ts_acl_set
Apply a full ACL policy to your Tailscale tailnet with automatic validation and optimistic concurrency to prevent silent overwrites from concurrent edits.
Instructions
Apply (POST) a full ACL policy to the tailnet. Requires TAILSCALE_WRITE_ENABLED=true.
Always validates the policy first and refuses to apply on validation failure.
By default uses optimistic concurrency: the current ETag is sent as If-Match
so a concurrent admin edit fails with a clear re-fetch message instead of
silently clobbering. Pass allow_overwrite_concurrent=true to bypass the
guard. Requires a token with ACL policy-file WRITE scope (a read-only key 403s).
Emits a DD-338 _meta envelope (audit_surface: structured).
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| policy_json | Yes | Full ACL policy as a JSON string. Replaces the ENTIRE policy file (not a patch). | |
| if_match | No | ETag from a prior read for optimistic concurrency. If omitted, the current ETag is fetched automatically and used as the guard. Ignored when allow_overwrite_concurrent=true. | |
| allow_overwrite_concurrent | No | Skip the If-Match optimistic-concurrency guard and overwrite even if the ACL changed since it was read. Dangerous — defaults to false. |
Output Schema
| Name | Required | Description | Default |
|---|---|---|---|
| result | Yes |