diff --git a/cmd/tailscale/cli/cli.go b/cmd/tailscale/cli/cli.go
index 07c7656df..dca7559cf 100644
--- a/cmd/tailscale/cli/cli.go
+++ b/cmd/tailscale/cli/cli.go
@@ -581,11 +581,11 @@ type sanitizeWriter struct {
 	w io.Writer
 }
 
-var reTskey = regexp.MustCompile(`tskey-\w+`)
+var rxTskey = regexp.MustCompile(`tskey-[\w-]+`)
 
 func (w sanitizeWriter) Write(buf []byte) (int, error) {
-	sanitized := reTskey.ReplaceAll(buf, []byte("tskey-REDACTED"))
-	diff := len(buf) - len(sanitized)
+	sanitized := rxTskey.ReplaceAll(buf, []byte("tskey-REDACTED"))
+	diff := len(sanitized) - len(buf)
 	n, err := w.w.Write(sanitized)
 	return n - diff, err
 }
diff --git a/cmd/tailscale/cli/cli_test.go b/cmd/tailscale/cli/cli_test.go
index 370b730af..ac6a94d52 100644
--- a/cmd/tailscale/cli/cli_test.go
+++ b/cmd/tailscale/cli/cli_test.go
@@ -1799,3 +1799,21 @@ func TestDepsNoCapture(t *testing.T) {
 	}.Check(t)
 
 }
+
+func TestSanitizeWriter(t *testing.T) {
+	buf := new(bytes.Buffer)
+	w := sanitizeOutput(buf)
+
+	in := []byte(`my auth key is tskey-auth-abc123-def456, what's yours?`)
+	want := []byte(`my auth key is tskey-REDACTED, what's yours?`)
+	n, err := w.Write(in)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if n != len(in) {
+		t.Errorf("unexpected write length %d, want %d", n, len(in))
+	}
+	if got := buf.Bytes(); !bytes.Equal(got, want) {
+		t.Errorf("unexpected sanitized content\ngot: %q\nwant: %q", got, want)
+	}
+}