From c8c3c9d4a01181d2d82f2338256e0acad14445fb Mon Sep 17 00:00:00 2001
From: Kristoffer Dalby
Date: Wed, 7 Jan 2026 15:31:28 +0100
Subject: [PATCH] hscontrol: allow CreatePreAuthKey without user when tags provided
Handle case where user is 0 in gRPC layer to support tags-only auth keys.
---
 hscontrol/db/preauth_keys.go | 2 +-
 hscontrol/grpcv1.go | 12 ++++++++----
 2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/hscontrol/db/preauth_keys.go b/hscontrol/db/preauth_keys.go
index a7b848c7..c5904353 100644
--- a/hscontrol/db/preauth_keys.go
+++ b/hscontrol/db/preauth_keys.go
@@ -160,7 +160,7 @@ func (hsdb *HSDatabase) ListPreAuthKeys() ([]types.PreAuthKey, error) {
 })
 }
-// ListPreAuthKeys returns the list of PreAuthKeys for a user.
+// ListPreAuthKeys returns all PreAuthKeys in the database.
 func ListPreAuthKeys(tx *gorm.DB) ([]types.PreAuthKey, error) {
 var keys []types.PreAuthKey
diff --git a/hscontrol/grpcv1.go b/hscontrol/grpcv1.go
index f928fde2..3a862679 100644
--- a/hscontrol/grpcv1.go
+++ b/hscontrol/grpcv1.go
@@ -161,13 +161,17 @@ func (api headscaleV1APIServer) CreatePreAuthKey(
 }
 }
- user, err := api.h.state.GetUserByID(types.UserID(request.GetUser()))
- if err != nil {
- return nil, err
+ var userID *types.UserID
+ if request.GetUser() != 0 {
+ user, err := api.h.state.GetUserByID(types.UserID(request.GetUser()))
+ if err != nil {
+ return nil, err
+ }
+ userID = user.TypedID()
 }
 preAuthKey, err := api.h.state.CreatePreAuthKey(
- user.TypedID(),
+ userID,
 request.GetReusable(),
 request.GetEphemeral(),
 &expiration,
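Review bot: In the `hscontrol/grpcv1.go` hunk, a request with `request.GetUser() == 0` now skips the user lookup and passes a nil `userID` to `CreatePreAuthKey`, but nothing visible here checks that tags were actually supplied, which is the condition the commit title names. Before this change an unset user failed in `GetUserByID`; now a client that simply omits the field may receive a key with neither an owner nor tags, unless `state.CreatePreAuthKey` rejects that combination (not visible in this patch). I would make the precondition explicit at the API boundary, for example `if request.GetUser() == 0 && len(request.GetAclTags()) == 0 { return nil, status.Error(codes.InvalidArgument, "user or tags required") }`, assuming the tag accessor on this request is `GetAclTags()` and that `status` and `codes` are already imported in the file. A comment such as `// user 0 is the proto3 zero value and means "no owner"; valid only for tags-only keys` above the new `if` would also record why 0 is treated as a sentinel. The handler's body starts and ends outside the hunk, so the tag validation earlier in the function could not be checked.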