Get started · 2 minutes

Quickstart

Go from an empty dashboard to 100 connected devices in under 2 minutes, if you have an MDM or Ansible inventory ready. This page walks through signup, issuing an auth key, the one-line install command, verification, and basic ACL / posture / SSO hardening.

Post-quantum on every plan: every WireGuard tunnel, free or paid, uses hybrid X25519 + ML-KEM-768 key exchange. You don't need to enable anything. Harvest-now-decrypt-later attacks fail by default.

1. Sign up

Head to login.quickztna.com/auth and sign up with email + password, GitHub / Google OAuth, or SSO (if your org already has an OIDC / SAML tenant configured).

You'll land on an empty dashboard under <your-slug>.zt.net. The first account in an org is automatically promoted to owner.

$ curl https://login.quickztna.com/api/auth/signup \
    -H "Content-Type: application/json" \
    -d '{
      "email": "you@company.com",
      "password": "Str0ngP@ssw0rd!",
      "full_name": "Your Name"
    }'

2. Issue a reusable auth key

An auth key (tskey-auth-<random>) is the credential the ztna agent uses to enrol devices. One reusable key covers a 100-device rollout.

$ curl https://login.quickztna.com/api/key-management \
    -H "Authorization: Bearer $QZ_API_KEY" \
    -H "Content-Type: application/json" \
    -d '{
      "action": "create_auth_key",
      "org_id": "org_...",
      "reusable": true,
      "expires_in": 3600,
      "tags": ["tag:laptop", "tag:prod"]
    }'

# 1. Go to https://login.quickztna.com/auth and sign in
# 2. Settings → API Keys → Auth Keys
# 3. Click "Create Auth Key"
#    - Reusable: yes
#    - Ephemeral: no
#    - Expiry: 1 hour
#    - Tags: tag:laptop, tag:prod
# 4. Copy the key — format: tskey-auth-<random>

Auth keys are bearer credentials: treat them like passwords. Set a short expiry (1 hour for rollouts), and revoke the key from the same page once the rollout completes. Machines enrolled with the key remain authenticated via their node_key.

3. Install the agent everywhere

Pipe the installer to a shell with ZTNA_AUTH_KEY set as an environment variable. The installer detects OS/arch, downloads the correct binary from /api/releases/*, installs a system service, runs ztna login --auth-key $ZTNA_AUTH_KEY, and brings the tunnel up.

Shell (install.sh):

$ curl -fsSL https://login.quickztna.com/install.sh \
    | ZTNA_AUTH_KEY=tskey-auth-xxx sh

PowerShell (install.ps1):

PS> $env:ZTNA_AUTH_KEY="tskey-auth-xxx"
PS> irm https://login.quickztna.com/install.ps1 | iex

Ansible task:

- name: Install QuickZTNA
  shell: curl -fsSL https://login.quickztna.com/install.sh | ZTNA_AUTH_KEY={{ ztna_key }} sh
  environment:
    ZTNA_AUTH_KEY: "{{ ztna_key }}"

cloud-init user data:

#cloud-config
runcmd:
  - curl -fsSL https://login.quickztna.com/install.sh | ZTNA_AUTH_KEY=tskey-auth-xxx sh

Parallel rollout completes in about the time it takes for 100 simultaneous downloads. Each device handshakes with the control plane, receives its tailnet IP (100.64.x.x) and MagicDNS name (<host>.<org>.zt.net), and joins the mesh.

4. Verify the mesh

Open the dashboard's Machines view. You should see 100 entries with green heartbeats. From any enrolled device:

$ ztna status
● connected — quantum-safe
  tailnet: acme.zt.net
  ip:      100.64.1.7
  peers:   99 online · 0 offline

$ ztna peers
laptop-prod-01   100.64.1.7   self · tag:laptop
db-primary       100.64.1.12  tag:prod-server · 4.2ms direct
ci-runner-03     100.64.1.18  tag:ci · 38ms direct
eu-edge-07       100.64.1.31  tag:edge · via derp-lon
... 96 more

$ ztna ping db-primary
PING db-primary.acme.zt.net: 4.2ms / 4.5ms / 4.9ms (direct, PQC)
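
One way to script this check after a rollout, as an added example (not QuickZTNA's own code): it parses the ztna peers output shown above and compares it with the inventory the auth key was issued for. The column layout is assumed from the sample output; the host build-host-09 and the function names parse_peers and audit are hypothetical.

```python
import re

# Constructed sample: the `ztna peers` output shown on this page.
SAMPLE = """\
laptop-prod-01   100.64.1.7   self · tag:laptop
db-primary       100.64.1.12  tag:prod-server · 4.2ms direct
ci-runner-03     100.64.1.18  tag:ci · 38ms direct
eu-edge-07       100.64.1.31  tag:edge · via derp-lon
... 96 more
"""

# Assumed layout: <host> <tailnet IP> <fields separated by " · ">
PEER = re.compile(r"^(\S+)\s+(100\.\d+\.\d+\.\d+)\s+(.+)$")
MORE = re.compile(r"^\.\.\. (\d+) more$")

def parse_peers(text):
    """Return ({host: info}, number of rows the CLI elided)."""
    peers, elided = {}, 0
    for raw in text.splitlines():
        line = raw.strip()
        if (m := MORE.match(line)):
            elided = int(m.group(1))
        elif (m := PEER.match(line)):
            host, ip, rest = m.groups()
            fields = [f.strip() for f in rest.split("·")]
            peers[host] = {
                "ip": ip,
                "tags": [f for f in fields if f.startswith("tag:")],
                "relay": next((f[4:] for f in fields if f.startswith("via ")), None),
            }
    return peers, elided

def audit(text, expected_hosts):
    """Compare enrolled peers with the inventory the auth key was meant for."""
    peers, elided = parse_peers(text)
    return {
        # In the inventory but not listed (only conclusive when elided == 0).
        "missing": sorted(set(expected_hosts) - set(peers)),
        # Enrolled but not in the inventory: a reusable key enrols any holder.
        "unexpected": sorted(set(peers) - set(expected_hosts)),
        # Peers reached through a DERP relay instead of a direct path.
        "relayed": {h: p["relay"] for h, p in peers.items() if p["relay"]},
        # Peers with no tag, which a tag-scoped ACL rule cannot select.
        "untagged": sorted(h for h, p in peers.items() if not p["tags"]),
        "elided": elided,
    }

if __name__ == "__main__":
    print(audit(SAMPLE, ["laptop-prod-01", "db-primary", "ci-runner-03", "build-host-09"]))
```

An entry under "unexpected" while the reusable key is still valid is a reason to revoke the key early and review the device in the Machines view.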

5. Lock it down with ACL + posture

Out of the box, every enrolled device can reach every other device. Before production, write at least one ACL rule. Use the dashboard UI, the AI assistant (natural language), or Terraform.

ACL rule (JSON):

{
  "name": "laptops-to-prod-business-hours",
  "src": "tag:laptop",
  "dst": "tag:prod-server",
  "proto": "tcp",
  "ports": "22,443,5432",
  "time_hour": "09-18",
  "day_of_week": "mon-fri",
  "source_country": "IN"
}

# Use the AI assistant:
> Laptops can SSH to prod between 9–6 IST on weekdays from India

# Returns the ACL JSON ready to apply.

Terraform:

resource "quickztna_acl_rule" "laptops_prod" {
  name           = "laptops-to-prod-business-hours"
  src            = "tag:laptop"
  dst            = "tag:prod-server"
  proto          = "tcp"
  ports          = "22,443,5432"
  time_hour      = "09-18"
  day_of_week    = "mon-fri"
  source_country = "IN"
}
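
To see which connections the rule above would match before applying it, the following added example (not QuickZTNA's evaluator and not code from this page) checks constructed connections against the rule's fields and reports which conditions fail. Assumptions: every condition must hold, time_hour is start-inclusive and end-exclusive, hours are interpreted in IST as in the assistant prompt, and the names rule_matches, day_set and sample_conn are hypothetical.

```python
import json
from datetime import datetime, timedelta, timezone

# The rule from this page (same fields and values).
RULE = json.loads("""{
  "name": "laptops-to-prod-business-hours",
  "src": "tag:laptop", "dst": "tag:prod-server",
  "proto": "tcp", "ports": "22,443,5432",
  "time_hour": "09-18", "day_of_week": "mon-fri", "source_country": "IN"
}""")

DAYS = ["mon", "tue", "wed", "thu", "fri", "sat", "sun"]
# Assumption: rule hours are IST, as in the assistant prompt on this page.
IST = timezone(timedelta(hours=5, minutes=30))

def day_set(spec):
    """Expand "mon-fri" (or a single day) into a set; ranges may wrap the week."""
    first, _, last = spec.partition("-")
    i, j = DAYS.index(first), DAYS.index(last or first)
    return set(DAYS[i:j + 1]) if i <= j else set(DAYS[i:] + DAYS[:j + 1])

def rule_matches(rule, conn, tz=IST):
    """Return (matched, failed_conditions); all conditions must hold (assumed)."""
    local = conn["when"].astimezone(tz)
    start, end = (int(h) for h in rule["time_hour"].split("-"))
    checks = {
        "src": rule["src"] in conn["src_tags"],
        "dst": rule["dst"] in conn["dst_tags"],
        "proto": rule["proto"] == conn["proto"],
        "ports": conn["port"] in {int(p) for p in rule["ports"].split(",")},
        # Assumption: start hour inclusive, end hour exclusive.
        "time_hour": start <= local.hour < end,
        "day_of_week": DAYS[local.weekday()] in day_set(rule["day_of_week"]),
        "source_country": rule["source_country"] == conn["country"],
    }
    failed = [name for name, ok in checks.items() if not ok]
    return (not failed, failed)

def sample_conn(port, when, country="IN"):
    """Constructed connection from a tagged laptop to a tagged prod server."""
    return {"src_tags": {"tag:laptop"}, "dst_tags": {"tag:prod-server"},
            "proto": "tcp", "port": port, "when": when, "country": country}

if __name__ == "__main__":
    monday = datetime(2024, 1, 8, 4, 0, tzinfo=timezone.utc)  # Monday 09:30 IST
    for port in (22, 5432, 3389):
        print(port, rule_matches(RULE, sample_conn(port, monday)))
```

The rule as written matches ports 443 and 5432 as well as 22, which is broader than the SSH-only wording of the assistant prompt, so compare generated JSON with the intent before applying it.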

Add device posture requirements under Device Security → Posture Policies. Require disk encryption + OS version ≥ 14 before a device can access tagged resources. Non-compliant devices are automatically quarantined and cannot heartbeat until they remediate.

6. Configure SSO + MFA

Once auth keys are revoked, users should sign in via SSO (Okta, Azure AD, Google Workspace, Auth0, or any OIDC / SAML IdP). Dashboard → Admin → SSO.

On paid plans, enable SCIM 2.0 for automated user lifecycle. Enable TOTP MFA from the same page — replay protected with a 90-second used-code cache, 10 backup codes per user.

Troubleshooting

If something doesn't work on the first try, check these in order:

  • Installer hangs — outbound HTTPS (443) to login.quickztna.com and releases.quickztna.com must be allowed.
  • Device shows offline — UDP 3478 (STUN) or WSS 443 (DERP) is blocked. Run ztna netcheck on the device to confirm NAT type and DERP reachability.
  • Auth key rejected — the key is expired or revoked. Issue a new one.
  • Two devices can't reach each other — check the ACLs tab. Default allow is on, but a tag-scoped rule may be restricting the traffic.
  • High latency cross-region — DERP relay fallback is engaged. Fine for most traffic. Direct P2P requires at least one side with reachable UDP.

What's next