Skip to main content
The Infisical Tailscale dynamic secret allows you to generate short-lived Tailscale auth keys, OAuth clients, and federated identities on demand. Each lease creates a new credential in your tailnet, and Infisical automatically revokes it when the lease expires.

Prerequisites

Infisical needs a credential that is allowed to create and revoke keys in your tailnet. You can authenticate with either API access token or OAuth client.
1

Open the Tailscale admin console

Open the Tailscale admin console and select Settings in the top navigation, then open Settings → Keys.Tailscale startTailscale Keys settings
2

Generate an API access token

In the API access tokens section, click Generate access token…, give it a description, set an expiration (up to 90 days), and create the token.Tailscale generate access tokenTailscale access token modalCopy the token and save it for later steps. This token is used by Infisical to create and revoke keys.

Set up Dynamic Secrets with Tailscale

1

Open Secret Overview Dashboard

Open the Secret Overview dashboard and select the environment in which you would like to add a dynamic secret.
2

Click on the 'Add Dynamic Secret' button

Add Dynamic Secret Button
3

Select 'Tailscale'

Dynamic Secret Modal
4

Provide the inputs for dynamic secret parameters

Secret Name
string
required
Name by which you want the secret to be referenced.
Default TTL
string
required
Default time-to-live for a generated lease (e.g. 1h). Must be between 1 minute and 90 days.
Max TTL
string
Maximum time-to-live for a generated lease (e.g. 24h). Must be between 1 minute and 90 days.
Authentication Method
string
required
How Infisical authenticates to the Tailscale API. Choose API Key to use a Tailscale API access token, or OAuth to use an OAuth client’s credentials.
Key Type
string
required
The type of credential to mint on each lease. Choose Auth Key to generate a device auth key, OAuth Client to generate a tailnet OAuth client, or Federated Identity to create a workload identity federation trust. A federated identity returns an identifier and audience rather than a secret. The additional parameters below depend on the key type you select.
API Key
string
required
Required when the authentication method is API Key. The Tailscale API access token with permission to create and revoke keys.
Client ID
string
required
Required when the authentication method is OAuth. The Tailscale OAuth client ID.
Client Secret
string
required
Required when the authentication method is OAuth. The Tailscale OAuth client secret with permission to create and revoke keys.
Tailnet
string
default:"-"
required
The tailnet identifier. Use - for the token owner’s default tailnet, or provide a tailnet name (e.g. example.com).
Description
string
Optional description applied to the created key or OAuth client (max 50 characters).
Tags
string
Comma-separated ACL tags to attach (e.g. tag:ci, tag:prod). Required when the key type is Auth Key and the authentication method is OAuth; optional otherwise.
Reusable
boolean
default:"false"
Whether the auth key can register multiple devices.
Pre-authorized
boolean
default:"false"
Whether devices registered with the key are pre-authorized.
Auth keys are always created as ephemeral. Revoking a lease deletes the corresponding credential in your tailnet, but Tailscale does not remove the devices that already registered with it. Marking the devices ephemeral ensures Tailscale automatically removes them from the tailnet shortly after they go offline, so devices provisioned through a lease are cleaned up without manual intervention.
5

Click `Submit`

After submitting the form, you will see a dynamic secret created in the dashboard.
6

Generate dynamic secrets

Once you’ve successfully configured the dynamic secret, you’re ready to generate on-demand credentials. To do this, simply click on the ‘Generate’ button which appears when hovering over the dynamic secret item. Alternatively, you can initiate the creation of a new lease by selecting ‘New Lease’ from the dynamic secret lease list section.Dynamic SecretDynamic SecretSpecify the Time to Live (TTL) for the lease, then click the Submit button.Provision LeaseOnce you click the Submit button, a new lease will be generated and its values will be shown to you. The values returned depend on the key type:
  • Auth Key: an AUTH_KEY and its KEY_ID.
  • OAuth Client: a CLIENT_ID and CLIENT_SECRET.
  • Federated Identity: a FEDERATED_CREDENTIAL_ID and an AUDIENCE. No secret is issued; the workload authenticates by exchanging its own OIDC token for a short-lived Tailscale token. Dynamic Secret Lease
Copy these values right away. For security reasons, secret values (auth keys and client secrets) are shown only once at creation time and cannot be retrieved again. If the issued credential is a federated identity, you can view its values again in the Tailscale dashboard.

Audit or Revoke Leases

Once you have created one or more leases, you will be able to access them by clicking on the respective dynamic secret item on the dashboard. This will allow you to see the expiration time of the lease or delete a lease before its set time to live. Revoking a lease deletes the corresponding credential in your tailnet. Lease Data

Renew Leases

Tailscale credentials are immutable once created and cannot be renewed. To obtain a fresh credential, generate a new lease instead.