
Key Expiry

As a security feature, users need to periodically reauthenticate on each of their devices. The default expiration period depends on your domain setting. By default, new trial domains are set with an expiry period of 6 months. Please contact us if you want to change the expiration period for your domain.

If reauthentication does not occur, keys expire and connections to/from the given endpoint will stop working.

Disabling key expiry

You may want to disable key expiry on some devices, such as trusted servers, subnet routers, or remote IoT devices that are hard to reach. You can do this from the admin panel:

  1. Navigate to the machine page.
  2. Find the row corresponding to the device you are interested in.
  3. Click on the ellipsis icon at the far right and select the “Disable Key Expiry” option.
  4. Done. The keys for that device will no longer expire.

Renewing keys for an expired device

If keys expire for a device, connections to/from the given endpoint will stop working. For most devices, renewing the keys is as simple as signing in again (or running sudo tailscale up on Linux).

However, for remote devices that you’ve restricted to Tailscale-only traffic, signing in again without Tailscale access can be difficult or impossible. In these cases, we allow admins of a network to temporarily extend a key’s lifetime to help the device owner regain access and reauthenticate.

To regain access to an expired device:

  1. Navigate to the machine page.
  2. Find the row corresponding to the device you are interested in.
  3. Click on the ellipsis icon at the far right and select the “Temporarily Extend Key” option. This option only appears for devices with expired keys.
  4. The key will be extended for a small amount of time. Instruct the owner of the machine to log in and reauthenticate within the extended timeframe.
  5. Once the machine has been reauthenticated, the key should be renewed for your standard expiry time (6 months by default).

If you’re renewing keys for a machine that belongs to you, and it has already signed a new authentication URL, we provide a one-click “reauthenticate” option in place of “temporarily extend key.” However, extending the key is the far more common way to regain access.
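The sketch below is an added example, not Tailscale code. It sorts a device inventory into the key states described on this page (expiry disabled, expired, expiring soon) so an admin can review exemptions and prompt reauthentication before access is lost. The inventory format, its field names, and the 14-day warning window are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory. The field names (hostname, key_expires,
# key_expiry_disabled) are hypothetical, not a Tailscale export format.
DEVICES = [
    {"hostname": "laptop-ana", "key_expires": "2024-09-01T00:00:00Z", "key_expiry_disabled": False},
    {"hostname": "subnet-router", "key_expires": "2024-03-01T00:00:00Z", "key_expiry_disabled": True},
    {"hostname": "iot-gateway", "key_expires": "2024-05-20T00:00:00Z", "key_expiry_disabled": False},
    {"hostname": "build-server", "key_expires": "2024-06-10T00:00:00Z", "key_expiry_disabled": False},
]

def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp such as 2024-06-10T00:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def classify(device, now, warn_days=14):
    """Return the key-expiry state of one device record."""
    if device["key_expiry_disabled"]:
        return "expiry-disabled"   # never expires: confirm the exemption is intended
    expires = parse_ts(device["key_expires"])
    if expires <= now:
        return "expired"           # connections have stopped; needs reauthentication
    if expires - now <= timedelta(days=warn_days):
        return "expiring-soon"     # reauthenticate before access is lost
    return "ok"

def audit(devices, now, warn_days=14):
    """Group hostnames by state so each group can be handled separately."""
    report = {"expiry-disabled": [], "expired": [], "expiring-soon": [], "ok": []}
    for device in devices:
        report[classify(device, now, warn_days)].append(device["hostname"])
    return report

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed so the run is reproducible
    for state, hosts in audit(DEVICES, now).items():
        print(f"{state:16} {', '.join(hosts) or '-'}")
```

Devices in the expiry-disabled group never reauthenticate, so that list is worth reviewing periodically against the servers, subnet routers and IoT devices that were meant to be exempt.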
