Device approval

Device approval is a feature that allows Tailscale network administrators to review and approve new devices before they can join the network. This can be used to ensure only trusted devices, such as workplace-managed laptops and phones, can access a network.

Device approval is available for the Personal, Premium, and Enterprise plans.

Enable device approval for your network

This feature can be enabled from the Device management page of the admin console.

Approve devices from the admin console

Once this setting is enabled, new devices that access your network will see a notification that their device is awaiting approval. Devices awaiting approval cannot send or receive traffic on your Tailscale network until they are approved.

To approve devices, open the Machines page of the admin console. At the top of the list you should see the device with a Needs Approval badge beneath it.

You can review details about the device and user before deciding whether to approve it. When you’re ready to approve the device, click on the ellipsis icon menu and select Approve to allow the device to connect to your network.

After approval, the device will immediately be able to connect. No restarts or toggling needed.

Pre-approve devices with an auth key

When you generate a new auth key, you can specify that the key should automatically approve devices for which the auth key is used.

To do this, you must:

  1. Generate an auth key which is pre-approved.
  2. Then, specify that auth key when authenticating a device. The device is automatically approved.

Generate an auth key which is pre-approved

You can generate an auth key with an ACL tag both via the admin console and via API.

In the admin console:

  1. Go to the Keys page in the admin console.
  2. In the Auth keys section, click Generate auth key.
  3. Select Pre-approved. This option is only available if device approval is enabled for the tailnet.
  4. Click Generate to generate the auth key.

Automate device approval

When using device approval, you can create a flow to automatically approve a device if it meets specific criteria, such as being on an internal device registry or passing a third-party posture check.

  1. Configure a webhook for nodeNeedsApproval.
  2. Upon receiving webhook messages, verify the node against the information that you need.
  3. Approve the device by sending a POST request to the device authorization API. For example:

     curl "https://api.tailscale.com/api/v2/device/11055/authorized" \
       -u "tskey-api-xxxxx:" \
       --data-binary '{"authorized": true}'

You can also revoke the authorization for a device by calling the same API with {"authorized": false} as the payload.
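
The three steps above as one handler, shown as an added example rather than Tailscale's own code. It authenticates the webhook message, checks each nodeNeedsApproval event against a registry, and builds the approval POST without sending it. Assumptions: the signature header has the form t=<unix time>,v1=<hex HMAC-SHA256 of "t.body">, events carry type, data.nodeID, data.deviceName and data.managedBy, and the secret, registry and sample body are constructed.

```python
import base64, hashlib, hmac, json, time, urllib.parse, urllib.request

API = "https://api.tailscale.com/api/v2/device/{}/authorized"  # endpoint shown on the page
MAX_SKEW = 300  # seconds of clock skew tolerated before a message counts as a replay (assumed)

def verify_signature(header, body, secret, now=None):
    """Assumed header form 't=<unix>,v1=<hex>': HMAC-SHA256(secret, t + '.' + body)."""
    parts = dict(p.split("=", 1) for p in header.split(",") if "=" in p)
    ts, sig = parts.get("t", ""), parts.get("v1", "")
    if not ts.isdecimal() or abs((now or time.time()) - int(ts)) > MAX_SKEW:
        return False
    expected = hmac.new(secret, ts.encode() + b"." + body, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected.encode(), sig.encode())

def nodes_to_approve(body, registry):
    """Node IDs from nodeNeedsApproval events whose device name and owner match the registry."""
    approved = []
    for event in json.loads(body):
        data = event.get("data") or {}
        if event.get("type") != "nodeNeedsApproval" or not data.get("nodeID"):
            continue
        owner = registry.get(data.get("deviceName"))
        if owner is not None and owner == data.get("managedBy"):
            approved.append(data["nodeID"])
    return approved

def approval_request(node_id, api_key):
    """Build, without sending, the POST the page issues with curl (API key as basic-auth user)."""
    token = base64.b64encode(f"{api_key}:".encode()).decode()
    return urllib.request.Request(
        API.format(urllib.parse.quote(node_id, safe="")),
        data=json.dumps({"authorized": True}).encode(),
        headers={"Authorization": f"Basic {token}", "Content-Type": "application/json"},
        method="POST",
    )

def handle_webhook(header, body, secret, registry, api_key, now=None):
    """Return the approval requests to send; an unsigned or stale message yields none."""
    if not verify_signature(header, body, secret, now):
        return []
    return [approval_request(n, api_key) for n in nodes_to_approve(body, registry)]

# Constructed sample data (not real keys, devices, or a captured payload).
SECRET = b"example-webhook-secret"
REGISTRY = {"laptop-0042.example.ts.net": "alice@example.com"}
BODY = json.dumps([{"type": "nodeNeedsApproval", "data": {"nodeID": n, "deviceName": d, "managedBy": u}}
    for n, d, u in [("nEXAMPLE1", "laptop-0042.example.ts.net", "alice@example.com"),
                    ("nEXAMPLE2", "unknown.example.ts.net", "bob@example.com")]]).encode()
```

Pass each returned request to urllib.request.urlopen to send it. Devices that fail the registry check stay in the Needs Approval state for manual review.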