# Keys

## **Overview**

Enrollment keys are used to securely authenticate and onboard devices into your networks. Each key defines which network a device may join and provides a controlled way to automate provisioning at scale.

The **Keys** page centralizes the management of all enrollment keys across your tenant, allowing administrators to review, create, rotate, disable, or delete keys as needed.

***

## **Auto Generated Keys**

When a new network is created in Netmaker, the platform automatically generates a default enrollment key for that network. This ensures that each network is immediately ready for device onboarding without requiring any manual configuration.

![](/files/wTwJ6UupDs3WCjfs2oYP)

These keys inherit the network’s name, so they appear in the list under names such as:

* **IoT Network**
* **Netmaker**
* **Private Mesh**
* **Turbo Link**
* **Zero Path**

Auto-generated keys are:

* **Pre-linked to their respective networks**
* **Valid by default**
* **Configured with unlimited expiration**

## Default Enrollment Keys

Enrollment keys are used by devices to join a network via the Netclient. Administrators can assign a **Default Enrollment Key** to each network to streamline and standardize device onboarding.

Each network can have **only one Default Enrollment Key at a time**. When set, this key is automatically used for device enrollment into that network unless another key is explicitly selected during the enrollment process.

When a Default Enrollment Key is configured, it **replaces the use of Auto Generated Keys as the default onboarding method** for that network, ensuring consistent and controlled provisioning behavior.

#### Key capabilities

* Each network supports only **one default enrollment key**
* Overrides Auto Generated Keys as the default onboarding mechanism for that network
* Automatically used for device enrollment unless another key is explicitly selected
* Administrators can change the default key at any time by selecting a different key
* Key tokens can be regenerated without recreating the key, maintaining continuity while improving security

#### Example

**Set as Default**

Use this action to designate a key as the default enrollment key for a network.

<figure><img src="/files/disjzHJG3QiMjeKNsFlJ" alt=""><figcaption></figcaption></figure>

## Key Token Regeneration

Administrators can regenerate a key’s token without recreating the key itself. This allows the existing key configuration (network assignment, settings, tags, and permissions) to remain unchanged while issuing a new secure token for device enrollment.

This is useful for maintaining continuity in deployments while rotating credentials for security or operational reasons.

#### How to regenerate a token

To regenerate a key token, open the desired key and click **Regenerate token**.

<figure><img src="/files/qKswQ2OirGvFvtE2vQn9" alt=""><figcaption></figcaption></figure>

Administrators can also regenerate a key token from the key list. Locate the desired key, click the **More (⋮) menu**, then select **Regenerate token**.

<figure><img src="/files/UCJkF1jRqolx4e8vMh9F" alt=""><figcaption></figcaption></figure>

#### Key capabilities

* Regenerate key tokens without modifying the key configuration
* Preserve all existing settings, including networks, tags, and restrictions
* Maintain continuity for existing workflows while improving security
* Useful for credential rotation and incident response scenarios

## Managing Keys

### Creating a Custom Key

You may create additional keys to support use cases such as:

* **Temporary contractor access** – Issue time-bound keys that expire automatically
* **Short-lived staging environments** – Create limited-use keys for testing and development
* **Separate keys per team or device group** – Organize enrollment by department or function
* **Multi-network access** – Generate a single key that grants access to multiple networks simultaneously
* **Auto-tagging devices** – Automatically apply tags to devices during enrollment for easier organization and policy management
* **Auto-relay configuration** – Enable automatic gateway selection to relay traffic for devices behind restrictive firewalls or NAT

To create a new key:

{% stepper %}
{% step %}

### Navigate to the Keys interface

![](/files/3IeR6Wbw40dqjEAcPdqU)
{% endstep %}

{% step %}

### Click Create Key

{% endstep %}

{% step %}

### Enter a descriptive Name for the key

{% endstep %}

{% step %}

### Select the Type

* **Unlimited** – Key can be used without restrictions
* **Limited number of uses** – Key can only enroll a specific number of devices
* **Time bound** – Key is only valid until a specific date and time
  {% endstep %}

{% step %}

### Choose the target Network(s)

Select one or more networks that devices can join with this key.

<figure><img src="/files/VaYHoX92a8X5KST9vltR" alt=""><figcaption></figcaption></figure>
{% endstep %}

{% step %}

### (Optional) Enable Auto-select Gateway

Automatically assign the best available gateway.

![](/files/F12yeezGzBpleJZUQ10j)
{% endstep %}

{% step %}

### (Optional) Select a specific Gateway

Assign a specific gateway for devices using this key.

![](/files/08FaJlJZIw0fmerdwXHq)
{% endstep %}

{% step %}

### (Optional) Assign Tags

Tags will be automatically applied to all devices enrolled with this key.

![](/files/4l3f6G3V95VD7XouTAuh)
{% endstep %}

{% step %}

### Create the key and distribute securely

Click **Create Key**, then distribute the key securely to authorized devices.

Keys that provide access to multiple networks or include pre-configured tags streamline device provisioning and reduce manual configuration overhead.
{% endstep %}
{% endstepper %}

### Editing Keys

Administrators can modify any key, including auto-generated ones, at any time. Permitted modifications are limited to **Gateways**, **Auto-select Gateway**, and **Tags**.

<figure><img src="/files/CkXHT8P3UpCmbuKv7vAB" alt=""><figcaption></figcaption></figure>

### Revoking Access

Keys can be deleted instantly. Expired keys cannot be used for new device enrollments.

<figure><img src="/files/5QF2jGtibrh1jf652xNW" alt=""><figcaption></figcaption></figure>

## Best Practices

Follow these best practices to manage enrollment keys effectively.

* **Apply expiration dates for temporary deployments** such as contractor projects or staging environments
* **Immediately delete keys that are no longer needed or may be compromised** to prevent unauthorized access
* **Leverage tags for automatic device organization** to streamline management and policy enforcement
* **Periodically regenerate key tokens** to reduce exposure risk and enforce credential hygiene
* **Share keys through secure channels** like password managers or encrypted communication, not email or chat
* **Use descriptive naming conventions** that indicate purpose, team, and time period at a glance
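
The practices above can be checked mechanically against a key inventory. The following is an added example, not part of Netmaker's documentation or API: the record layout, field names, sample keys, and the 90-day token age are all assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed inventory. Field names are hypothetical, not Netmaker's schema.
SAMPLE_KEYS = [
    {"name": "IoT Network", "type": "unlimited", "networks": ["iot-network"],
     "token_issued": "2024-01-10T00:00:00+00:00"},
    {"name": "contractor-acme-2025Q1", "type": "time_bound",
     "networks": ["private-mesh"], "expires": "2025-03-31T23:59:00+00:00",
     "token_issued": "2025-01-02T00:00:00+00:00"},
    {"name": "staging-ci", "type": "limited_uses", "networks": ["turbo-link"],
     "uses_remaining": 0, "token_issued": "2025-05-01T00:00:00+00:00"},
    {"name": "ops-all", "type": "unlimited",
     "networks": ["netmaker", "zero-path"],
     "token_issued": "2025-05-20T00:00:00+00:00"},
    {"name": "team-eng-2025", "type": "time_bound", "networks": ["netmaker"],
     "expires": "2025-12-31T23:59:00+00:00",
     "token_issued": "2025-05-15T00:00:00+00:00"},
]


def audit_keys(keys, now, max_token_age=timedelta(days=90)):
    """Return {key name: [findings]} for keys that need attention."""
    report = {}
    for key in keys:
        kind, findings = key["type"], []
        if kind == "time_bound":
            if datetime.fromisoformat(key["expires"]) <= now:
                findings.append("expired: delete")
        elif kind == "limited_uses":
            if key.get("uses_remaining", 0) <= 0:
                findings.append("no uses left: delete")
        elif kind == "unlimited":
            if len(key["networks"]) > 1:
                findings.append("unlimited and multi-network: restrict")
        else:
            findings.append("unknown key type: review")
        # Rotation advice only matters for keys that can still enroll devices.
        still_usable = not any(f.endswith("delete") for f in findings)
        issued = datetime.fromisoformat(key["token_issued"])
        if still_usable and now - issued > max_token_age:
            findings.append("token older than policy: regenerate")
        if findings:
            report[key["name"]] = findings
    return report


if __name__ == "__main__":
    as_of = datetime(2025, 6, 1, tzinfo=timezone.utc)  # constructed audit date
    for name, findings in audit_keys(SAMPLE_KEYS, as_of).items():
        print(f"{name}: {'; '.join(findings)}")
```
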

