Tailscale Key Expiry May 2026

1 year (8760 hours).

No. Tailscale SSH uses separate node keys and ephemeral certificates (default 2‑hour expiry). Auth keys are only for joining nodes. Summary Table | Feature | Auth Key (Pre‑auth) | Node Key | |---------|---------------------|-----------| | Purpose | Join new devices | Authenticate existing device | | Expiry control | User‑configurable | Automatic (24h rotation) | | Default expiry | 30 days | N/A (rotates) | | Max expiry | 1 year (reusable) | N/A | | Can revoke manually? | Yes | No (revoke node instead) | | Affects existing nodes? | No | Yes (if revoked, node loses access) | By understanding and actively managing Tailscale key expiry , you can significantly improve your tailnet's security posture while enabling smooth automation and device lifecycle management. tailscale key expiry

# Generate a key expiring in 72 hours tailscale auth-key --valid-for 72h tailscale auth-key --reusable --valid-for 2160h Generate a key expiring in 1 year (max) tailscale auth-key --reusable --valid-for 8760h 1 year (8760 hours)

No. The maximum is 1 year. This is enforced by Tailscale. Auth keys are only for joining nodes