Key Expiry

As a security feature, users need to periodically reauthenticate on each of their devices. The default expiration period depends on your domain setting. By default, new domains are set with an expiry period of 180 days. Depending on your pricing plan, you can change the expiration period for your domain.

If reauthentication does not occur, keys expire and connections to/from the given endpoint will stop working.

Disabling key expiry

Disabling key expiry is available for all plans.

You may want to disable key expiry on some devices, such as trusted servers, subnet routers, or remote IoT devices that are hard to reach.

  1. Open the Machines page of the admin console.
  2. Find the row corresponding to the device you are interested in.
  3. Click on the ellipsis icon menu at the far right and select the Disable Key Expiry option.
  4. Done. The keys for that device will no longer expire.

Enabling key expiry

Enabling key expiry is available for all plans.

  1. Open the Machines page of the admin console.
  2. Find the row corresponding to the device you are interested in.
  3. Click on the ellipsis icon menu at the far right and select the Enable Key Expiry option.
  4. Done. The keys for that device are now set with an expiration.

Renewing keys for an expired device

If keys expire for a device, connections to/from the given endpoint will stop working. For devices that have the Tailscale CLI, running tailscale up --force-reauth (using sudo if needed) will renew the keys.

Be aware that tailscale up --force-reauth currently involves bringing down the Tailscale connection and thus should not be done remotely over SSH or RDP.

However, for remote devices that you’ve restricted to Tailscale-only traffic, signing in again without Tailscale access can be difficult or impossible. In these cases, we allow admins of a network to temporarily extend a key’s lifetime to help the device owner regain access and reauthenticate.

To regain access to an expired device:

  1. Open the Machines page of the admin console.
  2. Find the row corresponding to the device you are interested in.
  3. Click on the ellipsis icon menu at the far right and select the Temporarily extend key option. This option only appears for devices with expired keys.
  4. The key will be extended for 30 minutes. Instruct the owner of the machine to log in and reauthenticate within the extended timeframe, or disable key expiry for this device within that window.
  5. Once the machine has been reauthenticated, the key should be renewed for your standard expiry time (6 months by default).

If you’re renewing keys for a machine that belongs to you, and it has already signed a new authentication URL, we provide a one-click Reauthenticate option in place of Temporarily extend key. However, extending the key is the far more common way to regain access.

Using key expiry with tagged devices

When you apply a tag to a device for the first time and authenticate it, the tagged device will have key expiry disabled by default. For more details, see Key expiry for tagged devices.
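
An added example, not part of Tailscale's documentation or code: a small audit that sorts a device inventory into expired, expiring-soon and expiry-disabled buckets, so reauthentication can be scheduled before connections stop and manually exempted devices get reviewed. The inventory shape (hostname, expires, keyExpiryDisabled, tags), the sample devices and the 14-day warning window are assumptions constructed for illustration.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample inventory. The field names (hostname, expires,
# keyExpiryDisabled, tags) are assumptions; map them to your own export.
SAMPLE_DEVICES = json.loads("""
[
  {"hostname": "laptop-alice", "expires": "2024-03-10T09:00:00Z", "keyExpiryDisabled": false},
  {"hostname": "laptop-bob", "expires": "2024-02-20T09:00:00Z", "keyExpiryDisabled": false},
  {"hostname": "build-01", "expires": "2024-08-01T09:00:00Z", "keyExpiryDisabled": false},
  {"hostname": "subnet-router", "expires": "2024-01-05T09:00:00Z", "keyExpiryDisabled": true},
  {"hostname": "ci-runner", "expires": "2024-01-05T09:00:00Z", "keyExpiryDisabled": true,
   "tags": ["tag:ci"]}
]
""")

def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp such as 2024-03-10T09:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_key_expiry(devices, now, warn_days=14):
    """Sort device hostnames into buckets by key-expiry state at time `now`."""
    report = {"expired": [], "expiring_soon": [], "ok": [],
              "expiry_disabled_tagged": [], "expiry_disabled_untagged": []}
    horizon = now + timedelta(days=warn_days)
    for dev in devices:
        if dev.get("keyExpiryDisabled"):
            # Tagged devices have expiry disabled by default; untagged ones
            # were exempted by hand and deserve a periodic review.
            bucket = ("expiry_disabled_tagged" if dev.get("tags")
                      else "expiry_disabled_untagged")
        else:
            expires = parse_ts(dev["expires"])
            if expires <= now:
                bucket = "expired"        # connections already failing
            elif expires <= horizon:
                bucket = "expiring_soon"  # schedule reauthentication now
            else:
                bucket = "ok"
        report[bucket].append(dev["hostname"])
    return report

if __name__ == "__main__":
    now = datetime(2024, 3, 1, tzinfo=timezone.utc)  # fixed date for the sample
    for bucket, names in audit_key_expiry(SAMPLE_DEVICES, now).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```
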

Setting a custom authentication period

Setting a custom authentication period is available for the Personal, Premium, and Enterprise plans.

  1. Open the Device Management page of the admin console.
  2. In the Key Expiry section, select from 1 to 180 days as the custom authentication period.
  3. Click Save.

Admin console session expiry

A browser session that is accessing the Tailscale admin console has an expiry of 30 days. This expiry is unrelated to any key expiry. For more details, see the topic Do admin console sessions expire?