{"slug":"key-expiry","title":"Key expiry","tags":["tailscale","access-control"],"agent_summary":"Last validated: Jan 5, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# Key expiry\r\n\r\nLast validated: Jan 5, 2026\r\n\r\nAs a security feature, users need to periodically reauthenticate on\r\neach of their devices. The default expiration period depends on your\r\ndomain setting. By default, new domains are set with an expiry period\r\nof 180 days.\r\n\r\nIf reauthentication does not occur, keys expire and connections to/from the\r\ngiven endpoint will stop working.\r\n\r\n## [Disabling key expiry](https://tailscale.com/docs/features/access-control/key-expiry\\#disabling-key-expiry)\r\n\r\nDisabling key expiryis available for [all plans](https://tailscale.com/pricing).\r\n\r\nYou may want to disable key expiry on some devices, such as trusted servers, [subnet routers](https://tailscale.com/docs/features/subnet-routers), or remote IoT devices that are hard to reach.\r\n\r\n1. Open the [Machines](https://login.tailscale.com/admin/machines) page of the admin console.\r\n2. Find the row corresponding to the device you are interested in.\r\n3. Select the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu at the far right and select the **Disable Key Expiry** option:![Menu in the admin console with the 'Disable Key Expiry' option indicated with a red outline.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fdisable-key-expiry.4683b4d2.png&w=1200&q=75)\r\n4. Done. The keys for that device will no longer expire.\r\n\r\n## [Enabling key expiry](https://tailscale.com/docs/features/access-control/key-expiry\\#enabling-key-expiry)\r\n\r\nEnabling key expiryis available for [all plans](https://tailscale.com/pricing).\r\n\r\n1. Open the [Machines](https://login.tailscale.com/admin/machines) page of the admin console.\r\n2. Find the row corresponding to the device you are interested in.\r\n3. Select the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu at the far right and select the **Enable Key Expiry** option:\r\n4. Done. The keys for that device are now set with an expiration.\r\n\r\n## [Renewing keys for an expired device](https://tailscale.com/docs/features/access-control/key-expiry\\#renewing-keys-for-an-expired-device)\r\n\r\nIf keys expire for a device, connections to/from the given endpoint will stop working. For devices that\r\nhave the [Tailscale CLI](https://tailscale.com/docs/reference/tailscale-cli), running [`tailscale up --force-reauth`](https://tailscale.com/docs/reference/tailscale-cli/up) (using `sudo` if needed)\r\nwill renew the keys.\r\n\r\nBe aware that `tailscale up --force-reauth` might bring down the tailnet connection and thus should not be done remotely over SSH or RDP without an alternate means to log in if the connection is lost.\r\n\r\nHowever, for remote devices that you've [restricted to Tailscale-only traffic](https://tailscale.com/docs/how-to/secure-ubuntu-server-with-ufw), signing in again without Tailscale access can be difficult or impossible. In these cases, we allow admins of a network to temporarily extend a key's lifetime to help the device owner regain access and reauthenticate.\r\n\r\nTo regain access to an expired device:\r\n\r\n1. Open the [Machines](https://login.tailscale.com/admin/machines) page of the admin console.\r\n2. Find the row corresponding to the device you are interested in.\r\n3. Select the ![ellipsis icon](https://tailscale.com/files/images/icons/fa-ellipsis-h.svg) menu at the far right and select the **Temporarily extend key** option. This option only appears for devices with expired keys:![Menu in the admin console with the 'Temporarily Extend Key' option indicated with a red outline.](https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fextend-key-expiry.1426d027.png&w=1200&q=75)\r\n4. The key will be extended for 30 minutes. Instruct the owner of the machine to log in and reauthenticate within the extended timeframe, or disable key expiry for this device within that window.\r\n5. Once the machine has been reauthenticated, the key should be renewed for your standard expiry time (6 months by default).\r\n\r\nIf you're renewing keys for a machine that belongs to you, and it has already signed a new authentication URL, we provide a one-select **Reauthenticate** option in place of **Temporarily extend key**. However, extending the key is the far more common way to regain access.\r\n\r\n## [Using key expiry with tagged devices](https://tailscale.com/docs/features/access-control/key-expiry\\#using-key-expiry-with-tagged-devices)\r\n\r\nWhen you apply a tag to a device for the first time and authenticate it, the tagged device will have [key expiry](https://tailscale.com/docs/features/access-control/key-expiry) disabled by default. For more information, refer to [Key expiry for tagged devices](https://tailscale.com/docs/features/tags#key-expiry).\r\n\r\n## [Setting a custom authentication period](https://tailscale.com/docs/features/access-control/key-expiry\\#setting-a-custom-authentication-period)\r\n\r\nSetting a custom authentication periodis available for [all plans](https://tailscale.com/pricing).\r\n\r\n1. Open the [Device management](https://login.tailscale.com/admin/settings/device-management) page of the admin console.\r\n2. In the **Key Expiry** section, select from 1 to 180 days as the custom authentication period.\r\n3. Select **Save**.\r\n\r\nA change to the **Key Expiry** value applies to any devices that are logged in after you make the change. The key expiration for any devices that are already logged in remains unchanged, until the next time the device is logged in.\r\n\r\n## [Admin console session expiry](https://tailscale.com/docs/features/access-control/key-expiry\\#admin-console-session-expiry)\r\n\r\nA browser session that is accessing the Tailscale [admin console](https://login.tailscale.com/admin) has an expiry of 30 days. This expiry is unrelated to any key expiry. For more information, refer to the topic [Do admin console sessions expire?](https://tailscale.com/docs/reference/admin-console-session-expiry)\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>Key expiry</h1>\n<p>Last validated: Jan 5, 2026</p>\n<p>As a security feature, users need to periodically reauthenticate on\r\neach of their devices. The default expiration period depends on your\r\ndomain setting. By default, new domains are set with an expiry period\r\nof 180 days.</p>\n<p>If reauthentication does not occur, keys expire and connections to/from the\r\ngiven endpoint will stop working.</p>\n<h2><a href=\"https://tailscale.com/docs/features/access-control/key-expiry#disabling-key-expiry\">Disabling key expiry</a></h2>\n<p>Disabling key expiryis available for <a href=\"https://tailscale.com/pricing\">all plans</a>.</p>\n<p>You may want to disable key expiry on some devices, such as trusted servers, <a href=\"https://tailscale.com/docs/features/subnet-routers\">subnet routers</a>, or remote IoT devices that are hard to reach.</p>\n<ol>\n<li>Open the <a href=\"https://login.tailscale.com/admin/machines\">Machines</a> page of the admin console.</li>\n<li>Find the row corresponding to the device you are interested in.</li>\n<li>Select the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu at the far right and select the <strong>Disable Key Expiry</strong> option:<img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fdisable-key-expiry.4683b4d2.png&#x26;w=1200&#x26;q=75\" alt=\"Menu in the admin console with the &#x27;Disable Key Expiry&#x27; option indicated with a red outline.\"></li>\n<li>Done. The keys for that device will no longer expire.</li>\n</ol>\n<h2><a href=\"https://tailscale.com/docs/features/access-control/key-expiry#enabling-key-expiry\">Enabling key expiry</a></h2>\n<p>Enabling key expiryis available for <a href=\"https://tailscale.com/pricing\">all plans</a>.</p>\n<ol>\n<li>Open the <a href=\"https://login.tailscale.com/admin/machines\">Machines</a> page of the admin console.</li>\n<li>Find the row corresponding to the device you are interested in.</li>\n<li>Select the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu at the far right and select the <strong>Enable Key Expiry</strong> option:</li>\n<li>Done. The keys for that device are now set with an expiration.</li>\n</ol>\n<h2><a href=\"https://tailscale.com/docs/features/access-control/key-expiry#renewing-keys-for-an-expired-device\">Renewing keys for an expired device</a></h2>\n<p>If keys expire for a device, connections to/from the given endpoint will stop working. For devices that\r\nhave the <a href=\"https://tailscale.com/docs/reference/tailscale-cli\">Tailscale CLI</a>, running <a href=\"https://tailscale.com/docs/reference/tailscale-cli/up\"><code>tailscale up --force-reauth</code></a> (using <code>sudo</code> if needed)\r\nwill renew the keys.</p>\n<p>Be aware that <code>tailscale up --force-reauth</code> might bring down the tailnet connection and thus should not be done remotely over SSH or RDP without an alternate means to log in if the connection is lost.</p>\n<p>However, for remote devices that you've <a href=\"https://tailscale.com/docs/how-to/secure-ubuntu-server-with-ufw\">restricted to Tailscale-only traffic</a>, signing in again without Tailscale access can be difficult or impossible. In these cases, we allow admins of a network to temporarily extend a key's lifetime to help the device owner regain access and reauthenticate.</p>\n<p>To regain access to an expired device:</p>\n<ol>\n<li>Open the <a href=\"https://login.tailscale.com/admin/machines\">Machines</a> page of the admin console.</li>\n<li>Find the row corresponding to the device you are interested in.</li>\n<li>Select the <img src=\"https://tailscale.com/files/images/icons/fa-ellipsis-h.svg\" alt=\"ellipsis icon\"> menu at the far right and select the <strong>Temporarily extend key</strong> option. This option only appears for devices with expired keys:<img src=\"https://tailscale.com/_next/image?url=%2F_next%2Fstatic%2Fmedia%2Fextend-key-expiry.1426d027.png&#x26;w=1200&#x26;q=75\" alt=\"Menu in the admin console with the &#x27;Temporarily Extend Key&#x27; option indicated with a red outline.\"></li>\n<li>The key will be extended for 30 minutes. Instruct the owner of the machine to log in and reauthenticate within the extended timeframe, or disable key expiry for this device within that window.</li>\n<li>Once the machine has been reauthenticated, the key should be renewed for your standard expiry time (6 months by default).</li>\n</ol>\n<p>If you're renewing keys for a machine that belongs to you, and it has already signed a new authentication URL, we provide a one-select <strong>Reauthenticate</strong> option in place of <strong>Temporarily extend key</strong>. However, extending the key is the far more common way to regain access.</p>\n<h2><a href=\"https://tailscale.com/docs/features/access-control/key-expiry#using-key-expiry-with-tagged-devices\">Using key expiry with tagged devices</a></h2>\n<p>When you apply a tag to a device for the first time and authenticate it, the tagged device will have <a href=\"https://tailscale.com/docs/features/access-control/key-expiry\">key expiry</a> disabled by default. For more information, refer to <a href=\"https://tailscale.com/docs/features/tags#key-expiry\">Key expiry for tagged devices</a>.</p>\n<h2><a href=\"https://tailscale.com/docs/features/access-control/key-expiry#setting-a-custom-authentication-period\">Setting a custom authentication period</a></h2>\n<p>Setting a custom authentication periodis available for <a href=\"https://tailscale.com/pricing\">all plans</a>.</p>\n<ol>\n<li>Open the <a href=\"https://login.tailscale.com/admin/settings/device-management\">Device management</a> page of the admin console.</li>\n<li>In the <strong>Key Expiry</strong> section, select from 1 to 180 days as the custom authentication period.</li>\n<li>Select <strong>Save</strong>.</li>\n</ol>\n<p>A change to the <strong>Key Expiry</strong> value applies to any devices that are logged in after you make the change. The key expiration for any devices that are already logged in remains unchanged, until the next time the device is logged in.</p>\n<h2><a href=\"https://tailscale.com/docs/features/access-control/key-expiry#admin-console-session-expiry\">Admin console session expiry</a></h2>\n<p>A browser session that is accessing the Tailscale <a href=\"https://login.tailscale.com/admin\">admin console</a> has an expiry of 30 days. This expiry is unrelated to any key expiry. For more information, refer to the topic <a href=\"https://tailscale.com/docs/reference/admin-console-session-expiry\">Do admin console sessions expire?</a></p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}