Tailscale Key Expiry Page

Revoked keys immediately stop working for new node registrations.

These identify a specific machine on your tailnet. These are the keys that typically expire every 180 days by default, requiring user reauthentication.

# Generate a key expiring in 72 hours
tailscale auth-key --valid-for 72h

Devices that are assigned a tag (like tag:server) have key expiry disabled by default. This is because tagged devices are viewed as infrastructure rather than personal user devices.

3. Recovering from Expiration

tailscale auth-key --reusable --valid-for 8760h

Go to → Keys. Each listed key shows:

To rotate Tailscale keys:

Invalid auth key: key expired

You can generate a key with custom expiry using the tailscale auth-key command:

# Generate a key expiring in 72 hours

If a node key expires, the device loses all connectivity to the tailnet until it is manually re-authenticated.

2. Disabling Key Expiry