Provides tools for managing devices, DNS/Split DNS, ACL policies, auth keys, users, webhooks, and tailnet settings via the Tailscale API v2.
mcp-tailscale
Slim Tailscale MCP Server for managing devices, DNS/Split DNS, ACL policies, auth keys, users, webhooks, and tailnet settings via Tailscale API v2.
No SSH. No shell execution. API-only. 4 runtime dependencies.
Features
48 tools across 9 domains:
Devices — List, get, delete, authorize, expire, rename devices; manage routes, tags, and posture attributes
DNS — Global nameservers, search paths, split DNS configuration, MagicDNS preferences
ACL — Get, set, preview, validate, and test ACL policies
Keys — List, get, create, and revoke auth keys
Tailnet — Settings (read/write), contacts, Tailnet Lock status
Users — List and get tailnet users with role/type filtering
Webhooks — Create, list, get, and delete webhook endpoints
Posture Integrations — List, get, create, and delete third-party posture provider integrations
Diagnostics — Tailnet status summary, API connectivity check, log streaming, DERP map
Authentication: API key or OAuth client credentials (auto-refresh)
Quick Start
npm install
cp .env.example .env # Edit with your Tailscale API key and tailnet name
npm run build
node dist/index.js # stdio transport for MCP
Claude Code Integration
Add to .mcp.json in your project root:
{
  "mcpServers": {
    "tailscale": {
      "command": "node",
      "args": ["/path/to/mcp-tailscale/dist/index.js"],
      "env": {
        "TAILSCALE_API_KEY": "your-api-key-here",
        "TAILSCALE_TAILNET": "your-tailnet-name"
      },
      "comment": "Or use OAuth: TAILSCALE_OAUTH_CLIENT_ID + TAILSCALE_OAUTH_CLIENT_SECRET instead of TAILSCALE_API_KEY"
    }
  }
}
Skills
Claude Code skills compose MCP tools into higher-level workflows. See .claude/skills/README.md for detailed documentation.
Skill | Slash Command | Description |
tailscale-health | | Tailnet health dashboard — devices, DNS, ACL, keys, connectivity |
tailscale-live-test | | Live integration test — read + safe writes with cleanup |
tailscale-acl-management | — | ACL policy management — view, edit, validate, test, drift detection |
tailscale-device-management | — | Device management — list, authorize, routes, tags, posture |
tailscale-dns-management | — | DNS management — split DNS, nameservers, search paths, MagicDNS |
tailscale-key-management | — | Auth key management — create, list, rotate, revoke |
tailscale-onboarding | — | New device onboarding — auth key, authorize, tags, routes, verify |
SSE Transport
By default, mcp-tailscale uses stdio transport. To enable HTTP/SSE:
export TAILSCALE_MCP_TRANSPORT=sse
export TAILSCALE_MCP_AUTH_TOKEN=your-secret-token
export TAILSCALE_MCP_PORT=3000 # optional, default: 3000
export TAILSCALE_MCP_HOST=localhost # optional, default: localhost
node dist/index.js
All requests require Authorization: Bearer <token>. The server will not start without TAILSCALE_MCP_AUTH_TOKEN.
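One way to implement the startup check and bearer gate described above, as an added example (not mcp-tailscale's own code). The function names loadSseConfig, isAuthorized and requireBearer are hypothetical; only the environment variable names and defaults come from this README.

```javascript
// Added example (not mcp-tailscale source): fail-closed bearer-token gate
// for an HTTP/SSE listener, using the environment variables named above.
const { createHash, timingSafeEqual } = require('node:crypto');

// Read transport settings; refuse to continue without a usable token.
function loadSseConfig(env) {
  const token = (env.TAILSCALE_MCP_AUTH_TOKEN || '').trim();
  if (!token) {
    throw new Error('TAILSCALE_MCP_AUTH_TOKEN must be set for SSE transport');
  }
  const port = Number(env.TAILSCALE_MCP_PORT || 3000);
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error('TAILSCALE_MCP_PORT must be an integer in 1-65535');
  }
  return { token, port, host: env.TAILSCALE_MCP_HOST || 'localhost' };
}

// Hash both values so timingSafeEqual always sees equal-length buffers
// and the comparison time does not depend on where the strings differ.
function tokensMatch(presented, expected) {
  const a = createHash('sha256').update(presented, 'utf8').digest();
  const b = createHash('sha256').update(expected, 'utf8').digest();
  return timingSafeEqual(a, b);
}

// Return true only for "Authorization: Bearer <token>" with the right token.
function isAuthorized(authorizationHeader, expectedToken) {
  if (typeof authorizationHeader !== 'string') return false;
  const match = /^Bearer ([^\s]+)$/i.exec(authorizationHeader);
  if (!match) return false;
  return tokensMatch(match[1], expectedToken);
}

// Request handler wrapper: reject with 401 before any tool code runs.
function requireBearer(config, next) {
  return (req, res) => {
    if (!isAuthorized(req.headers.authorization, config.token)) {
      res.writeHead(401, { 'WWW-Authenticate': 'Bearer' });
      res.end();
      return;
    }
    next(req, res);
  };
}
```

Keeping the host at its localhost default limits exposure to the local machine; the token check still applies to every request.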
Configuration
Variable | Required | Default | Description |
| Yes* | — | Tailscale API key (from admin console > Settings > Keys) |
| Yes* | — | OAuth client ID (from admin console > Settings > OAuth) |
| Yes* | — | OAuth client secret |
| Yes | — | Tailnet name (e.g., |
| No | | API base URL (override for testing) |
| No | | Request timeout in milliseconds |
*Either
Authentication
API Key: Create at login.tailscale.com/admin/settings/keys. The key needs read/write access to the resources you want to manage.
OAuth Client Credentials: Create at login.tailscale.com/admin/settings/oauth. OAuth tokens auto-refresh before expiry. Recommended for automated/service integrations.
Tools
Devices (11 tools)
Tool | Description |
| List all devices in the tailnet |
| Get device details by ID |
| Delete a device (requires |
| Authorize a pending device |
| Get advertised and enabled routes |
| Set enabled subnet routes |
| Set ACL tags on a device |
| Get custom posture attributes |
| Set a custom posture attribute |
| Expire a device key (requires |
| Set a custom display name for a device |
DNS (8 tools)
Tool | Description |
| Get global DNS nameservers |
| Set global DNS nameservers |
| Get DNS search paths |
| Set DNS search paths |
| Get split DNS configuration |
| Update split DNS configuration (PATCH) |
| Get DNS preferences (MagicDNS) |
| Set DNS preferences |
ACL (5 tools)
Tool | Description |
| Get the current ACL policy |
| Replace the ACL policy (requires |
| Preview ACL policy for a user or IP |
| Validate an ACL policy without applying |
| Run ACL tests defined in the policy |
Keys (4 tools)
Tool | Description |
| List all auth keys |
| Get auth key details |
| Create a new auth key |
| Delete an auth key (requires |
Tailnet (5 tools)
Tool | Description |
| Get tailnet settings |
| Update tailnet settings (requires |
| Get tailnet contact emails |
| Update tailnet contacts (requires |
| Get Tailnet Lock status |
Users (2 tools)
Tool | Description |
| List all users (filter by type/role) |
| Get user details by ID |
Webhooks (4 tools)
Tool | Description |
| List all webhook endpoints |
| Create a webhook endpoint |
| Get webhook details by ID |
| Delete a webhook (requires |
Posture Integrations (4 tools)
Tool | Description |
| List all posture provider integrations |
| Get posture integration details by ID |
| Create a posture provider integration |
| Delete a posture integration (requires |
Diagnostics (5 tools)
Tool | Description |
| Tailnet status summary (device counts, online/offline) |
| Verify API connectivity and authentication |
| Get log streaming configuration |
| Set log streaming configuration (requires |
| Get DERP relay map |
Development
npm run build # Compile TypeScript
npm test # Run unit tests (vitest)
npm run typecheck # Type check only (no emit)
See CONTRIBUTING.md for contribution guidelines. See docs/api-reference.md for the Tailscale API v2 endpoint mapping.
License
This project is dual-licensed:
Open Source: GNU Affero General Public License v3.0 (AGPL-3.0) — free for open-source and non-commercial use
Commercial: Available for proprietary integrations — see COMMERCIAL_LICENSE.md
If you use mcp-tailscale in a proprietary product or SaaS offering, a commercial license is required. Support development by sponsoring us on GitHub.