diff --git a/cmd/headscale/cli/preauthkeys.go b/cmd/headscale/cli/preauthkeys.go
index f6f643a4..681731ae 100644
--- a/cmd/headscale/cli/preauthkeys.go
+++ b/cmd/headscale/cli/preauthkeys.go
@@ -108,15 +108,14 @@ var listPreAuthKeys = &cobra.Command{
 				reusable = fmt.Sprintf("%v", key.GetReusable())
 			}
 
-			var aclTags string
+			aclTags := ""
 
-			if len(key.AclTags) > 0 {
-				for _, tag := range key.AclTags {
-					aclTags += "," + tag
-				}
-				aclTags = strings.TrimLeft(aclTags, ",")
+			for _, tag := range key.AclTags {
+				aclTags += "," + tag
 			}
 
+			aclTags = strings.TrimLeft(aclTags, ",")
+
 			tableData = append(tableData, []string{
 				key.GetId(),
 				key.GetKey(),
diff --git a/grpcv1.go b/grpcv1.go
index 917c2a14..2535b280 100644
--- a/grpcv1.go
+++ b/grpcv1.go
@@ -1,4 +1,4 @@
-//nolint
+// nolint
 package headscale
 
 import (
@@ -106,15 +106,12 @@ func (api headscaleV1APIServer) CreatePreAuthKey(
 		expiration = request.GetExpiration().AsTime()
 	}
 
-	if len(request.AclTags) > 0 {
-		for _, tag := range request.AclTags {
-			err := validateTag(tag)
-
-			if err != nil {
-				return &v1.CreatePreAuthKeyResponse{
-					PreAuthKey: nil,
-				}, status.Error(codes.InvalidArgument, err.Error())
-			}
+	for _, tag := range request.AclTags {
+		err := validateTag(tag)
+		if err != nil {
+			return &v1.CreatePreAuthKeyResponse{
+				PreAuthKey: nil,
+			}, status.Error(codes.InvalidArgument, err.Error())
 		}
 	}
 
@@ -154,7 +151,6 @@ func (api headscaleV1APIServer) ListPreAuthKeys(
 	request *v1.ListPreAuthKeysRequest,
 ) (*v1.ListPreAuthKeysResponse, error) {
 	preAuthKeys, err := api.h.ListPreAuthKeys(request.GetNamespace())
-
 	if err != nil {
 		return nil, err
 	}
diff --git a/preauth_keys.go b/preauth_keys.go
index 5206c43c..1037bc87 100644
--- a/preauth_keys.go
+++ b/preauth_keys.go
@@ -234,10 +234,8 @@ func (key *PreAuthKey) toProto() *v1.PreAuthKey {
 		protoKey.CreatedAt = timestamppb.New(*key.CreatedAt)
 	}
 
-	if len(key.ACLTags) > 0 {
-		for idx := range key.ACLTags {
-			protoKey.AclTags[idx] = key.ACLTags[idx].Tag
-		}
+	for idx := range key.ACLTags {
+		protoKey.AclTags[idx] = key.ACLTags[idx].Tag
 	}
 
 	return &protoKey
diff --git a/protocol_common.go b/protocol_common.go
index 9cb7c67f..b4c6223c 100644
--- a/protocol_common.go
+++ b/protocol_common.go
@@ -358,18 +358,18 @@ func (h *Headscale) handleAuthKeyCommon(
 		if len(aclTags) > 0 {
 			// This conditional preserves the existing behaviour, although SaaS would reset the tags on auth-key login
 			err = h.SetTags(machine, aclTags)
-		}
 
-		if err != nil {
-			log.Error().
-				Caller().
-				Bool("noise", machineKey.IsZero()).
-				Str("machine", machine.Hostname).
-				Strs("aclTags", aclTags).
-				Err(err).
-				Msg("Failed to set tags after refreshing machine")
+			if err != nil {
+				log.Error().
+					Caller().
+					Bool("noise", machineKey.IsZero()).
+					Str("machine", machine.Hostname).
+					Strs("aclTags", aclTags).
+					Err(err).
+					Msg("Failed to set tags after refreshing machine")
 
-			return
+				return
+			}
 		}
 	} else {
 		now := time.Now().UTC()