Enrolment Keys
Securely onboard devices and streamline enrollment
Overview
Enrolment keys are used to securely authenticate and onboard devices into your networks. Each key defines which network a device may join and provides a controlled way to automate provisioning at scale.
The Keys page centralizes the management of all enrollment keys across your tenant, allowing administrators to review, create, rotate, disable, or delete keys as needed.
Auto Generated Keys
When a new network is created in Netmaker, the platform automatically generates a default enrolment key for that network. This ensures that each network is immediately ready for device onboarding without requiring any manual configuration.
These keys inherit the network’s name and appear in the key list, for example:
- IoT Network
- Netmaker
- Private Mesh
- Turbo Link
- Zero Path
Auto-generated keys are:
- Pre-linked to their respective networks
- Valid by default
- Configured with unlimited expiration
Managing Keys
Creating a Custom Key
You may create additional keys to support use cases such as:
- Temporary contractor access – Issue time-bound keys that expire automatically
- Short-lived staging environments – Create limited-use keys for testing and development
- Separate keys per team or device group – Organize enrolment by department or function
- Multi-network access – Generate a single key that grants access to multiple networks simultaneously
- Auto-tagging devices – Automatically apply tags to devices during enrolment for easier organization and policy management
- Auto-relay configuration – Enable automatic gateway selection to relay traffic for devices behind restrictive firewalls or NAT
To create a new key:
- Navigate to the Keys interface
- Click Create Key
- Enter a descriptive Name for the key
- Select the Type:
  - Unlimited – Key can be used without restrictions
  - Limited number of uses – Key can only enroll a specific number of devices
  - Time bound – Key is only valid until a specific date and time
- Choose the target Network(s) – Select one or multiple networks devices can join
- (Optional) Enable Auto-select Gateway to automatically assign the best available gateway
- (Optional) Select a specific Gateway for devices using this key
- (Optional) Assign Tags that will be automatically applied to all devices enrolled with this key
- Click Create Key and securely distribute the key to authorized devices
Keys that provide access to multiple networks or include pre-configured tags streamline device provisioning and reduce manual configuration overhead.
Editing Keys
Administrators can modify any key—including auto-generated ones—at any time. Permitted modifications are limited to Auto-select Gateway settings and Tags.
Revoking Access
Keys can be deleted instantly. Expired keys cannot be used for new device enrollments.
Best Practices
- Apply expiration dates for temporary deployments such as contractor projects or staging environments
- Immediately delete keys that are no longer needed or may be compromised to prevent unauthorized access
- Leverage tags for automatic device organization to streamline management and policy enforcement
- Maintain an audit trail by documenting key creation, distribution, and recipients
- Share keys through secure channels like password managers or encrypted communication, not email or chat
- Use descriptive naming conventions that indicate purpose, team, and time period at a glance
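A periodic review of the key list against these practices can be scripted. The following is an added example, not Netmaker code: the record layout, field names and finding labels are assumptions that mirror the options on the Create Key form, and the inventory is constructed sample data.

```python
from datetime import datetime, timezone

# Constructed sample inventory. The record layout is hypothetical: it mirrors
# the options on the Create Key form, not Netmaker's API schema.
SAMPLE_KEYS = [
    {"name": "IoT Network", "type": "unlimited", "networks": ["iot-network"],
     "expires": None, "uses_remaining": None, "tags": []},
    {"name": "contractor-acme-2025Q1", "type": "time_bound",
     "networks": ["private-mesh"], "expires": "2025-03-31T23:59:00+00:00",
     "uses_remaining": None, "tags": ["contractor"]},
    {"name": "staging-ci", "type": "limited_uses",
     "networks": ["staging", "private-mesh"], "expires": None,
     "uses_remaining": 0, "tags": []},
    {"name": "ops-laptops-2025H2", "type": "time_bound",
     "networks": ["private-mesh"], "expires": "2025-12-31T23:59:00+00:00",
     "uses_remaining": None, "tags": ["ops"]},
]


def audit_key(key, now):
    """Return review findings for one key record (empty list = nothing to do)."""
    findings = []
    if key["type"] == "unlimited":
        findings.append("unlimited")      # never ages out; confirm it is still needed
    if key["type"] == "time_bound" and datetime.fromisoformat(key["expires"]) <= now:
        findings.append("expired")        # unusable for new enrolments; delete
    if key["type"] == "limited_uses" and key["uses_remaining"] == 0:
        findings.append("exhausted")      # no uses left; delete
    if len(key["networks"]) > 1:
        findings.append("multi-network")  # one leaked key reaches several networks
    if not key["tags"]:
        findings.append("untagged")       # enrolled devices get no automatic tags
    return findings


def audit(keys, now):
    """Map key name -> findings, listing only keys that need attention."""
    report = {}
    for key in keys:
        findings = audit_key(key, now)
        if findings:
            report[key["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_KEYS, datetime.now(timezone.utc)).items():
        print(f"{name}: {', '.join(findings)}")
```

Keeping each run's output alongside the record of who received which key gives the audit trail a dated snapshot to compare against.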