Renew a device's key seamlessly
The instructions outlined in this topic are provided for versions of the Tailscale client earlier than v1.90, as a manual way to enable seamless key renewal. In Tailscale v1.90 and later, seamless key renewal is enabled by default. We recommend updating devices to the latest version of the client if you are using seamless key renewal.
Seamless key renewal lets you configure your Tailscale network (known as a tailnet) so that Transmission Control Protocol (TCP) connections remain active during renewal of node keys. Without seamless key renewal, a device's TCP connections close and then reconnect. Seamless key renewal is useful when you need to maintain long-running connections for a device, particularly if the device's key expiry has a short duration.
Enable seamless key renewal
To enable seamless key renewal on devices running a version of the Tailscale client earlier than Tailscale v1.90, edit the nodeAttrs section of your tailnet policy file to add seamless-key-renewal as an attribute. This example adds the seamless-key-renewal attribute for devices with the tag:prod tag:
"nodeAttrs": [
  {
    "target": [
      "tag:prod",
    ],
    "attr": ["seamless-key-renewal"],
  },
]
The seamless-key-renewal attribute will not have any effect on devices running Tailscale v1.90 and later.
For details about the syntax in this example, refer to node attributes.
Disable seamless key renewal
Disabling seamless key renewal using this method will not affect devices running Tailscale v1.90 or later.
To disable seamless key renewal, remove the seamless-key-renewal attribute from the nodeAttrs section in your tailnet policy file.
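The following Python sketch is an added example, not part of Tailscale's documentation or tooling. It reads a policy excerpt like the one above and reports, per device, whether seamless key renewal comes from the client default (v1.90 and later), from the seamless-key-renewal attribute, or is not enabled. The device inventory, its field names, and the function names are assumptions made for this example, and only tag targets are matched.

```python
import json
import re

# Constructed policy excerpt in the same shape as the example above (trailing commas kept).
POLICY = """{
  "nodeAttrs": [
    {"target": ["tag:prod",], "attr": ["seamless-key-renewal"],},
  ]
}"""

# Constructed device inventory; the field names are assumptions for this example.
DEVICES = [
    {"name": "db-1", "tags": ["tag:prod"], "version": "1.88.3"},
    {"name": "web-1", "tags": ["tag:prod"], "version": "1.90.1"},
    {"name": "laptop", "tags": [], "version": "1.86.0"},
]

ATTR = "seamless-key-renewal"
DEFAULT_ON = (1, 90)  # seamless key renewal is enabled by default from v1.90


def load_policy(text):
    # Simplification: strips trailing commas only; comments are not handled.
    return json.loads(re.sub(r",(\s*[\]}])", r"\1", text))


def attr_targets(policy):
    """Return every target selector that is granted the attribute."""
    targets = set()
    for entry in policy.get("nodeAttrs", []):
        if ATTR in entry.get("attr", []):
            targets.update(entry.get("target", []))
    return targets


def classify(device, targets):
    major, minor = device["version"].split(".")[:2]
    if (int(major), int(minor)) >= DEFAULT_ON:
        return "default"    # the attribute has no effect on this client
    if targets & set(device["tags"]):
        return "attribute"  # depends on the nodeAttrs entry staying in place
    return "off"            # TCP connections close and reconnect on renewal


def report(policy_text, devices):
    targets = attr_targets(load_policy(policy_text))
    return {d["name"]: classify(d, targets) for d in devices}


if __name__ == "__main__":
    print(report(POLICY, DEVICES))
```

Devices reported as "attribute" are the ones that lose seamless renewal if the nodeAttrs entry is removed.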
