From 9c3a420e158e32e8dcfa8b63a0794d4296d9abe7 Mon Sep 17 00:00:00 2001
From: Alex Chan <alexc@tailscale.com>
Date: Mon, 22 Dec 2025 13:38:13 +0000
Subject: [PATCH] cmd/tailscale/cli: document why there's no --force-reauth on
 login

Change-Id: Ied799fefbbb4612c7ba57b8369a418b7704eebf8
Updates #18273
Signed-off-by: Alex Chan <alexc@tailscale.com>
---
 cmd/tailscale/cli/up.go | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/cmd/tailscale/cli/up.go b/cmd/tailscale/cli/up.go
index 2a3cbf75a..d6971a681 100644
--- a/cmd/tailscale/cli/up.go
+++ b/cmd/tailscale/cli/up.go
@@ -137,6 +137,9 @@ func newUpFlagSet(goos string, upArgs *upArgsT, cmd string) *flag.FlagSet {
 		// Some flags are only for "up", not "login".
 		upf.BoolVar(&upArgs.json, "json", false, "output in JSON format (WARNING: format subject to change)")
 		upf.BoolVar(&upArgs.reset, "reset", false, "reset unspecified settings to their default values")
+
+		// There's no --force-reauth flag on "login" because all login commands
+		// trigger a reauth.
 		upf.BoolVar(&upArgs.forceReauth, "force-reauth", false, "force reauthentication (WARNING: this may bring down the Tailscale connection and thus should not be done remotely over SSH or RDP)")
 		registerAcceptRiskFlag(upf, &upArgs.acceptedRisks)
 	}