List all devices in the tailnet. Returns all registered devices with their IP addresses, hostname, OS, and connection status.

Get details of a specific device by its ID.

Delete a device from the tailnet. This removes the device and revokes its access. Requires confirm: true.

Authorize a device that is pending approval. Sets the device's authorized status to true.

Get the advertised and enabled subnet routes for a device.

Set the enabled subnet routes for a device. Replaces the current set of enabled routes.

Set ACL tags on a device. Replaces all existing tags. Use an empty array to remove all tags.

Get custom posture attributes for a device. Returns all key-value posture attributes.

Set a custom posture attribute on a device. Creates or updates a single attribute key-value pair.

Expire a device's key, forcing it to re-authenticate. The device remains in the tailnet but loses connectivity until re-authenticated. This is one-directional — once expired, the device must re-auth. Requires confirm: true.

Set a custom display name for a device. This changes the device's 'given name' in Tailscale, not the machine hostname.

Get the global DNS nameservers configured for the tailnet. Also returns whether MagicDNS is enabled.

Set the global DNS nameservers for the tailnet. Replaces all existing nameservers.

Get the DNS search paths configured for the tailnet.

Set the DNS search paths for the tailnet. Replaces all existing search paths.

Get the split DNS configuration for the tailnet. Returns a map of domain names to their resolver IP addresses.

Update split DNS configuration for the tailnet using a PATCH operation. Provide a map of domain names to resolver IP addresses. Use null values to remove a domain.

Get DNS preferences for the tailnet, including MagicDNS status.

Set DNS preferences for the tailnet. Toggle MagicDNS on or off.

Get the current ACL policy for the tailnet as JSON. Returns the full policy including rules, groups, hosts, and tag owners.

Set (replace) the ACL policy for the tailnet. Requires confirm: true. The entire policy is replaced — provide the complete policy.

Preview what the ACL policy would allow for a specific user or IP. Useful for testing before applying changes.

Validate an ACL policy without applying it. Returns any errors or warnings found in the policy.

Run ACL tests defined in the policy's 'tests' field by validating the policy. Returns validation results including test pass/fail outcomes.

List all auth keys for the tailnet. Returns key metadata (but not the secret key values).

Get details of a specific auth key by its ID.

Create a new auth key for the tailnet. Returns the key value — store it securely as it cannot be retrieved again.

Delete (revoke) an auth key. Devices already authenticated with this key will not be affected. Requires confirm: true.

Get the tailnet settings including device approval, auto-updates, key expiry, and posture identity collection.

Get the contact email addresses configured for the tailnet (account, support, and security contacts).

Update contact email addresses for the tailnet. Requires confirm: true. Provide any combination of account, support, or security contacts.

Get the Tailnet Lock status. Tailnet Lock allows requiring cryptographic signatures on all node key registrations.

Update tailnet settings. Requires confirm: true. All settings fields are optional — only provided fields will be updated.

Get a summary of the tailnet status including total device count, online/offline counts, and last-seen timestamps.

Verify API connectivity and authentication by making a lightweight request to the Tailscale API.

Get the current log streaming configuration for the tailnet. Log types: 'configuration' or 'network'.

Configure log streaming for the tailnet. Requires confirm: true. Streams logs to a specified URL endpoint.

Get the custom DERP relay map from the tailnet's ACL policy. Returns the derpMap field from the ACL, or a 'not configured' message if no custom DERP map exists.

Set or update the custom DERP relay map in the tailnet's ACL policy. Requires confirm: true. Custom DERP regions use IDs 900-999. Set omitDefaultRegions: true to replace Tailscale's default relays entirely.

List all users in the tailnet. Optionally filter by type (member/shared) or role (owner/admin/member/auditor/it-admin/network-admin/billing-admin).

Get details for a specific user by their user ID. Returns display name, login, role, status, device count, and last seen.

List all webhook endpoints configured for the tailnet.

Create a new webhook endpoint. Returns the webhook including the signing secret (only shown once). Event types: nodeCreated, nodeApproved, nodeNeedsApproval, nodeKeyExpiringInOneDay, nodeKeyExpired, nodeDeleted, policyUpdate, userCreated, userDeleted, userApproved, userSuspended, userRestored, userRoleUpdated, subnetIPForwardingNotEnabled, exitNodeIPForwardingNotEnabled.

Get details for a specific webhook endpoint by ID.

Delete a webhook endpoint. Requires confirm: true.

List all configured third-party posture provider integrations for the tailnet (e.g., CrowdStrike, Intune, Jamf).

Get details for a specific posture provider integration by ID.

Create a new third-party posture provider integration. Supported providers: crowdstrike, falcon, intune, jamfPro, kandji, kolide, sentinelone. Required fields depend on the provider.

Delete a posture provider integration. Requires confirm: true.