Tailscale Key Expiry

By understanding and actively managing Tailscale key expiry, you can significantly improve your tailnet's security posture while enabling smooth automation and device lifecycle management.

| Feature | Auth Key (Pre‑auth) | Node Key |
|---------|---------------------|-----------|
| Purpose | Join new devices | Authenticate existing device |
| Expiry control | User‑configurable | Automatic (24h rotation) |
| Default expiry | 30 days | N/A (rotates) |
| Max expiry | 1 year (reusable) | N/A |
| Can revoke manually? | Yes | No (revoke node instead) |
| Affects existing nodes? | No | Yes (if revoked, node loses access) |

Go to → Keys. Each listed key shows:

These are used to register new devices to your tailnet. They have a maximum lifespan of 90 days and cannot have their expiry disabled. However, once a device is registered, it uses its own node key.
