# Tailscale MCP Server — 60 tools via DADL

The Tailscale DADL turns Tailscale's API into an MCP server that Claude, GPT or any MCP-compatible agent can consume directly. One YAML file declares all 60 tools — device, user, webhook, acl, posture, log, and more — and ToolMesh serves them at runtime. No Python boilerplate, no per-endpoint code, no separate MCP server process.

Below: the endpoint coverage matrix, a two-block ToolMesh setup, the full tool reference grouped by Tailscale feature area, required credential scopes.

**Source:** [Tailscale REST API](https://tailscale.com/api)

**Updated:** 2026-04-06

**Tags:** cloud, devops, networking, security, crud, webhooks, user-management, authentication, auth:bearer

## Which Tailscale endpoints are covered?

**83%** (58 of ~70 endpoints).

**Focus:** devices, device routes, device posture, users, auth keys, DNS (nameservers, search paths, preferences, split DNS), ACL/policy, webhooks, contacts, tailnet settings, posture integrations, log streaming

**Missing:** OAuth token endpoint, device invites, user invites, services (beta)

*Last reviewed: 2026-04-06*

## How do you configure the Tailscale DADL?

1. Log in to the Tailscale admin console at https://login.tailscale.com/admin
2. Navigate to Settings -> Keys
3. Click 'Generate API key'
4. Set expiry (1-90 days) and copy the key immediately -- it is shown only once
5. Key prefix is tskey-api-. Requires Owner, Admin, IT admin, or Network admin role.
6. Alternative: create an OAuth client under Settings -> OAuth for long-lived automated access

**Environment variable:** `CREDENTIAL_TAILSCALE_API_TOKEN`

[Authentication docs](https://tailscale.com/kb/1101/api)

*API keys expire after 1-90 days and cannot be renewed -- create a new one before expiry. For automation, prefer OAuth clients which support token refresh. Use '-' as the tailnet parameter to target your own tailnet.*

## How do you install the Tailscale MCP server with ToolMesh?

Add to your `backends.yaml`:

```yaml
- name: tailscale
  transport: rest
  dadl: tailscale.dadl

```

Set the credential:

```
CREDENTIAL_TAILSCALE_API_TOKEN=your-token-here
```

## What 60 tools does the Tailscale DADL expose?

- **GET** `list_devices` — List all devices in the tailnet
- **GET** `get_device` — Get details of a specific device
- **DELETE** `delete_device` — Remove a device from the tailnet
- **POST** `authorize_device` — Authorize or deauthorize a device
- **POST** `expire_device_key` — Expire a device's node key, forcing it to re-authenticate
- **POST** `set_device_key` — Set device key properties (e.g. disable key expiry)
- **POST** `set_device_name` — Set custom display name for a device
- **POST** `set_device_tags` — Set ACL tags on a device (replaces existing tags)
- **POST** `set_device_ip` — Set the Tailscale IPv4 address of a device
- **GET** `get_device_routes` — Get advertised and enabled subnet routes for a device
- **POST** `set_device_routes` — Set which subnet routes are enabled for a device
- **GET** `get_device_posture_attributes` — Get custom posture attributes for a device
- **POST** `set_device_posture_attribute` — Set a custom posture attribute on a device
- **DELETE** `delete_device_posture_attribute` — Delete a custom posture attribute from a device
- **GET** `list_users` — List users in the tailnet
- **GET** `get_user` — Get details of a specific user
- **POST** `approve_user` — Approve a pending user
- **POST** `suspend_user` — Suspend a user (disables their access to the tailnet)
- **POST** `restore_user` — Restore a previously suspended user
- **POST** `delete_user` — Delete a user from the tailnet
- **POST** `set_user_role` — Update a user's role in the tailnet
- **GET** `list_keys` — List all auth keys and API access tokens in the tailnet
- **GET** `get_key` — Get details of a specific key
- **POST** `create_auth_key` — Create a new auth key for device registration
- **DELETE** `delete_key` — Revoke and delete a key
- **GET** `get_dns_nameservers` — Get the global DNS nameservers for the tailnet
- **POST** `set_dns_nameservers` — Set the global DNS nameservers (replaces existing list)
- **GET** `get_dns_searchpaths` — Get DNS search paths for the tailnet
- **POST** `set_dns_searchpaths` — Set DNS search paths (replaces existing list)
- **GET** `get_dns_preferences` — Get DNS preferences (MagicDNS status)
- **POST** `set_dns_preferences` — Set DNS preferences (enable/disable MagicDNS)
- **GET** `get_dns_split` — Get split DNS configuration
- **PUT** `set_dns_split` — Replace the entire split DNS configuration
- **PATCH** `patch_dns_split` — Merge updates into the split DNS configuration (existing entries preserved)
- **GET** `get_acl` — Get the current ACL/policy file. Returns ETag header for concurrency control.
- **POST** `set_acl` — Replace the ACL/policy file. Use If-Match header with ETag for optimistic concurrency.
- **POST** `preview_acl` — Preview how ACL rules apply to a specific user or IP:port
- **POST** `validate_acl` — Validate an ACL policy without applying it
- **POST** `test_acl` — Run the test cases defined in the ACL policy
- **GET** `list_webhooks` — List all webhook endpoints in the tailnet
- **POST** `create_webhook` — Create a new webhook endpoint
- **GET** `get_webhook` — Get details of a webhook endpoint
- **PATCH** `update_webhook` — Update a webhook endpoint's subscriptions
- **DELETE** `delete_webhook` — Delete a webhook endpoint
- **POST** `test_webhook` — Send a test event to a webhook endpoint
- **POST** `rotate_webhook_secret` — Rotate the signing secret for a webhook endpoint
- **GET** `get_contacts` — Get tailnet contact emails (account, support, security)
- **PATCH** `update_contact` — Update a contact email address
- **POST** `resend_contact_verification` — Resend verification email for a contact
- **GET** `get_tailnet_settings` — Get tailnet-wide settings (auto-updates, approval, key duration, etc.)
- **PATCH** `update_tailnet_settings` — Update tailnet settings (partial update)
- **GET** `list_posture_integrations` — List device posture integrations (CrowdStrike, Intune, Jamf, etc.)
- **POST** `create_posture_integration` — Create a new posture integration
- **GET** `get_posture_integration` — Get details of a posture integration
- **PATCH** `update_posture_integration` — Update a posture integration
- **DELETE** `delete_posture_integration` — Delete a posture integration
- **GET** `get_log_stream_config` — Get log stream configuration for a log type
- **PUT** `set_log_stream_config` — Set log stream destination (Splunk, Elastic, Datadog, S3, etc.)
- **DELETE** `delete_log_stream_config` — Delete log stream configuration
- **GET** `get_log_stream_status` — Get current status of log streaming

## Which DADLs are related to Tailscale?

- [NetBox](https://www.dadl.ai/d/netbox/) — NetBox DCIM/IPAM API -- full v4 coverage: sites, racks, devices, modules, interfaces, cables, power, IPAM (prefixes, IPs, VLANs, VRFs, route-targets, VLAN translation), virtualization, circuits (including virtual circuits), tenants, contacts, VPN (IKE/IPSec/L2VPN), wireless, extras (webhooks, event-rules, scripts, config-templates, bookmarks, notifications), users/permissions/tokens, and core data sources & jobs
- [Cloudflare](https://www.dadl.ai/d/cloudflare/) — Cloudflare API -- DNS, Pages, Workers, KV, R2, D1, Zones, SSL/TLS, Cache, Load Balancers, Firewall/WAF, Page Rules, Access (Zero Trust), and account management
- [Hetzner Cloud](https://www.dadl.ai/d/hetzner-cloud/) — Hetzner Cloud API -- servers, volumes, networks, load balancers, firewalls, floating IPs, primary IPs, images, SSH keys, placement groups, certificates, and infrastructure metadata
- [Linode](https://www.dadl.ai/d/linode/) — Linode (Akamai) cloud infrastructure API -- compute instances, volumes, DNS, networking, Kubernetes, databases, object storage, and account management
- [Mempool](https://www.dadl.ai/d/mempool/) — mempool.space — Bitcoin block explorer, mempool visualizer, fee estimator, Lightning Network explorer, and transaction accelerator
- [Mikrotik](https://www.dadl.ai/d/mikrotik/) — MikroTik RouterOS REST API -- manage interfaces, IP addresses, routing, firewall, DHCP, DNS, PPP, queues, wireless, system configuration, users, certificates, files, logs, and diagnostics on RouterOS v7.1+ devices

---

**Canonical URL:** https://www.dadl.ai/d/tailscale/
**Raw DADL:** https://github.com/DunkelCloud/dadl-registry/blob/main/tailscale.dadl