Tailscale Key Expiry

| Feature | Auth Key (Pre‑auth) | Node Key |
|---------|---------------------|-----------|
| Purpose | Join new devices | Authenticate existing device |
| Expiry control | User‑configurable | Automatic (24h rotation) |
| Default expiry | 30 days | N/A (rotates) |
| Max expiry | 1 year (reusable) | N/A |
| Can revoke manually? | Yes | No (revoke node instead) |
| Affects existing nodes? | No | Yes (if revoked, node loses access) |

| Mistake | Consequence | Fix |
|---------|-------------|-----|
| Using a 1‑year key for a temporary CI job | Key may leak and be reused | Use 1‑hour expiry + ephemeral |
| Forgetting to set expiry | Key lives longer than needed | Always specify --valid-for |
| Reusable key without expiry limit | Not allowed (max 1 year) | Accept the 1‑year max or rotate frequently |
| Key expires during a long-running deployment | Node fails to join | Use ephemeral nodes + short key, or extend key window |

During this window, you must log into the device and run tailscale up --force-reauth (on CLI-based systems) or sign in via the app to fully renew the key.

Key Expiry Comparison Summary

Node Key (Default); Tagged Devices
Default Duration: Up to 90 Days
Max Duration: 180 Days (unless disabled)
Can be Disabled?: Yes, per-machine; Yes (by default)
Primary Use: Ongoing device access; Initial registration; Servers/Automation

You can generate a key with custom expiry using the tailscale auth-key command:

By understanding and actively managing key expiry, you can significantly improve your tailnet's security posture while enabling smooth automation and device lifecycle management.

180-day key expiry for security. It’s a safety feature—a way to ensure that if a device is lost or stolen, it doesn’t have a permanent "backdoor" into your private network. For Leo, that silent 180-day timer had just run out at the worst possible moment.

The Remote Deadlock

Because the key had expired, the server had disconnected itself from the "tailnet." To fix it, Leo normally just had to log in again. But he couldn't log in to the server because he wasn't

Yes, node keys rotate automatically every ~24 hours. This is seamless and requires no action.
