Tailscale Key Expiry
For "set-and-forget" systems like servers, subnet routers, or remote IoT devices, you can permanently disable key expiry so they never require manual reauthentication. Go to the page in the Admin Console. Locate the specific device.
If a remote device's key has already expired and you have lost access, Tailscale provides a "safety valve":
Devices that are assigned a tag (like tag:server) have key expiry disabled by default. This is because tagged devices are viewed as infrastructure rather than personal user devices.
3. Recovering from Expiration
By understanding and actively managing , you can significantly improve your tailnet's security posture while enabling smooth automation and device lifecycle management.
No. Tailscale SSH uses separate node keys and ephemeral certificates (default 2‑hour expiry). Auth keys are only for joining nodes.
By default, new Tailscale domains have a node key expiry of .
These identify a specific machine on your tailnet. These are the keys that typically expire every 180 days by default, requiring user reauthentication.
By following these guidelines, administrators can effectively manage Tailscale key expiry and maintain a secure network.
Admins can grant a 30-minute extension to an expired device from the Machines page.