diff --git a/make-auth-key/README.md b/make-auth-key/README.md
new file mode 100644
index 0000000..8719486
--- /dev/null
+++ b/make-auth-key/README.md
@@ -0,0 +1,5 @@
+### Make an auth key from an OAuth client
+
+Set the variables at the top of the script to your environment.
+
+This will take an OAuth client ID and Secret, and output a new auth key in a JSON object via a pair of API calls.
\ No newline at end of file
diff --git a/make-auth-key/makeauthkey.sh b/make-auth-key/makeauthkey.sh
new file mode 100755
index 0000000..f0f4a75
--- /dev/null
+++ b/make-auth-key/makeauthkey.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+
+tailnet="tsjustworks.net"
+#read oauth client from files
+oauthsecret=$(<$HOME/keys/${tailnet}.oauth.secret)
+oauthid=$(<$HOME/keys/${tailnet}.oauth.id)
+#tag needs to be supported by the oauth client
+tag="tag:nothing"
+
+#generate api key from oauth client
+apikey=$(curl -sd "client_id=$oauthid" -d "client_secret=$oauthsecret" \
+ "https://api.tailscale.com/api/v2/oauth/token" |jq -j '.access_token' )
+
+#generate auth key with api key
+authkey=$(curl -su $apikey: "https://api.tailscale.com/api/v2/tailnet/$tailnet/keys" \
+ --data-binary '
+{
+ "capabilities": {
+ "devices": {
+ "create": {
+ "reusable": false,
+ "ephemeral": false,
+ "preauthorized": false,
+ "tags": [ "'$tag'" ]
+ }
+ }
+ },
+ "expirySeconds": 86400,
+ "description": "test"
+}'
+)
+
+echo $authkey |jq
\ No newline at end of file
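Review bot: The OAuth client secret and the API token derived from it are handed to curl as command-line arguments in makeauthkey.sh (`-d "client_secret=$oauthsecret"` and `-u $apikey:`), so they are readable from the process list by other local users while the calls run; passing them to curl on stdin with `-K -` keeps them out of argv. Neither curl call uses `-f`, and `jq -j '.access_token'` prints `null` for a JSON error response, so a failed token request still goes on to the second call with `null:` as the credential and the script exits 0; `set -euo pipefail`, `curl -fsS` and `jq -er` would stop at the first failure. `$tag` is also spliced unquoted into the JSON body, which breaks on whitespace or quotes, and building the body with `jq -n --arg` avoids that. The sketch below assumes the secret and token contain no `"` or `\`, which curl's config-file parser treats specially.

```shell
#!/bin/bash
set -euo pipefail

# … unchanged: tailnet, key-file reads and tag assignment …

# credentials reach curl on stdin (-K -), so they never appear in argv
apikey=$(printf 'data = "client_id=%s"\ndata = "client_secret=%s"\n' \
    "$oauthid" "$oauthsecret" \
  | curl -fsS -K - "https://api.tailscale.com/api/v2/oauth/token" \
  | jq -er '.access_token')

# jq escapes $tag into valid JSON instead of splicing it into a quoted string
body=$(jq -n --arg tag "$tag" '{
  capabilities: {devices: {create: {
    reusable: false, ephemeral: false, preauthorized: false, tags: [$tag]
  }}},
  expirySeconds: 86400,
  description: "test"
}')

authkey=$(printf 'user = "%s:"\n' "$apikey" \
  | curl -fsS -K - "https://api.tailscale.com/api/v2/tailnet/$tailnet/keys" \
      --data-binary "$body")

# … unchanged: final echo | jq …
```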