Device authorization

Device authorization is a feature that allows Tailscale network administrators to review and approve new devices before they can join the network. This can be used to ensure only trusted devices, such as workplace-managed laptops and phones, can access a network.

Enable device authorization for your network

This feature can be enabled from the Tailscale admin console. Look for Device Authorization in the general settings.

Authorize devices from the admin console

Once this setting is enabled, new devices that access your network will see a notification that their device is awaiting approval. Devices awaiting approval cannot send or receive traffic on your Tailscale network until they are authorized.

To authorize devices, navigate to the Machines page of the admin console. At the top of the list you should see the device with a Needs Authorization badge beneath it.

You can review details about the device and user before deciding whether to authorize it. When you’re ready to authorize the device, click on the ellipsis icon and select Authorize to allow the device to connect to your network.

After authorization, the device will immediately be able to connect. No restarts or toggling needed.

Pre-authorize devices with an auth key

When you generate a new auth key, you can specify that it automatically authorizes any device that authenticates with it.

To do this, you must:

  1. Generate an auth key which is pre-authorized.
  2. Then, specify that auth key when authenticating a device. The device is automatically authorized.

Generate an auth key which is pre-authorized

You can generate a pre-authorized auth key both via the admin console and via the API.

In the admin console:

  1. Navigate to the auth keys settings in the admin console.
  2. Click Generate auth key.
  3. Select Pre-authorized. This option is only available if device authorization is enabled for the tailnet.
  4. Click Generate to generate the auth key.
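
Both steps of the pre-authorization procedure, done through the API instead of the console. This is an added example, not part of the original documentation. The function names and the `TS_API_TOKEN` and `TS_TAILNET` variables are assumptions chosen for illustration. The key is requested as single-use with a short lifetime, since a pre-authorized key skips the admin review described above.

```shell
#!/bin/sh
# Added example: create a pre-authorized auth key via the Tailscale API,
# then enroll a device with it.
# Assumptions: TS_API_TOKEN holds an API access token; TS_TAILNET holds the
# tailnet name ("-" means the token's default tailnet).

API_BASE="https://api.tailscale.com/api/v2"

# Print the JSON request body for a pre-authorized key.
# $1 = key lifetime in seconds; anything but a positive integer is rejected.
# reusable=false makes the key single-use, so a leaked copy cannot be
# replayed to enroll further devices without review.
build_key_request() {
    case "$1" in
        ''|*[!0-9]*|0*)
            echo "expiry must be a positive integer" >&2
            return 1 ;;
    esac
    printf '{"capabilities":{"devices":{"create":{"reusable":false,"ephemeral":false,"preauthorized":true}}},"expirySeconds":%s}\n' "$1"
}

# POST the request and print the API's JSON response, which contains the key.
create_preauthorized_key() {
    body=$(build_key_request "$1") || return 1
    curl --fail --silent --show-error \
        -u "${TS_API_TOKEN:?set TS_API_TOKEN}:" \
        -H "Content-Type: application/json" \
        -d "$body" \
        "$API_BASE/tailnet/${TS_TAILNET:--}/keys"
}

# Step 1 (admin workstation), key valid for one hour:
#   TS_API_TOKEN=... TS_TAILNET=example.com create_preauthorized_key 3600
# Step 2 (new device), using the "key" value from the response:
#   tailscale up --auth-key="$KEY"
```

As in the console, the `preauthorized` setting only matters when device authorization is enabled for the tailnet.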

