Server Configuration
Describes the environment variables required to run the server.
| Name | Required | Description | Default |
|---|---|---|---|
| TAILSCALE_API_KEY | No | Tailscale API key (from admin console > Settings > Keys). Required if OAuth is not used. | |
| TAILSCALE_API_URL | No | API base URL (override for testing) | https://api.tailscale.com |
| TAILSCALE_TAILNET | No | Tailnet name (e.g., example.com or your org name) | |
| TAILSCALE_TIMEOUT | No | Request timeout in milliseconds | 30000 |
| TAILSCALE_MCP_HOST | No | Host for SSE transport server. | localhost |
| TAILSCALE_MCP_PORT | No | Port for SSE transport server. | 3000 |
| TAILSCALE_MCP_TRANSPORT | No | Transport mode (stdio or sse). Default is stdio. | stdio |
| TAILSCALE_MCP_AUTH_TOKEN | No | Secret token for SSE transport. The server will not start without this if transport is set to sse. | |
| TAILSCALE_OAUTH_CLIENT_ID | No | OAuth client ID (from admin console > Settings > OAuth). Required if API key is not used. | |
| TAILSCALE_OAUTH_CLIENT_SECRET | No | OAuth client secret. Required if API key is not used. |
Capabilities
Features and capabilities supported by this server
| Capability | Details |
|---|---|
| tools | {} |
Tools
Functions exposed to the LLM to take actions
| Name | Description |
|---|---|
| tailscale_device_list | List all devices in the tailnet. Returns all registered devices with their IP addresses, hostname, OS, and connection status. |
| tailscale_device_get | Get details of a specific device by its ID. |
| tailscale_device_delete | Delete a device from the tailnet. This removes the device and revokes its access. Requires confirm: true. |
| tailscale_device_authorize | Authorize a device that is pending approval. Sets the device's authorized status to true. |
| tailscale_device_routes_get | Get the advertised and enabled subnet routes for a device. |
| tailscale_device_routes_set | Set the enabled subnet routes for a device. Replaces the current set of enabled routes. |
| tailscale_device_tags_set | Set ACL tags on a device. Replaces all existing tags. Use an empty array to remove all tags. |
| tailscale_device_posture_get | Get custom posture attributes for a device. Returns all key-value posture attributes. |
| tailscale_device_posture_set | Set a custom posture attribute on a device. Creates or updates a single attribute key-value pair. |
| tailscale_device_expire | Expire a device's key, forcing it to re-authenticate. The device remains in the tailnet but loses connectivity until re-authenticated. This is one-directional — once expired, the device must re-auth. Requires confirm: true. |
| tailscale_device_rename | Set a custom display name for a device. This changes the device's 'given name' in Tailscale, not the machine hostname. |
| tailscale_dns_nameservers_get | Get the global DNS nameservers configured for the tailnet. Also returns whether MagicDNS is enabled. |
| tailscale_dns_nameservers_set | Set the global DNS nameservers for the tailnet. Replaces all existing nameservers. |
| tailscale_dns_searchpaths_get | Get the DNS search paths configured for the tailnet. |
| tailscale_dns_searchpaths_set | Set the DNS search paths for the tailnet. Replaces all existing search paths. |
| tailscale_dns_splitdns_get | Get the split DNS configuration for the tailnet. Returns a map of domain names to their resolver IP addresses. |
| tailscale_dns_splitdns_set | Update split DNS configuration for the tailnet using a PATCH operation. Provide a map of domain names to resolver IP addresses. Use null values to remove a domain. |
| tailscale_dns_preferences_get | Get DNS preferences for the tailnet, including MagicDNS status. |
| tailscale_dns_preferences_set | Set DNS preferences for the tailnet. Toggle MagicDNS on or off. |
| tailscale_acl_get | Get the current ACL policy for the tailnet as JSON. Returns the full policy including rules, groups, hosts, and tag owners. |
| tailscale_acl_set | Set (replace) the ACL policy for the tailnet. Requires confirm: true. The entire policy is replaced — provide the complete policy. |
| tailscale_acl_preview | Preview what the ACL policy would allow for a specific user or IP. Useful for testing before applying changes. |
| tailscale_acl_validate | Validate an ACL policy without applying it. Returns any errors or warnings found in the policy. |
| tailscale_acl_test | Run ACL tests defined in the policy's 'tests' field by validating the policy. Returns validation results including test pass/fail outcomes. |
| tailscale_key_list | List all auth keys for the tailnet. Returns key metadata (but not the secret key values). |
| tailscale_key_get | Get details of a specific auth key by its ID. |
| tailscale_key_create | Create a new auth key for the tailnet. Returns the key value — store it securely as it cannot be retrieved again. |
| tailscale_key_delete | Delete (revoke) an auth key. Devices already authenticated with this key will not be affected. Requires confirm: true. |
| tailscale_tailnet_settings_get | Get the tailnet settings including device approval, auto-updates, key expiry, and posture identity collection. |
| tailscale_tailnet_contacts_get | Get the contact email addresses configured for the tailnet (account, support, and security contacts). |
| tailscale_tailnet_contacts_set | Update contact email addresses for the tailnet. Requires confirm: true. Provide any combination of account, support, or security contacts. |
| tailscale_tailnet_lock_status | Get the Tailnet Lock status. Tailnet Lock allows requiring cryptographic signatures on all node key registrations. |
| tailscale_tailnet_settings_update | Update tailnet settings. Requires confirm: true. All settings fields are optional — only provided fields will be updated. |
| tailscale_status | Get a summary of the tailnet status including total device count, online/offline counts, and last-seen timestamps. |
| tailscale_api_verify | Verify API connectivity and authentication by making a lightweight request to the Tailscale API. |
| tailscale_log_stream_get | Get the current log streaming configuration for the tailnet. Log types: 'configuration' or 'network'. |
| tailscale_log_stream_set | Configure log streaming for the tailnet. Requires confirm: true. Streams logs to a specified URL endpoint. |
| tailscale_derp_map | Get the DERP relay map for the tailnet. Shows all DERP regions and their relay nodes used for traffic routing. |
| tailscale_user_list | List all users in the tailnet. Optionally filter by type (member/shared) or role (owner/admin/member/auditor/it-admin/network-admin/billing-admin). |
| tailscale_user_get | Get details for a specific user by their user ID. Returns display name, login, role, status, device count, and last seen. |
| tailscale_webhook_list | List all webhook endpoints configured for the tailnet. |
| tailscale_webhook_create | Create a new webhook endpoint. Returns the webhook including the signing secret (only shown once). Event types: nodeCreated, nodeApproved, nodeNeedsApproval, nodeKeyExpiringInOneDay, nodeKeyExpired, nodeDeleted, policyUpdate, userCreated, userDeleted, userApproved, userSuspended, userRestored, userRoleUpdated, subnetIPForwardingNotEnabled, exitNodeIPForwardingNotEnabled. |
| tailscale_webhook_get | Get details for a specific webhook endpoint by ID. |
| tailscale_webhook_delete | Delete a webhook endpoint. Requires confirm: true. |
| tailscale_posture_integration_list | List all configured third-party posture provider integrations for the tailnet (e.g., CrowdStrike, Intune, Jamf). |
| tailscale_posture_integration_get | Get details for a specific posture provider integration by ID. |
| tailscale_posture_integration_create | Create a new third-party posture provider integration. Supported providers: crowdstrike, falcon, intune, jamfPro, kandji, kolide, sentinelone. Required fields depend on the provider. |
| tailscale_posture_integration_delete | Delete a posture provider integration. Requires confirm: true. |
Prompts
Interactive templates invoked by user choice
| Name | Description |
|---|---|
No prompts | |
Resources
Contextual data attached and managed by the client
| Name | Description |
|---|---|
No resources | |