89 tools from the Tailscale MCP Server, categorised by risk level.
View the Tailscale policy →tailscale_authorize_device Authorize a device that is pending authorization. tailscale_deauthorize_device Deauthorize a device, immediately removing its access to the tailnet. The device will need to be re-authorized to reconnect. tailscale_expire_device Expire a device's key, forcing it to re-authenticate. tailscale_get_acl Get the current ACL policy for your tailnet. Returns the raw policy text with original formatting preserved, including comments and trailing commas... tailscale_get_audit_log Get the tailnet audit/configuration log. Shows who changed what and when — useful for troubleshooting and compliance. tailscale_get_contacts Get the tailnet contact information (security, support, admin emails). tailscale_get_device Get detailed information about a specific device by its ID. tailscale_get_device_invite Get details for a specific device invite. tailscale_get_device_posture_attributes Get all posture attributes for a device, including custom and system-managed attributes. tailscale_get_device_routes Get the subnet routes a device advertises and which are enabled. tailscale_get_dns_configuration Get the unified DNS configuration for your tailnet, including nameservers, search paths, split DNS, and MagicDNS preference in a single call. tailscale_get_dns_preferences Get DNS preferences for your tailnet, including whether MagicDNS is enabled. tailscale_get_key Get details for a specific key (auth key, OAuth client, or federated identity). tailscale_get_log_stream_config Get the log streaming configuration for a specific log type. tailscale_get_log_stream_status Get the status of log streaming for a specific log type. Shows whether logs are being delivered successfully. tailscale_get_nameservers Get the DNS nameservers configured for your tailnet. tailscale_get_network_flow_logs Get network traffic flow logs showing connections between devices. Shows source/destination nodes, timestamps, and traffic metadata — useful for se... tailscale_get_posture_integration Get details for a specific device posture integration. tailscale_get_search_paths Get the DNS search paths configured for your tailnet. tailscale_get_service Get details for a specific Tailscale Service, including its MagicDNS name, virtual IP, and configuration. tailscale_get_service_device_approval Get the approval status of a specific device for a Tailscale Service. tailscale_get_split_dns Get the split DNS configuration for your tailnet. tailscale_get_tailnet_settings Get your tailnet settings (device approval, key expiry, HTTPS certificates, etc.). tailscale_get_user Get details for a specific user. tailscale_get_user_invite Get details for a specific user invite. tailscale_get_webhook Get details for a specific webhook. tailscale_list_device_invites List all device invites for a specific device. tailscale_list_devices List all devices in your tailnet with their status, IP addresses, OS, and last seen time. tailscale_list_keys List keys in your tailnet. By default lists auth keys only. Set 'all' to true to include OAuth clients and federated identities. tailscale_list_log_stream_configs List all log streaming configurations for your tailnet. Fetches both 'configuration' (audit) and 'network' (flow) log stream configs. Log streaming... tailscale_list_posture_integrations List all device posture integrations configured for your tailnet. tailscale_list_service_hosts List devices hosting a specific Tailscale Service. tailscale_list_services List all Tailscale Services in your tailnet. Services provide stable MagicDNS names and virtual IPs, decoupled from individual devices. Note: servi... tailscale_list_user_invites List all user invites for your tailnet. tailscale_list_users List all users in your tailnet. tailscale_list_webhooks List all webhooks configured for your tailnet. tailscale_preview_acl Preview the ACL rules that would apply to a specific user or IP address if a proposed policy were applied. tailscale_resend_contact_verification Resend the verification email for a tailnet contact. tailscale_status Check that the Tailscale API connection is working. Returns your tailnet name, device count, and confirms authentication is valid. Use this to veri... tailscale_test_webhook Send a test event to a webhook endpoint to verify it is configured correctly and receiving events. tailscale_validate_acl Validate an ACL policy without applying it. Returns any errors found, or confirms the policy is valid. tailscale_validate_aws_trust_policy Validate that an AWS IAM role trust policy is correctly configured with the Tailscale external ID. Use this after setting up the IAM role for S3 lo... tailscale_accept_device_invite Accept a device share invitation using the invite URL or code. tailscale_approve_user Approve a pending user, granting them access to the tailnet. tailscale_batch_update_posture_attributes Batch update custom posture attributes across multiple devices. Each attribute key must start with 'custom:'. Uses JSON Merge Patch semantics — pas... tailscale_create_aws_external_id Create or get an AWS external ID for your tailnet. Used when configuring log streaming to S3 — the external ID is included in the IAM role trust po... tailscale_create_device_invite Create a device share invitation that allows an external user to access a specific device in your tailnet. tailscale_create_key Create a new key in your tailnet. Supports auth keys (for adding devices), OAuth clients (for programmatic API access), and federated identities (f... tailscale_create_posture_integration Create a new device posture integration. tailscale_create_user_invite Create a new user invite that allows someone to join your tailnet. tailscale_create_webhook Create a new webhook. tailscale_rename_device Set the name of a device in the tailnet. tailscale_resend_device_invite Resend a device invite email. tailscale_resend_user_invite Resend a user invite email. tailscale_restore_user Restore a previously suspended user, re-granting them access to the tailnet. tailscale_rotate_webhook_secret Rotate a webhook's secret. Returns the new secret — save it immediately, as it cannot be retrieved again. The old secret is immediately invalidated. tailscale_set_contacts Update tailnet contact information. Each provided contact type (account/support/security) is PATCHed in parallel; per-type errors are returned alon... tailscale_set_device_ip Set the Tailscale IPv4 address for a device. tailscale_set_device_posture_attribute Set a custom posture attribute on a device. Creates or updates the attribute. Attribute keys must start with 'custom:'. Useful for compliance track... tailscale_set_device_routes Set the enabled subnet routes for a device. Replaces all currently enabled routes — pass the full list of routes you want enabled. tailscale_set_device_tags Set ACL tags on a device. Replaces all existing tags — pass the full list of tags you want applied. tailscale_set_devices_authorized Authorize or deauthorize multiple devices in one call. Each device's POST runs in parallel; per-device errors are returned alongside the successes ... tailscale_set_dns_configuration Set the unified DNS configuration for your tailnet in a single call. Replaces all DNS settings (nameservers, search paths, split DNS, MagicDNS pref... tailscale_set_dns_preferences Set DNS preferences for your tailnet, such as enabling or disabling MagicDNS. tailscale_set_log_stream_config Set the log streaming configuration for a specific log type. Configures where logs are sent (e.g. Axiom, Datadog, Splunk, Elasticsearch, S3).
Per-... tailscale_set_nameservers Set the DNS nameservers for your tailnet. Replaces all existing nameservers. tailscale_set_search_paths Set the DNS search paths for your tailnet. Replaces all existing search paths. tailscale_set_service_device_approval Approve or reject a device to host a Tailscale Service. tailscale_set_split_dns Set split DNS configuration. Maps domains to specific nameservers. Replaces the entire split DNS configuration. tailscale_suspend_user Suspend a user, immediately revoking their access to the tailnet. Their devices will be disconnected. Can be reversed with tailscale_restore_user. tailscale_update_acl Update the ACL policy for your tailnet. Accepts the full policy as a string to preserve formatting, comments, and trailing commas (HuJSON). You MUS... tailscale_update_device_key Update a device's key settings, such as disabling key expiry. Useful for servers that should never need to re-authenticate. tailscale_update_key Update an existing key. Supported fields depend on the key type: all key types accept 'description'; OAuth clients and federated identities additio... tailscale_update_posture_integration Update an existing posture integration's credentials or configuration. tailscale_update_service Update a Tailscale Service's configuration. tailscale_update_split_dns Partially update split DNS configuration. Merges the provided domains with the existing config — only the specified domains are changed, others are... tailscale_update_tailnet_settings Update tailnet settings (device approval, auto-updates, key expiry, HTTPS certificates, network flow logging, regional routing, posture identity co... tailscale_update_user_role Update a user's role in the tailnet. tailscale_update_webhook Update an existing webhook's endpoint URL and/or subscriptions. tailscale_delete_device Permanently remove a device from the tailnet. This is irreversible — the device must re-authenticate to rejoin. tailscale_delete_device_invite Delete a device invite. This is irreversible — the invite link will stop working. tailscale_delete_device_posture_attribute Delete a custom posture attribute from a device. This is irreversible. tailscale_delete_key Delete a key (auth key, OAuth client, or federated identity). This is irreversible. For auth keys, devices already authenticated are unaffected but... tailscale_delete_log_stream_config Delete a log streaming configuration. Logs will stop being sent to the configured destination. tailscale_delete_posture_integration Delete a posture integration. This is irreversible. tailscale_delete_service Delete a Tailscale Service. This is irreversible — the service's MagicDNS name and virtual IP will be released. tailscale_delete_user Delete a user from the tailnet. This is irreversible — the user and all their devices will be removed. tailscale_delete_user_invite Delete a user invite. This is irreversible — the invite link will stop working. tailscale_delete_webhook Delete a webhook. This is irreversible — the webhook secret cannot be recovered. The Tailscale MCP server exposes 89 tools across 3 categories: Read, Write, Destructive.
Use Intercept, the open-source MCP proxy. Write YAML rules for each tool — rate limits, argument validation, or deny rules — then run Intercept in front of the Tailscale server.
Tailscale tools are categorised as Read (42), Write (37), Destructive (10). Each category has a recommended default policy.
Deterministic policy on every MCP tool call. Per-identity grants. Full audit log.