or secret.</p>\n<p>Make sure you are aware of the key expiry for each key type, and manage them accordingly. <a href=\"https://tailscale.com/learn/what-is-scim\">System for Cross-domain Identity Management (SCIM)</a> API keys and webhook endpoint secrets do not expire.</p>\n<p>We strongly recommend that you use a secrets manager or consult with your cloud provider for directions for securely storing your keys and secrets. <strong>Do not store sensitive information such as an OAuth client or API access token in source control.</strong></p>\n<h2><a href=\"https://tailscale.com/docs/reference/key-secret-management#key-prefixes\">Key prefixes</a></h2>\n<p>Each type of Tailscale-generated key contains a <a href=\"https://tailscale.com/docs/reference/key-prefixes\">key prefix</a> to help you distinguish the prefix type, such as <code>tskey-api</code> for API access tokens (sometimes called API keys) and <code>tskey-auth</code> for auth keys.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/key-secret-management#key-and-secret-types\">Key and secret types</a></h2>\n<p>All Tailscale-generated keys and secrets are case-sensitive.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/key-secret-management#api-access-tokens\">API access tokens</a></h3>\n<p><a href=\"https://tailscale.com/docs/reference/tailscale-api\">API access tokens</a> let you grant access to applications in your tailnet using the Tailscale API. You can generate and revoke your API access tokens (keys) in the <a href=\"https://login.tailscale.com/admin/settings/keys\">Keys</a> page of the admin console.</p>\n<p>To create an API access token, open the <a href=\"https://login.tailscale.com/admin/settings/keys\">Keys</a> page of the admin console, go to the <strong>API access tokens</strong> section, then select <strong>Generate access token</strong>.</p>\n<p>To revoke an API access token, open the <a href=\"https://login.tailscale.com/admin/settings/keys\">Keys</a> page of the admin console, go to the <strong>API access tokens</strong> section, then select <strong>Revoke</strong> next to the token that you want to delete.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/key-secret-management#auth-keys\">Auth keys</a></h3>\n<p><a href=\"https://tailscale.com/docs/features/access-control/auth-keys\">Auth keys</a> let you authenticate a tagged device in your tailnet as an alternative to an interactive <a href=\"https://tailscale.com/docs/integrations/identity\">single sign-on (SSO)</a> session. You can generate and revoke auth keys in the <a href=\"https://login.tailscale.com/admin/settings/keys\">Keys</a> page of the admin console.</p>\n<p>To create an auth key, refer to <a href=\"https://tailscale.com/docs/features/access-control/auth-keys#generate-an-auth-key\">Generating a key</a>.</p>\n<p>To revoke an auth key, refer to <a href=\"https://tailscale.com/docs/features/access-control/auth-keys#revoke-an-auth-key\">Revoking a key</a>.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/key-secret-management#oauth-clients\">OAuth clients</a></h3>\n<p><a href=\"https://tailscale.com/docs/features/oauth-clients\">OAuth clients</a> let you delegate and scope access for your Tailscale APIs. You can generate and revoke OAuth clients in the <a href=\"https://login.tailscale.com/admin/settings/trust-credentials\">Trust credentials</a> page of the admin console.</p>\n<p>To create an OAuth key, refer to <a href=\"https://tailscale.com/docs/features/oauth-clients#setting-up-an-oauth-client\">Setting up an OAuth client</a>.</p>\n<p>To revoke an OAuth key, refer to <a href=\"https://tailscale.com/docs/reference/trust-credentials#revoke-a-trust-credential\">Revoke a trust credential</a>.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/key-secret-management#scim-api-keys\">SCIM API keys</a></h3>\n<p>A SCIM API key lets you authenticate an identity provider, such as <a href=\"https://tailscale.com/docs/integrations/identity/entra/entra-id-scim#enable-provisioning\">Microsoft Entra ID</a> and <a href=\"https://tailscale.com/docs/integrations/identity/okta/okta-scim#enable-provisioning\">Okta</a>, and your tailnet for <a href=\"https://tailscale.com/docs/features/user-group-provisioning\">user &#x26; group provisioning</a>. A single SCIM API key is used for an entire tailnet and is administered in the <a href=\"https://login.tailscale.com/admin/settings/user-management\">User management</a> page of the admin console. User &#x26; group provisioning must be enabled to generate the SCIM API key. If you do not have user &#x26; group provisioning enabled in your tailnet, the <strong>User &#x26; Group Provisioning</strong> section will not display in the admin console.</p>\n<p>To create a SCIM API key, open the <a href=\"https://login.tailscale.com/admin/settings/user-management\">User management</a> page of the admin console and select <strong>Enable Provisioning</strong>. Copy the generated key to the clipboard, then add the key in your Microsoft Entra ID or Okta provisioning settings.</p>\n<p>A SCIM API key should be revoked or regenerated when it is lost, the Microsoft Entra ID or Okta environment is compromised, or you've stopped using Microsoft Entra ID or Okta.</p>\n<p>To revoke a SCIM API key, open the <a href=\"https://login.tailscale.com/admin/settings/user-management\">User management</a> page of the admin console, and select <strong>Manage keys</strong>. In the <strong>Provisioning keys</strong> dialog, select <strong>Revoke</strong>.</p>\n<p>To generate a new SCIM API key, open the <a href=\"https://login.tailscale.com/admin/settings/user-management\">User management</a> page of the admin console, and select <strong>Manage keys</strong>. In the <strong>Provisioning keys</strong> dialog, select <strong>Generate new key</strong>.</p>\n<h3><a href=\"https://tailscale.com/docs/reference/key-secret-management#webhook-secrets\">Webhook secrets</a></h3>\n<p><a href=\"https://tailscale.com/docs/features/webhooks\">Webhooks</a> let you subscribe to tailnet <a href=\"https://tailscale.com/docs/features/webhooks#events\">events</a> that can automatically be sent to services such as Slack, Discord, and Mattermost. A webhook secret ensures webhook requests are coming from authorized users in the tailnet. You can generate, rotate, or delete webhook secrets for your endpoints in the <a href=\"https://login.tailscale.com/admin/settings/webhooks\">Webhooks</a> page of the admin console.</p>\n<p>To create a webhook endpoint and secret, refer to <a href=\"https://tailscale.com/docs/features/webhooks#webhook-secret\">Setting up a webhook endpoint</a>.</p>\n<p>To delete a webhook endpoint, refer to <a href=\"https://tailscale.com/docs/features/webhooks#deleting-an-endpoint\">Deleting an endpoint</a>. When an endpoint is deleted, the secret is also deleted.</p>\n<p>To generate a new secret for an existing webhook, refer to <a href=\"https://tailscale.com/docs/features/webhooks#rotating-a-webhook-secret\">Rotating a webhook secret</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/key-secret-management#using-logs-and-events\">Using logs and events</a></h2>\n<p>You can monitor your key and secret activity in the <a href=\"https://login.tailscale.com/admin/logs\">Logs</a> page of the admin consoles. For example, the \"Create API key\" event is generated when a new API access token or auth key is generated. You can also use <a href=\"https://tailscale.com/docs/features/webhooks\">webhooks</a> for automatic notifications when a key status changes.</p>\n<p>For more about logged events in general, refer to <a href=\"https://tailscale.com/docs/features/logging/audit-logging\">Configuration audit logging</a>.</p>\n<p>For more about the types of events related to keys that are logged, refer to <a href=\"https://tailscale.com/docs/features/logging/audit-logging#events\">Audit logging events</a>.</p>\n<p>For more about the types of available webhook events for key activity notifications, refer to <a href=\"https://tailscale.com/docs/features/webhooks#events\">Webhook events</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/key-secret-management#key-expiry\">Key expiry</a></h2>\n<p>API access tokens, auth keys, and OAuth keys are generated with an expiry that you can adjust at the time they are generated. SCIM API keys and webhook endpoint secrets do not expire. As key expiry can vary across your different keys and types, make sure you are aware of the expiry day and provision accordingly for each key. For more information, refer to <a href=\"https://tailscale.com/docs/features/access-control/key-expiry\">Key expiry</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/key-secret-management#secret-scanning\">Secret scanning</a></h2>\n<p>To help mitigate accidental disclosure and prevent fraudulent use, Tailscale partners with several companies to provide secret scanning of source code repositories and other data sources to find leaked Tailscale keys. For more information, refer to <a href=\"https://tailscale.com/docs/integrations/secret-scanning\">Secret scanning</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/reference/key-secret-management#offboarding-users\">Offboarding users</a></h2>\n<p>While key and secret management are an important aspect of security, there are other things that you should take into account when removing users and devices from your tailnet. For more information, refer to <a href=\"https://tailscale.com/docs/features/sharing/how-to/offboard\">Offboarding users</a>.</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}