tailscale

tailscale

Tailscale API -- devices, users, auth keys, DNS, ACL/policy, webhooks, contacts, posture integrations, log streaming, and tailnet settings

Source: Tailscale REST API

clouddevopsnetworkingsecuritycrudwebhooksuser-managementauthenticationauth:bearer

Credits: Dunkel Cloud GmbH -- maintainer Updated: 2026-04-06

Coverage

83% (58 of ~70 endpoints)

Focus: devices, device routes, device posture, users, auth keys, DNS (nameservers, search paths, preferences, split DNS), ACL/policy, webhooks, contacts, tailnet settings, posture integrations, log streaming

Missing: OAuth token endpoint, device invites, user invites, services (beta)

Last reviewed: 2026-04-06

Setup

1. Log in to the Tailscale admin console at https://login.tailscale.com/admin
2. Navigate to Settings -> Keys
3. Click 'Generate API key'
4. Set expiry (1-90 days) and copy the key immediately -- it is shown only once
5. Key prefix is tskey-api-. Requires Owner, Admin, IT admin, or Network admin role.
6. Alternative: create an OAuth client under Settings -> OAuth for long-lived automated access

Environment variable: CREDENTIAL_TAILSCALE_API_TOKEN

Authentication docs ↗

API keys expire after 1-90 days and cannot be renewed -- create a new one before expiry. For automation, prefer OAuth clients which support token refresh. Use '-' as the tailnet parameter to target your own tailnet.

Install

Add to your backends.yaml:

- name: tailscale
  transport: rest
  dadl: tailscale.dadl

Set the credential:

CREDENTIAL_TAILSCALE_API_TOKEN=your-token-here

Copy Install Config

Tools (60)

GET list_devices List all devices in the tailnet

GET get_device Get details of a specific device

DELETE delete_device Remove a device from the tailnet

POST authorize_device Authorize or deauthorize a device

POST expire_device_key Expire a device's node key, forcing it to re-authenticate

POST set_device_key Set device key properties (e.g. disable key expiry)

POST set_device_name Set custom display name for a device

POST set_device_tags Set ACL tags on a device (replaces existing tags)

POST set_device_ip Set the Tailscale IPv4 address of a device

GET get_device_routes Get advertised and enabled subnet routes for a device

POST set_device_routes Set which subnet routes are enabled for a device

GET get_device_posture_attributes Get custom posture attributes for a device

POST set_device_posture_attribute Set a custom posture attribute on a device

DELETE delete_device_posture_attribute Delete a custom posture attribute from a device

GET list_users List users in the tailnet

GET get_user Get details of a specific user

POST approve_user Approve a pending user

POST suspend_user Suspend a user (disables their access to the tailnet)

POST restore_user Restore a previously suspended user

POST delete_user Delete a user from the tailnet

POST set_user_role Update a user's role in the tailnet

GET list_keys List all auth keys and API access tokens in the tailnet

GET get_key Get details of a specific key

POST create_auth_key Create a new auth key for device registration

DELETE delete_key Revoke and delete a key

GET get_dns_nameservers Get the global DNS nameservers for the tailnet

POST set_dns_nameservers Set the global DNS nameservers (replaces existing list)

GET get_dns_searchpaths Get DNS search paths for the tailnet

POST set_dns_searchpaths Set DNS search paths (replaces existing list)

GET get_dns_preferences Get DNS preferences (MagicDNS status)

POST set_dns_preferences Set DNS preferences (enable/disable MagicDNS)

GET get_dns_split Get split DNS configuration

PUT set_dns_split Replace the entire split DNS configuration

PATCH patch_dns_split Merge updates into the split DNS configuration (existing entries preserved)

GET get_acl Get the current ACL/policy file. Returns ETag header for concurrency control.

POST set_acl Replace the ACL/policy file. Use If-Match header with ETag for optimistic concurrency.

POST preview_acl Preview how ACL rules apply to a specific user or IP:port

POST validate_acl Validate an ACL policy without applying it

POST test_acl Run the test cases defined in the ACL policy

GET list_webhooks List all webhook endpoints in the tailnet

POST create_webhook Create a new webhook endpoint

GET get_webhook Get details of a webhook endpoint

PATCH update_webhook Update a webhook endpoint's subscriptions

DELETE delete_webhook Delete a webhook endpoint

POST test_webhook Send a test event to a webhook endpoint

POST rotate_webhook_secret Rotate the signing secret for a webhook endpoint

GET get_contacts Get tailnet contact emails (account, support, security)

PATCH update_contact Update a contact email address

POST resend_contact_verification Resend verification email for a contact

GET get_tailnet_settings Get tailnet-wide settings (auto-updates, approval, key duration, etc.)

PATCH update_tailnet_settings Update tailnet settings (partial update)

GET list_posture_integrations List device posture integrations (CrowdStrike, Intune, Jamf, etc.)

POST create_posture_integration Create a new posture integration

GET get_posture_integration Get details of a posture integration

PATCH update_posture_integration Update a posture integration

DELETE delete_posture_integration Delete a posture integration

GET get_log_stream_config Get log stream configuration for a log type

PUT set_log_stream_config Set log stream destination (Splunk, Elastic, Datadog, S3, etc.)

DELETE delete_log_stream_config Delete log stream configuration

GET get_log_stream_status Get current status of log streaming

View on GitHub Raw DADL