Key Expiry
As a security feature, users need to periodically reauthenticate on each of their devices. The default expiration period depends on your domain setting. By default, new domains are set with an expiry period of 180 days. You can change the expiration period for your domain from the admin console, from 1 to 180 days (see the Key Expiry setting).
If reauthentication does not occur, keys expire and connections to/from the given endpoint will stop working.
Disabling key expiry
You may want to disable key expiry on some devices, such as trusted servers, subnet routers, or remote IoT devices that are hard to reach.
- Open the Machines page of the admin console.
- Find the row corresponding to the device you are interested in.
- Click on the menu at the far right of the row and select the Disable Key Expiry option.
- Done. The keys for that device will no longer expire.
Renewing keys for an expired device
If keys expire for a device, connections to/from the given endpoint will stop working. For devices that have the Tailscale CLI, running tailscale up --force-reauth (using sudo if needed) will renew the keys.
tailscale up --force-reauth currently involves bringing down the Tailscale connection and thus should not be done remotely over SSH or RDP.
However, for remote devices that you’ve restricted to Tailscale-only traffic, signing in again without Tailscale access can be difficult or impossible. In these cases, we allow admins of a network to temporarily extend a key’s lifetime to help the device owner regain access and reauthenticate.
To regain access to an expired device:
- Open the Machines page of the admin console.
- Find the row corresponding to the device you are interested in.
- Click on the menu at the far right of the row and select the Temporarily extend key option. This option only appears for devices with expired keys.
- The key will be extended for a small amount of time. Instruct the owner of the machine to log in and reauthenticate within the extended timeframe.
- Once the machine has been reauthenticated, the key should be renewed for your standard expiry time (6 months by default).
If you’re renewing keys for a machine that belongs to you, and it has already signed a new authentication URL, we provide a one-click Reauthenticate option in place of Temporarily extend key. However, extending the key is the far more common way to regain access.
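An added example (not Tailscale's own code) of a periodic audit that covers both sections above: it flags devices whose keys have expired or will expire soon, and devices with key expiry disabled that are not on a reviewed allowlist. The field names hostname, keyExpiryDisabled and expires are assumptions about an exported device list, the sample data is constructed, and APPROVED_NO_EXPIRY is a hypothetical allowlist.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample data; field names are assumptions about an exported device list.
SAMPLE_DEVICES = json.loads("""[
  {"hostname": "laptop-alice",  "keyExpiryDisabled": false, "expires": "2024-06-20T10:00:00Z"},
  {"hostname": "subnet-router", "keyExpiryDisabled": true,  "expires": "2024-03-01T00:00:00Z"},
  {"hostname": "laptop-bob",    "keyExpiryDisabled": true,  "expires": "2024-04-15T00:00:00Z"},
  {"hostname": "iot-sensor-7",  "keyExpiryDisabled": false, "expires": "2024-05-30T08:30:00Z"},
  {"hostname": "build-server",  "keyExpiryDisabled": false, "expires": "2024-11-01T00:00:00Z"}
]""")

# Hypothetical allowlist: devices reviewed and approved to run without key expiry.
APPROVED_NO_EXPIRY = {"subnet-router"}


def parse_ts(value):
    """Parse an RFC 3339 UTC timestamp such as 2024-06-20T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def audit_key_expiry(devices, now, approved=frozenset(), warn_within=timedelta(days=14)):
    """Bucket devices by key-expiry state so each one gets the right follow-up."""
    report = {"expired": [], "expiring_soon": [], "ok": [],
              "no_expiry_approved": [], "no_expiry_unapproved": []}
    for dev in devices:
        name = dev["hostname"]
        if dev.get("keyExpiryDisabled"):
            # The stored expiry is ignored: a key with expiry disabled never lapses.
            bucket = "no_expiry_approved" if name in approved else "no_expiry_unapproved"
        else:
            remaining = parse_ts(dev["expires"]) - now
            if remaining <= timedelta(0):
                bucket = "expired"          # needs extend key + reauthentication
            elif remaining <= warn_within:
                bucket = "expiring_soon"    # reauthenticate locally before it lapses
            else:
                bucket = "ok"
        report[bucket].append(name)
    return report


if __name__ == "__main__":
    now = datetime(2024, 6, 10, tzinfo=timezone.utc)  # fixed so the sample is reproducible
    for bucket, names in audit_key_expiry(SAMPLE_DEVICES, now, APPROVED_NO_EXPIRY).items():
        print(f"{bucket:22} {', '.join(names) or '-'}")
```

Devices in no_expiry_unapproved are the ones to review first, since a key that never expires removes the periodic reauthentication described at the top of this page.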