diff --git a/hscontrol/db/db.go b/hscontrol/db/db.go
index cdc84501..14b72767 100644
--- a/hscontrol/db/db.go
+++ b/hscontrol/db/db.go
@@ -734,6 +734,20 @@ AND auth_key_id NOT IN (
 },
 Rollback: func(db *gorm.DB) error { return nil },
 },
+ // Migrate preauthkey table to make users and tags optional.
+ // Use prefix+hash for keys.
+ {
+ ID: "202505231615-preauthkey-user-optional-tags-user",
+ Migrate: func(tx *gorm.DB) error {
+ err = tx.AutoMigrate(&types.PreAuthKey{})
+ if err != nil {
+ return fmt.Errorf("automigrating types.PreAuthKey: %w", err)
+ }
+
+ return nil
+ },
+ Rollback: func(db *gorm.DB) error { return nil },
+ },
 },
 )
diff --git a/hscontrol/types/preauth_key.go b/hscontrol/types/preauth_key.go
index 3e4441dd..3c252d74 100644
--- a/hscontrol/types/preauth_key.go
+++ b/hscontrol/types/preauth_key.go
@@ -9,19 +9,30 @@ import (
 // PreAuthKey describes a pre-authorization key usable in a particular user.
 type PreAuthKey struct {
- ID uint64 `gorm:"primary_key"`
- Key string
- UserID uint
- User User `gorm:"constraint:OnDelete:SET NULL;"`
+ ID uint64 `gorm:"primary_key"`
+
+ // Old Key, for backwards compatibility
+ Key string
+
+ // Encrypted key
+ Prefix string
+ Hash []byte
+
 Reusable bool
 Ephemeral bool `gorm:"default:false"`
 Used bool `gorm:"default:false"`
+ // UserID if set, is the owner of the key.
+ // If a node is authenticated with this key, the node
+ // is assigned to this user.
+ UserID *uint `sql:"DEFAULT:NULL"`
+ User *User
+
 // Tags are always applied to the node and is one of
 // the sources of tags a node might have. They are copied
 // from the PreAuthKey when the node logs in the first time,
 // and ignored after.
- Tags []string `gorm:"serializer:json"`
+ Tags []string `gorm:"column:tags;serializer:json"`
 CreatedAt *time.Time
 Expiration *time.Time
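Review bot: The migration body only calls `AutoMigrate`, so rows that already exist keep their secret in the plaintext `Key` column with empty `Prefix` and `Hash`; the comment `Use prefix+hash for keys` reads as if stored keys were converted. I would word it as `// Adds the prefix and hash columns; keys created before this migration stay in the legacy plaintext key column.` so operators know that old keys have to be rotated before the plaintext leaves the database. In the same closure `err = tx.AutoMigrate(...)` assigns to a variable declared outside the hunk; `if err := tx.AutoMigrate(&types.PreAuthKey{}); err != nil {` keeps the error local to this step. The enclosing migration list starts and ends outside the hunk.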
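Review bot: The comment `// Encrypted key` above `Prefix` and `Hash` describes a hash as encryption, and it does not say what is hashed or with which algorithm. Something like `// Prefix is the non-secret lookup part of the key; Hash is the hash of the secret part.` would be accurate, if that is how the two fields are used (the code that fills them is not in this diff). The legacy `Key` field still holds the plaintext, so its comment should say that it is secret and for how long it is kept. The `sql:"DEFAULT:NULL"` tag on `UserID` is probably not read by gorm v2, where the pointer type already makes the column nullable, and dropping `constraint:OnDelete:SET NULL` from `User` changes what happens to keys when their user is deleted; both are worth confirming against the generated schema.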
@@ -48,3 +59,16 @@ func (key *PreAuthKey) Proto() *v1.PreAuthKey {
 return &protoKey
 }
+
+// IsTagged reports if a key is tagged.
+func (key *PreAuthKey) IsTagged() bool {
+ if key.Tags == nil {
+ return false
+ }
+
+ if len(key.Tags) > 0 {
+ return true
+ }
+
+ return false
+}
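Review bot: The nil check in `IsTagged` is redundant because `len` of a nil slice is 0, so the body reduces to `return len(key.Tags) > 0`. With `UserID` now optional, this method presumably decides whether a node is owned by tags or by a user, so the doc comment should pin the edge case: `// IsTagged reports whether the key carries at least one tag; a nil or empty Tags slice is untagged.` Nothing in this diff rejects a key that has neither a user nor tags, which would be worth validating where keys are created.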