Docs / Admin

Pre-authentication keys

Pre-authentication keys (“auth keys”) allow you to register new nodes without doing an interactive login. This is most useful when spinning up containers, IoT devices, or using infrastructure-as-code systems like Terraform.

In an upcoming release, each issued auth key will be restricted to only certain ACL tags. For now, an auth key inherits all the network rights of the user who generated it. Be careful!

Step 1: Generate an auth key

As a network admin, visit the auth key page. You can choose “One-off Key” for one-time use, or a “Reusable Key” for multiple uses. This page also gives you the ability to revoke existing keys.

Be very careful with multi-use keys! These can be very dangerous if stolen. They’re best kept in a key vault product specially designed for the purpose.

Step 2: Register a node with the auth key

When you register a node, use the --authkey option to supply the key and bypass interactive login:

sudo tailscale up --authkey tskey-abcdef1432341818

Optional: Revoking a key / node

To revoke a key, visit the same auth key page, locate the key in the table at the bottom, and press “revoke.”

Any nodes authorized with the key will stay authorized, even after the key is revoked. To de-authorize the node, delete it from the machines admin page

Last updated