Docs / Admin

Ephemeral nodes

Ephemeral nodes make it easier to connect and then clean up short-lived devices such as containers, cloud functions, or CI/CD systems that spin up and spin down on a regular basis.

By default, when you add a new device to your Tailscale network, it appears in your admin console and in Tailscale client apps. However, short-lived devices can quickly generate hundreds of duplicates and make your network messy and difficult to navigate.

Ephemeral nodes differ from regular nodes in a few ways:

  • They are auto-removed from your network after a short period of inactivity. The next time an ephemeral node is created, it will have a new IP address.
  • They can only be created using ephemeral auth keys, not through the regular authentication flow.

You can identify ephemeral nodes in your admin console by looking for an “ephemeral” tag underneath the device name.

Authenticating an ephemeral node

Step 1: Generate an ephemeral auth key

To create an ephemeral node, you’ll first need to generate an ephemeral auth key from the auth keys page of the admin console.

A screenshot of the admin console, showing the auth key page with ephemeral keys highlighted
Be careful with auth keys! These can be very dangerous if stolen. They’re best kept in a key vault product specially designed for the purpose.

Step 2: Configure your infrastructure to use the key

The simplest way to do this is to update your usual scripts to use the new auth key:

sudo tailscale up --authkey=<your ephemeral key>

Instructions vary by platform. See our guides on setting up common platforms:

Step 3: Trigger a build

The next time your infrastructure spins up a new device, you should see it appear in your admin console as an ephemeral node! It will be able to connect to your network, and will be auto-removed shortly after going offline.


How long before ephemeral devices are auto-removed?

Ephemeral devices are auto-removed anywhere from 30 minutes to 48 hours after the last activity. This timeframe is subject to change as we learn more about what works best for Tailscale users.

Can I create an ephemeral node without an auth key?

Yes, running Tailscale v1.22 or greater. You can run tailscaled with the --state=mem: flag. tailscaled is the Tailscale daemon that runs on devices that have installed the Tailscale client. The --state=mem: flag registers the node as an ephemeral node so that the daemon stores state in memory, instead of writing it to disk.

Last updated

WireGuard is a registered
trademark of Jason A. Donenfeld.

© 2022 Tailscale Inc.

Privacy & Terms