
Auth keys

Pre-authentication keys (“auth keys” for short) let you register new nodes without needing to sign in via a web browser. This is most useful when spinning up containers, IoT devices, or using infrastructure-as-code systems like Terraform.

In an upcoming release, each issued auth key will be restricted to only certain ACL tags. For now, an auth key inherits all the network rights of the user who generated it. Be careful!

Step 1: Generate an auth key

As a network admin, visit the auth key page. You can choose between three types:

  • One-off: keys for one-time use.
  • Reusable: keys for multiple uses.
  • Ephemeral: keys for authenticating ephemeral nodes for cloud function services and short-lived devices.

This page also gives you the ability to revoke existing keys.

Be very careful with reusable keys! These can be very dangerous if stolen. They’re best kept in a key vault product specially designed for the purpose.

Step 2: Register a node with the auth key

When you register a node, use the --authkey option to supply the key and bypass interactive login:

sudo tailscale up --authkey tskey-abcdef1432341818
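
For unattended provisioning, where the key arrives as a file written by a key vault or secret store, the script below checks that file before running the Step 2 command. It is an added example, not part of the original documentation; the function names and the key file path are hypothetical.

```shell
#!/bin/sh
# Added example: pre-flight checks on an auth key file, then registration.
# check_authkey_file and register_node are hypothetical helper names.

# Return 0 if FILE looks like a safely stored auth key, 1 otherwise.
check_authkey_file() {
    f=$1
    if [ ! -f "$f" ] || [ ! -r "$f" ]; then
        echo "auth key file missing or unreadable: $f" >&2
        return 1
    fi
    # The mode must grant nothing to group or other.
    # GNU stat is tried first, BSD stat as a fallback.
    perms=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f") || return 1
    case "$perms" in
        ?00) ;;
        *) echo "auth key file mode $perms is too permissive" >&2; return 1 ;;
    esac
    key=$(cat "$f")
    # Keys carry the tskey- prefix shown in the command above.
    case "$key" in
        tskey-?*) ;;
        *) echo "file does not contain an auth key" >&2; return 1 ;;
    esac
    # Reject embedded whitespace or extra lines (a trailing newline is fine).
    if [ "$key" != "$(printf '%s' "$key" | tr -d '[:space:]')" ]; then
        echo "auth key file contains whitespace or several lines" >&2
        return 1
    fi
    return 0
}

# Register this node using the key stored in FILE.
register_node() {
    check_authkey_file "$1" || return 1
    # The key is read at call time and never written into the script.
    # It is still visible in the process argument list while the command runs.
    sudo tailscale up --authkey "$(cat "$1")"
}

# Usage: sh register.sh /run/secrets/tailscale-authkey   (path is a placeholder)
if [ "$#" -gt 0 ]; then
    register_node "$1"
fi
```

Delete the key file once the node is registered, so that a reusable key does not stay on the machine's disk.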

Optional: Revoking a key / node

To revoke a key, visit the same auth key page, locate the key in the table at the bottom, and press “revoke.”

Any nodes authorized with the key will stay authorized, even after the key is revoked. To de-authorize the node, delete it from the machines admin page.
