Skip to main content
Glama
Groupthink-dev

tailscale-blade-mcp

Server Configuration

Describes the environment variables required to run the server.

NameRequiredDescriptionDefault
TAILSCALE_API_KEYYesTailscale API access token (tskey-api-...) or OAuth Bearer token.
TAILSCALE_MCP_API_TOKENNoOptional Bearer token for HTTP transport authentication.
TAILSCALE_WRITE_ENABLEDNoSet to 'true' to enable write operations.false

Capabilities

Features and capabilities supported by this server

CapabilityDetails
tools
{
  "listChanged": true
}
logging
{}
prompts
{
  "listChanged": false
}
resources
{
  "subscribe": false,
  "listChanged": false
}
extensions
{
  "io.modelcontextprotocol/ui": {}
}
experimental
{}

Tools

Functions exposed to the LLM to take actions

NameDescription
ts_infoA

Health check: device counts, online/offline, key expiry warnings, updates, tailnet settings, write gate.

ts_devicesA

List all devices: hostname, OS, IP, online/offline, key expiry, tags, update status.

Optional scope arg filters devices by DD-278 scope-tag mapping (configurable via TAILSCALE_SCOPE_{INFRASTRUCTURE,PERSONAL,HOME}_TAGS). Output includes a Track 3 _meta envelope as a JSON tail line.

ts_deviceA

Full detail for a single device: addresses, OS, client version, key status, tags, user.

Single-record fetch — server-side filter is device_id-shaped, not tag-shaped. The _meta envelope is emitted for audit-surface uniformity; scope= is intentionally NOT accepted here because a scope filter on a single-device-detail call is semantically incoherent.

ts_device_routesA

Routes for a device: advertised subnets, approved/unapproved status.

Emits a DD-338 _meta envelope (audit_surface: structured) disclosing the device_id= server-side discrimination + the routes-row cardinality (advertised + enabled, union).

ts_dnsB

DNS configuration: nameservers, MagicDNS status, search paths, split DNS rules.

ts_aclA

ACL policy summary: groups, rules, SSH rules, tag owners. Shows who can talk to whom.

ts_acl_validateA

Validate an ACL policy without applying it. Returns errors or 'passed'.

ts_acl_setA

Apply (POST) a full ACL policy to the tailnet. Requires TAILSCALE_WRITE_ENABLED=true.

Always validates the policy first and refuses to apply on validation failure. By default uses optimistic concurrency: the current ETag is sent as If-Match so a concurrent admin edit fails with a clear re-fetch message instead of silently clobbering. Pass allow_overwrite_concurrent=true to bypass the guard. Requires a token with ACL policy-file WRITE scope (a read-only key 403s). Emits a DD-338 _meta envelope (audit_surface: structured).

ts_keysA

List auth keys: ID, description, reusable/ephemeral/preauth flags, tags, expiry.

Optional scope arg filters keys by DD-278 scope-tag mapping. Output includes a Track 3 _meta envelope as a JSON tail line.

ts_usersA

List users: name, login, role, status, device count, online/last seen. Sorted by case-folded loginName ascending (numeric id tie-break).

ts_webhooksA

List configured webhooks: endpoint URL, event subscriptions, created date. Sorted by endpointId ascending.

ts_audit_logA

Configuration audit log: who changed what, when. Recent entries first.

Optional scope arg filters audit entries to those whose target is a device with a tag in the scope set. Requires a secondary fetch of the device-tag map (uncached at v1). Entries with non-device targets are excluded when scope is provided.

ts_authorize_deviceA

Authorize or deauthorize a device. Requires TAILSCALE_WRITE_ENABLED=true.

ts_set_tagsA

Set ACL tags on a device. Replaces existing tags. Requires TAILSCALE_WRITE_ENABLED=true.

ts_expire_deviceA

Force key expiry on a device — it must re-authenticate. Requires TAILSCALE_WRITE_ENABLED=true.

ts_approve_routesA

Approve subnet routes on a device. Requires TAILSCALE_WRITE_ENABLED=true.

Default (replace=false): additive — reads the device's currently enabled routes first and approves the union, so previously approved routes are preserved.

replace=true: raw Tailscale set-routes REPLACE semantics — the enabled set becomes exactly routes; any currently enabled route not listed is de-approved, which can sever subnet connectivity. Use only when you intend to remove approvals.

ts_create_keyA

Create a new auth key. Requires TAILSCALE_WRITE_ENABLED=true.

ts_delete_keyA

Revoke an auth key. Requires TAILSCALE_WRITE_ENABLED=true and confirm=true.

ts_delete_deviceA

Delete a device from the tailnet. Requires TAILSCALE_WRITE_ENABLED=true and confirm=true.

Prompts

Interactive templates invoked by user choice

NameDescription

No prompts

Resources

Contextual data attached and managed by the client

NameDescription

No resources

Latest Blog Posts

MCP directory API

We provide all the information about MCP servers via our MCP API.

curl -X GET 'https://glama.ai/api/mcp/v1/servers/Groupthink-dev/tailscale-blade-mcp'

If you have feedback or need assistance with the MCP directory API, please join our Discord server