[Feature] Pre-auth keys without user binding & group tagged devices #895

New Issue

adam · 2025-12-29T02:25:33+01:00

adam commented

2025-12-29 02:25:33 +01:00

Originally created by @alirezamirsepassi on GitHub (Jan 5, 2025).

Use case

It would be super helpful if we could create pre-auth keys without having to bind them to a specific user. This would make the setup process a lot more flexible and align with how Tailscale does it. Sometimes, you just want to provision devices without worrying about assigning them to users upfront.

Also, in the interface, it’d be awesome to have all tagged devices grouped under a "Tagged Devices" section. This would make things much cleaner and easier to navigate, especially when you’re managing a lot of nodes. It just feels like a natural way to organize them.

Description

Pre-auth keys without user binding: Add a way to generate pre-auth keys that don’t require a user assignment. This gives more freedom when onboarding devices, especially for shared or temporary setups.
Group tagged devices: Update the interface to show a dedicated "Tagged Devices" section. It’s a small change, but it would make finding and managing tagged devices so much simpler.

Contribution

I can write the design doc for this feature
I can contribute this feature

How can it be implemented?

For pre-auth keys: Update the backend logic and the database schema so keys can be created without linking them to a user.
For grouping tagged devices: In the function that returns the user profile, check if the node is tagged; if so, use "Tagged Devices" as DisplayName

Originally created by @alirezamirsepassi on GitHub (Jan 5, 2025). ### Use case It would be super helpful if we could create pre-auth keys without having to bind them to a specific user. This would make the setup process a lot more flexible and align with how Tailscale does it. Sometimes, you just want to provision devices without worrying about assigning them to users upfront. Also, in the interface, it’d be awesome to have all tagged devices grouped under a "Tagged Devices" section. This would make things much cleaner and easier to navigate, especially when you’re managing a lot of nodes. It just feels like a natural way to organize them. ### Description 1. **Pre-auth keys without user binding**: Add a way to generate pre-auth keys that don’t require a user assignment. This gives more freedom when onboarding devices, especially for shared or temporary setups. 2. **Group tagged devices**: Update the interface to show a dedicated "Tagged Devices" section. It’s a small change, but it would make finding and managing tagged devices so much simpler. ### Contribution - [ ] I can write the design doc for this feature - [ ] I can contribute this feature ### How can it be implemented? - For pre-auth keys: Update the backend logic and the database schema so keys can be created without linking them to a user. - For grouping tagged devices: In the function that returns the user profile, check if the node is tagged; if so, use "Tagged Devices" as DisplayName

adam added the enhancement no-stale-bot policy 📝tags labels 2025-12-29 02:25:33 +01:00

adam closed this issue

2025-12-29 02:25:33 +01:00

adam commented

2025-12-29 02:25:33 +01:00

@kradalby commented on GitHub (Jan 6, 2025):

Sounds related/overlapping to #1369

@kradalby commented on GitHub (Jan 6, 2025): Sounds related/overlapping to #1369

adam commented

2025-12-29 02:25:34 +01:00

@kradalby commented on GitHub (May 7, 2025):

While tags has not been focused on in this release, it might have been touched up and I would be grateful to hear feedback if the current beta changed anything for this issue.

@kradalby commented on GitHub (May 7, 2025): While tags has not been focused on in this release, it might have been touched up and I would be grateful to hear feedback if the current beta changed anything for this issue.

adam commented

2025-12-29 02:25:34 +01:00

@kradalby commented on GitHub (May 16, 2025):

Pre-auth keys without user binding: Add a way to generate pre-auth keys that don’t require a user assignment. This gives more freedom when onboarding devices, especially for shared or temporary setups.

We will make it so when you create a pre auth key it is either attached to a user (if no tags are given) or a tag. When a device is tagged, it will not be associated with a user.

@kradalby commented on GitHub (May 16, 2025): > Pre-auth keys without user binding: Add a way to generate pre-auth keys that don’t require a user assignment. This gives more freedom when onboarding devices, especially for shared or temporary setups. We will make it so when you create a pre auth key it is _either_ attached to a user (if no tags are given) or a tag. When a device is tagged, it will not be associated with a user.

adam commented

2025-12-29 02:25:34 +01:00

@kradalby commented on GitHub (Dec 11, 2025):

Changes to separate the tags from users has been merged into main in #2885 and #2931. I will encourage you to help testing this if you are able to build main and run it.

I will close this to track progress, but there might still be bugs and the likes related to this change. As part of hardening this feature, we are tracking all related tags bugs over time in v0.28.0 milestone.

@kradalby commented on GitHub (Dec 11, 2025): Changes to separate the tags from users has been merged into `main` in #2885 and #2931. I will encourage you to help testing this if you are able to build `main` and run it. I will close this to track progress, but there might still be bugs and the likes related to this change. As part of hardening this feature, we are tracking all related tags bugs over time in [v0.28.0 milestone](https://github.com/juanfont/headscale/milestone/13).

adam referenced this issue

2025-12-29 02:31:25 +01:00

[PR #895] [MERGED] Simplify code around latest state change map updates #1715

Sign in to join this conversation.

Branches Tags

main

update_flake_lock_action

gh-pages

kradalby/release-v0.27.2

dependabot/go_modules/golang.org/x/crypto-0.45.0

dependabot/go_modules/github.com/opencontainers/runc-1.3.3

copilot/investigate-headscale-issue-2788

copilot/investigate-visibility-issue-2788

copilot/investigate-issue-2833

copilot/debug-issue-2846

copilot/fix-issue-2847

dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0

dependabot/go_modules/github.com/docker/docker-28.3.3incompatible

kradalby/cli-experiement3

doc/0.26.1

doc/0.25.1

doc/0.25.0

doc/0.24.3

doc/0.24.2

doc/0.24.1

doc/0.24.0

kradalby/build-docker-on-pr

topic/docu-versioning

topic/docker-kos

juanfont/fix-crash-node-id

juanfont/better-disclaimer

update-contributors

topic/prettier

revert-1893-add-test-stage-to-docs

add-test-stage-to-docs

remove-node-check-interval

fix-empty-prefix

fix-ephemeral-reusable

bug_report-debuginfo

autogroups

logs-to-stderr

revert-1414-topic/fix_unix_socket

rename-machine-node

port-embedded-derp-tests-v2

port-derp-tests

duplicate-word-linter

update-tailscale-1.36

warn-against-apache

ko-fi-link

more-acl-tests

fix-typo-standalone

parallel-nolint

tparallel-fix

rerouting

ssh-changelog-docs

oidc-cleanup

web-auth-flow-tests

kradalby-gh-runner

fix-proto-lint

remove-funding-links

go-1.19

enable-1.30-in-tests

0.16.x

cosmetic-changes-integration

tmp-fix-integration-docker

fix-integration-docker

configurable-update-interval

show-nodes-online

hs2021

acl-syntax-fixes

ts2021-implementation

fix-spurious-updates

unstable-integration-tests

mandatory-stun

embedded-derp

prtemplate-fix

1 Participants

Notifications

Due Date

No due date set.

Dependencies

No dependencies set.

Reference: starred/headscale#895