diff --git a/tstest/integration/integration_test.go b/tstest/integration/integration_test.go
index 18a7e0aa5..321072172 100644
--- a/tstest/integration/integration_test.go
+++ b/tstest/integration/integration_test.go
@@ -315,7 +315,7 @@ func TestAddPingRequest(t *testing.T) {
 		t.Fatalf("expected 1 node, got %d nodes", len(nodes))
 	}
 
-	nodeKey := nodes[0].Key
+	nodeKey := nodes[0].Key.AsNodePublic()
 
 	// Check that we get at least one ping reply after 10 tries.
 	for try := 1; try <= 10; try++ {
diff --git a/tstest/integration/testcontrol/testcontrol.go b/tstest/integration/testcontrol/testcontrol.go
index 1c83bfe67..a674381a4 100644
--- a/tstest/integration/testcontrol/testcontrol.go
+++ b/tstest/integration/testcontrol/testcontrol.go
@@ -58,13 +58,13 @@ type Server struct {
 	cond          *sync.Cond // lazily initialized by condLocked
 	pubKey        key.MachinePublic
 	privKey       key.ControlPrivate // not strictly needed vs. MachinePrivate, but handy to test type interactions.
-	nodes         map[tailcfg.NodeKey]*tailcfg.Node
-	users         map[tailcfg.NodeKey]*tailcfg.User
-	logins        map[tailcfg.NodeKey]*tailcfg.Login
+	nodes         map[key.NodePublic]*tailcfg.Node
+	users         map[key.NodePublic]*tailcfg.User
+	logins        map[key.NodePublic]*tailcfg.Login
 	updates       map[tailcfg.NodeID]chan updateType
 	authPath      map[string]*AuthPath
-	nodeKeyAuthed map[tailcfg.NodeKey]bool // key => true once authenticated
-	pingReqsToAdd map[tailcfg.NodeKey]*tailcfg.PingRequest
+	nodeKeyAuthed map[key.NodePublic]bool // key => true once authenticated
+	pingReqsToAdd map[key.NodePublic]*tailcfg.PingRequest
 }
 
 // BaseURL returns the server's base URL, without trailing slash.
@@ -103,7 +103,7 @@ func (s *Server) condLocked() *sync.Cond {
 
 // AwaitNodeInMapRequest waits for node k to be stuck in a map poll.
 // It returns an error if and only if the context is done first.
-func (s *Server) AwaitNodeInMapRequest(ctx context.Context, k tailcfg.NodeKey) error {
+func (s *Server) AwaitNodeInMapRequest(ctx context.Context, k key.NodePublic) error {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	cond := s.condLocked()
@@ -135,11 +135,11 @@ func (s *Server) AwaitNodeInMapRequest(ctx context.Context, k tailcfg.NodeKey) e
 
 // AddPingRequest sends the ping pr to nodeKeyDst. It reports whether it did so. That is,
 // it reports whether nodeKeyDst was connected.
-func (s *Server) AddPingRequest(nodeKeyDst tailcfg.NodeKey, pr *tailcfg.PingRequest) bool {
+func (s *Server) AddPingRequest(nodeKeyDst key.NodePublic, pr *tailcfg.PingRequest) bool {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	if s.pingReqsToAdd == nil {
-		s.pingReqsToAdd = map[tailcfg.NodeKey]*tailcfg.PingRequest{}
+		s.pingReqsToAdd = map[key.NodePublic]*tailcfg.PingRequest{}
 	}
 	// Now send the update to the channel
 	node := s.nodeLocked(nodeKeyDst)
@@ -154,7 +154,7 @@ func (s *Server) AddPingRequest(nodeKeyDst tailcfg.NodeKey, pr *tailcfg.PingRequ
 }
 
 type AuthPath struct {
-	nodeKey tailcfg.NodeKey
+	nodeKey key.NodePublic
 
 	closeOnce sync.Once
 	ch        chan struct{}
@@ -254,7 +254,7 @@ func (s *Server) serveMachine(w http.ResponseWriter, r *http.Request) {
 }
 
 // Node returns the node for nodeKey. It's always nil or cloned memory.
-func (s *Server) Node(nodeKey tailcfg.NodeKey) *tailcfg.Node {
+func (s *Server) Node(nodeKey key.NodePublic) *tailcfg.Node {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	return s.nodeLocked(nodeKey)
@@ -263,7 +263,7 @@ func (s *Server) Node(nodeKey tailcfg.NodeKey) *tailcfg.Node {
 // nodeLocked returns the node for nodeKey. It's always nil or cloned memory.
 //
 // s.mu must be held.
-func (s *Server) nodeLocked(nodeKey tailcfg.NodeKey) *tailcfg.Node {
+func (s *Server) nodeLocked(nodeKey key.NodePublic) *tailcfg.Node {
 	return s.nodes[nodeKey].Clone()
 }
 
@@ -272,20 +272,21 @@ func (s *Server) AddFakeNode() {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	if s.nodes == nil {
-		s.nodes = make(map[tailcfg.NodeKey]*tailcfg.Node)
+		s.nodes = make(map[key.NodePublic]*tailcfg.Node)
 	}
-	nk := key.NewNode().Public().AsNodeKey()
+	nk := key.NewNode().Public()
 	mk := key.NewMachine().Public()
 	dk := tailcfg.DiscoKeyFromDiscoPublic(key.NewDisco().Public())
-	id := int64(binary.LittleEndian.Uint64(nk[:]))
-	ip := netaddr.IPv4(nk[0], nk[1], nk[2], nk[3])
+	r := nk.Raw32()
+	id := int64(binary.LittleEndian.Uint64(r[:]))
+	ip := netaddr.IPv4(r[0], r[1], r[2], r[3])
 	addr := netaddr.IPPrefixFrom(ip, 32)
 	s.nodes[nk] = &tailcfg.Node{
 		ID:                tailcfg.NodeID(id),
 		StableID:          tailcfg.StableNodeID(fmt.Sprintf("TESTCTRL%08x", id)),
 		User:              tailcfg.UserID(id),
 		Machine:           mk,
-		Key:               nk,
+		Key:               nk.AsNodeKey(),
 		MachineAuthorized: true,
 		DiscoKey:          dk,
 		Addresses:         []netaddr.IPPrefix{addr},
@@ -306,14 +307,14 @@ func (s *Server) AllNodes() (nodes []*tailcfg.Node) {
 	return nodes
 }
 
-func (s *Server) getUser(nodeKey tailcfg.NodeKey) (*tailcfg.User, *tailcfg.Login) {
+func (s *Server) getUser(nodeKey key.NodePublic) (*tailcfg.User, *tailcfg.Login) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	if s.users == nil {
-		s.users = map[tailcfg.NodeKey]*tailcfg.User{}
+		s.users = map[key.NodePublic]*tailcfg.User{}
 	}
 	if s.logins == nil {
-		s.logins = map[tailcfg.NodeKey]*tailcfg.Login{}
+		s.logins = map[key.NodePublic]*tailcfg.Login{}
 	}
 	if u, ok := s.users[nodeKey]; ok {
 		return u, s.logins[nodeKey]
@@ -353,7 +354,7 @@ func (s *Server) authPathDone(authPath string) <-chan struct{} {
 	return nil
 }
 
-func (s *Server) addAuthPath(authPath string, nodeKey tailcfg.NodeKey) {
+func (s *Server) addAuthPath(authPath string, nodeKey key.NodePublic) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	if s.authPath == nil {
@@ -385,7 +386,7 @@ func (s *Server) CompleteAuth(authPathOrURL string) bool {
 		panic("zero AuthPath.NodeKey")
 	}
 	if s.nodeKeyAuthed == nil {
-		s.nodeKeyAuthed = map[tailcfg.NodeKey]bool{}
+		s.nodeKeyAuthed = map[key.NodePublic]bool{}
 	}
 	s.nodeKeyAuthed[ap.nodeKey] = true
 	ap.CompleteSuccessfully()
@@ -433,10 +434,12 @@ func (s *Server) serveRegister(w http.ResponseWriter, r *http.Request, mkey key.
 		// some follow-ups? For now all are successes.
 	}
 
-	user, login := s.getUser(req.NodeKey)
+	nk := req.NodeKey.AsNodePublic()
+
+	user, login := s.getUser(nk)
 	s.mu.Lock()
 	if s.nodes == nil {
-		s.nodes = map[tailcfg.NodeKey]*tailcfg.Node{}
+		s.nodes = map[key.NodePublic]*tailcfg.Node{}
 	}
 
 	machineAuthorized := true // TODO: add Server.RequireMachineAuth
@@ -449,7 +452,7 @@ func (s *Server) serveRegister(w http.ResponseWriter, r *http.Request, mkey key.
 		v6Prefix,
 	}
 
-	s.nodes[req.NodeKey] = &tailcfg.Node{
+	s.nodes[nk] = &tailcfg.Node{
 		ID:                tailcfg.NodeID(user.ID),
 		StableID:          tailcfg.StableNodeID(fmt.Sprintf("TESTCTRL%08x", int(user.ID))),
 		User:              user.ID,
@@ -461,7 +464,7 @@ func (s *Server) serveRegister(w http.ResponseWriter, r *http.Request, mkey key.
 		Hostinfo:          *req.Hostinfo,
 	}
 	requireAuth := s.RequireAuth
-	if requireAuth && s.nodeKeyAuthed[req.NodeKey] {
+	if requireAuth && s.nodeKeyAuthed[nk] {
 		requireAuth = false
 	}
 	s.mu.Unlock()
@@ -471,7 +474,7 @@ func (s *Server) serveRegister(w http.ResponseWriter, r *http.Request, mkey key.
 		randHex := make([]byte, 10)
 		crand.Read(randHex)
 		authPath := fmt.Sprintf("/auth/%x", randHex)
-		s.addAuthPath(authPath, req.NodeKey)
+		s.addAuthPath(authPath, nk)
 		authURL = s.BaseURL() + authPath
 	}
 
@@ -535,7 +538,7 @@ func (s *Server) UpdateNode(n *tailcfg.Node) (peersToUpdate []tailcfg.NodeID) {
 	if n.Key.IsZero() {
 		panic("zero nodekey")
 	}
-	s.nodes[n.Key] = n.Clone()
+	s.nodes[n.Key.AsNodePublic()] = n.Clone()
 	for _, n2 := range s.nodes {
 		if n.ID != n2.ID {
 			peersToUpdate = append(peersToUpdate, n2.ID)
@@ -578,7 +581,7 @@ func (s *Server) serveMap(w http.ResponseWriter, r *http.Request, mkey key.Machi
 	jitter := time.Duration(rand.Intn(8000)) * time.Millisecond
 	keepAlive := 50*time.Second + jitter
 
-	node := s.Node(req.NodeKey)
+	node := s.Node(req.NodeKey.AsNodePublic())
 	if node == nil {
 		http.Error(w, "node not found", 400)
 		return
@@ -690,12 +693,13 @@ var keepAliveMsg = &struct {
 //
 // No updates to s are done here.
 func (s *Server) MapResponse(req *tailcfg.MapRequest) (res *tailcfg.MapResponse, err error) {
-	node := s.Node(req.NodeKey)
+	nk := req.NodeKey.AsNodePublic()
+	node := s.Node(nk)
 	if node == nil {
 		// node key rotated away (once test server supports that)
 		return nil, nil
 	}
-	user, _ := s.getUser(req.NodeKey)
+	user, _ := s.getUser(nk)
 	res = &tailcfg.MapResponse{
 		Node:            node,
 		DERPMap:         s.DERPMap,
@@ -727,9 +731,9 @@ func (s *Server) MapResponse(req *tailcfg.MapRequest) (res *tailcfg.MapResponse,
 
 	// Consume the PingRequest while protected by mutex if it exists
 	s.mu.Lock()
-	if pr, ok := s.pingReqsToAdd[node.Key]; ok {
+	if pr, ok := s.pingReqsToAdd[nk]; ok {
 		res.PingRequest = pr
-		delete(s.pingReqsToAdd, node.Key)
+		delete(s.pingReqsToAdd, nk)
 	}
 	s.mu.Unlock()
 	return res, nil