
Node keys

Node keys are cryptographic keys that authenticate and identify devices on your Tailscale network (known as a tailnet). They are a fundamental component in Tailscale's security architecture, working alongside machine keys in a multi-layered approach to secure your network.

Tailscale uses node keys to authenticate devices, authorize access based on user identity and device status, and encrypt traffic between devices. When a device connects to Tailscale:

  1. The device generates a private node key (separate from the machine key).
  2. Tailscale sends the public component of the node key to the coordination server.
  3. You complete authentication through your identity provider (over a protocol such as OAuth2 or SAML).
  4. After authentication, the coordination server links the node key to both the specific device (machine key) and the user identity.
  5. The coordination server validates the node key against your tailnet's access control policies to determine what resources your device can access.
  6. The coordination server then distributes the public node key to other devices in the tailnet (based on your access control policies).
  7. The device uses the key pair for encrypted connections with other devices.

When an admin removes a device using the admin console, Tailscale immediately revokes its node key. Both authorization and revocation take effect almost instantly across your entire tailnet.
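The seven steps above and the revocation that follows can be traced in a small model. The following Go program is an added example, not Tailscale's own code: it generates real X25519 key pairs (the key type WireGuard and therefore node keys use), but the coordination server, its record layout, the policy shape (a constructed allowed[source user][destination user] map) and the user names are assumptions made for this example. The shared-secret step is a plain X25519 agreement standing in for the WireGuard handshake. Note what the server never sees: only public halves of either key leave the device, and a revoked node's public key disappears from every other device's peer list.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// Device models one machine. Both private keys stay here; only public halves are sent out.
type Device struct {
	machineKey *ecdh.PrivateKey // long-lived, generated once at install time
	nodeKey    *ecdh.PrivateKey // regenerated each time the user authenticates
}

func NewDevice() (*Device, error) {
	mk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{machineKey: mk}, nil
}

// GenerateNodeKey is step 1: a fresh X25519 key pair, independent of the machine key.
func (d *Device) GenerateNodeKey() error {
	nk, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	d.nodeKey = nk
	return nil
}

// NodePub is step 2: the only part of the node key the device ever sends.
func (d *Device) NodePub() []byte { return d.nodeKey.PublicKey().Bytes() }

// SharedSecret is step 7, simplified to one X25519 agreement with a peer's public node key.
func (d *Device) SharedSecret(peerPub []byte) ([]byte, error) {
	pk, err := ecdh.X25519().NewPublicKey(peerPub)
	if err != nil {
		return nil, err
	}
	return d.nodeKey.ECDH(pk)
}

// NodeRecord is what the (constructed) coordination server stores: public material plus identity.
type NodeRecord struct {
	MachinePub []byte
	NodePub    []byte
	User       string // result of step 3, the identity-provider login
	Revoked    bool
}

// CoordServer is a constructed model; allowed[src][dst] is an assumed policy shape, not Tailscale's.
type CoordServer struct {
	nodes   map[string]*NodeRecord // keyed by hex public node key
	allowed map[string]map[string]bool
}

func NewCoordServer(allowed map[string]map[string]bool) *CoordServer {
	return &CoordServer{nodes: map[string]*NodeRecord{}, allowed: allowed}
}

// Register is step 4: bind the node key to the device's machine key and the authenticated user.
func (s *CoordServer) Register(d *Device, user string) string {
	id := hex.EncodeToString(d.NodePub())
	s.nodes[id] = &NodeRecord{MachinePub: d.machineKey.PublicKey().Bytes(), NodePub: d.NodePub(), User: user}
	return id
}

// Peers is steps 5 and 6: evaluate policy, then hand out only the public node keys this device may reach.
func (s *CoordServer) Peers(id string) [][]byte {
	me, ok := s.nodes[id]
	if !ok || me.Revoked {
		return nil
	}
	var out [][]byte
	for pid, rec := range s.nodes {
		if pid != id && !rec.Revoked && s.allowed[me.User][rec.User] {
			out = append(out, rec.NodePub)
		}
	}
	return out
}

// Revoke models an admin removing the device: its key leaves every peer list on the next distribution.
func (s *CoordServer) Revoke(id string) {
	if rec, ok := s.nodes[id]; ok {
		rec.Revoked = true
	}
}

// Run walks the lifecycle with three constructed devices. It returns whether the two permitted
// peers derive the same secret, and the laptop's peer count before and after the server is revoked.
func Run() (secretsMatch bool, before, after int, err error) {
	policy := map[string]map[string]bool{ // constructed policy: alice and bob may talk; carol is isolated
		"alice@example.com": {"bob@example.com": true},
		"bob@example.com":   {"alice@example.com": true},
	}
	srv := NewCoordServer(policy)
	devs := make([]*Device, 3)
	for i := range devs {
		if devs[i], err = NewDevice(); err != nil {
			return false, 0, 0, err
		}
		if err = devs[i].GenerateNodeKey(); err != nil {
			return false, 0, 0, err
		}
	}
	laptopID := srv.Register(devs[0], "alice@example.com")
	serverID := srv.Register(devs[1], "bob@example.com")
	srv.Register(devs[2], "carol@example.com")

	before = len(srv.Peers(laptopID)) // carol is filtered out by policy
	s1, err1 := devs[0].SharedSecret(srv.Peers(laptopID)[0])
	s2, err2 := devs[1].SharedSecret(srv.Peers(serverID)[0])
	if err1 != nil || err2 != nil {
		return false, 0, 0, fmt.Errorf("ecdh failed: %v %v", err1, err2)
	}
	srv.Revoke(serverID)
	after = len(srv.Peers(laptopID))
	return bytes.Equal(s1, s2), before, after, nil
}

func main() {
	match, before, after, err := Run()
	fmt.Printf("secrets match: %v, peers before revoke: %d, after: %d, err: %v\n", match, before, after, err)
}
```

The split between the two keys matches the table below: the machine key is created once and only identifies the device to the server, while the node key is what policy is evaluated against and what the peer actually uses to agree on session material.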

Machine keys vs. node keys

Tailscale uses machine keys and node keys to manage device identity and device authorization. Machine keys identify physical devices to the Tailscale coordination server. Node keys authorize network access and enable secure connections between devices.

| Machine keys | Node keys |
| --- | --- |
| Generated when Tailscale is first installed | Generated each time a user authenticates |
| Identify the physical device | Tie the device to a user identity |
| Used for secure communication with the coordination server | Used for WireGuard connections between devices |
| Cannot be rotated | Can be rotated regularly |
| Pre-authorization can be required | Automatically validated against access control policies |

Last updated Mar 14, 2025