productivity
Tailscale MCP, CLI, and Lua Integration for AI Agents
Tailscale integration docs for AI agents: MCP gateway setup, Tailscale CLI commands, Lua API reference, credentials, and function schemas.Tailscale for agents
Credentials can be configured manually in web or CLI hosts.
Use this integration from Lua code mode, the headless integrations CLI, or the KosmoKrator MCP gateway. The same package metadata powers all three surfaces.
Agent Surfaces
Machine-Readable Metadata
Function Catalog
| Function | Type | Parameters | Description |
|---|---|---|---|
tailscale.tailscale_list_tailnet_devices | Read read | 0 | List tailnet devices Official Tailscale endpoint: GET /tailnet/{tailnet}/devices Lists the devices in a tailnet. OAuth Scope: `devices:core:read`. |
tailscale.tailscale_batch_update_custom_device_posture_attributes | Write write | 0 | Batch update custom device posture attributes Official Tailscale endpoint: PATCH /tailnet/{tailnet}/device-attributes Batch updates posture attributes across devices in a tailnet. This endpoint uses [JSON Merge Patch](https://datatracker.ie |
tailscale.tailscale_get_device | Read read | 0 | Get a device Official Tailscale endpoint: GET /device/{deviceId} Retrieve the details for the specified device. OAuth Scope: `devices:core:read`. |
tailscale.tailscale_delete_device | Write write | 0 | Delete a device Official Tailscale endpoint: DELETE /device/{deviceId} Deletes the device from its tailnet. The device must belong to the requesting user's tailnet. Deleting devices shared with the tailnet is not supported. OAuth Scope: `de |
tailscale.tailscale_expire_device_key | Write write | 0 | Expire a device's key Official Tailscale endpoint: POST /device/{deviceId}/expire Mark a device's node key as expired. This will require the device to re-authenticate in order to connect to the tailnet. The device must belong to the request |
tailscale.tailscale_list_device_routes | Read read | 0 | List device routes Official Tailscale endpoint: GET /device/{deviceId}/routes Retrieve the list of subnet routes that a device is advertising, as well as those that are enabled for it. Routes must be both advertised and enabled for a device |
tailscale.tailscale_set_device_routes | Write write | 0 | Set device routes Official Tailscale endpoint: POST /device/{deviceId}/routes Set a device's enabled subnet routes by replacing the existing list of subnet routes with the supplied parameters. [Advertised routes](/kb/1019/subnets#advertise- |
tailscale.tailscale_authorize_device | Write write | 0 | Authorize device Official Tailscale endpoint: POST /device/{deviceId}/authorized This call marks a device as authorized or revokes its authorization for tailnets where device authorization is required, according to the authorized field in t |
tailscale.tailscale_set_device_name | Write write | 0 | Set device name Official Tailscale endpoint: POST /device/{deviceId}/name When a device is added to a tailnet, its Tailscale [device name](https://tailscale.com/kb/1098/machine-names) (also sometimes referred to as machine name) is generate |
tailscale.tailscale_set_device_tags | Write write | 0 | Set device tags Official Tailscale endpoint: POST /device/{deviceId}/tags Tags let you assign an identity to a device that is separate from human users, and use that identity as part of an ACL to restrict access. Tags are similar to role ac |
tailscale.tailscale_update_device_key | Write write | 0 | Update device key Official Tailscale endpoint: POST /device/{deviceId}/key When a device is added to a tailnet, its key expiry is set according to the tailnet's key expiry setting. If the key is not refreshed and expires, the device can no |
tailscale.tailscale_set_device_ip | Write write | 0 | Set device IPv4 address Official Tailscale endpoint: POST /device/{deviceId}/ip When a device is added to a tailnet, its Tailscale IPv4 address is set at random either from the CGNAT range, or a subset of the CGNAT range specified by an [ip |
tailscale.tailscale_get_device_posture_attributes | Read read | 0 | Get device posture attributes Official Tailscale endpoint: GET /device/{deviceId}/attributes Retrieve all posture attributes for the specified device. This returns a JSON object of all the key-value pairs of posture attributes for the devic |
tailscale.tailscale_set_custom_device_posture_attributes | Write write | 0 | Set custom device posture attributes Official Tailscale endpoint: POST /device/{deviceId}/attributes/{attributeKey} Create or update a custom posture attribute on the specified device. User-managed attributes must be in the custom namespace |
tailscale.tailscale_delete_custom_device_posture_attributes | Write write | 0 | Delete custom device posture attributes Official Tailscale endpoint: DELETE /device/{deviceId}/attributes/{attributeKey} Delete a posture attribute from the specified device. This is only applicable to user-managed posture attributes in the |
tailscale.tailscale_list_device_invites | Read read | 0 | List device invites Official Tailscale endpoint: GET /device/{deviceId}/device-invites List all share invites for a device. OAuth Scope: `device_invites:read`. |
tailscale.tailscale_create_device_invites | Write write | 0 | Create device invites Official Tailscale endpoint: POST /device/{deviceId}/device-invites Create new share invites for a device. Note that device invites cannot be created using an API access token generated from an OAuth client as the shar |
tailscale.tailscale_list_user_invites | Read read | 0 | List user invites Official Tailscale endpoint: GET /tailnet/{tailnet}/user-invites List all open (not yet accepted) user invites to the tailnet. |
tailscale.tailscale_create_user_invites | Write write | 0 | Create user invites Official Tailscale endpoint: POST /tailnet/{tailnet}/user-invites Create, and optionally email out, new user invites to join the tailnet. > ⓘ Only permitted for user-owned keys, because invites require an inviting user |
tailscale.tailscale_get_user_invite | Read read | 0 | Get a user invite Official Tailscale endpoint: GET /user-invites/{userInviteId} Retrieve a specific user invite. |
tailscale.tailscale_delete_user_invite | Write write | 0 | Delete a user invite Official Tailscale endpoint: DELETE /user-invites/{userInviteId} Deletes a specific user invite. > ⓘ Only permitted for user-owned keys, because invites require an inviting user. |
tailscale.tailscale_resend_user_invite | Write write | 0 | Resend a user invite Official Tailscale endpoint: POST /user-invites/{userInviteId}/resend Resend a user invite by email. You can only use this if the specified invite was originally created with an email specified. Refer to [creating user |
tailscale.tailscale_get_device_invite | Read read | 0 | Get a device invite Official Tailscale endpoint: GET /device-invites/{deviceInviteId} Retrieve a specific device invite. OAuth Scope: `device_invites:read`. |
tailscale.tailscale_delete_device_invite | Write write | 0 | Delete a device invite Official Tailscale endpoint: DELETE /device-invites/{deviceInviteId} Delete a specific device invite. OAuth Scope: `device_invites`. |
tailscale.tailscale_resend_device_invite | Write write | 0 | Resend a device invite Official Tailscale endpoint: POST /device-invites/{deviceInviteId}/resend Resend a device invite by email. You can only use this if the specified invite was originally created with an email specified. Refer to [creati |
tailscale.tailscale_accept_device_invite | Write write | 0 | Accept a device invite Official Tailscale endpoint: POST /device-invites/-/accept Accepts the invitation to share a device into the requesting user's tailnet. Note that device invites cannot be accepted using an API access token generated f |
tailscale.tailscale_list_configuration_audit_logs | Read read | 0 | List configuration audit logs Official Tailscale endpoint: GET /tailnet/{tailnet}/logging/configuration List all configuration audit logs for a tailnet. OAuth Scope: `logs:configuration:read`. |
tailscale.tailscale_list_network_flow_logs | Read read | 0 | List network flow logs Official Tailscale endpoint: GET /tailnet/{tailnet}/logging/network List all network flow logs for a tailnet. OAuth Scope: `logs:network:read`. |
tailscale.tailscale_get_log_streaming_status | Read read | 0 | Get log streaming status Official Tailscale endpoint: GET /tailnet/{tailnet}/logging/{logType}/stream/status Retrieve the log streaming status for the provided log type. OAuth Scope: `log_streaming:read`. |
tailscale.tailscale_get_log_streaming_configuration | Read read | 0 | Get log streaming configuration Official Tailscale endpoint: GET /tailnet/{tailnet}/logging/{logType}/stream Retrieve the log streaming configuration for the provided log type. OAuth Scope: `log_streaming:read`. |
tailscale.tailscale_set_log_streaming_configuration | Write write | 0 | Set log streaming configuration Official Tailscale endpoint: PUT /tailnet/{tailnet}/logging/{logType}/stream Set the log streaming configuration for the provided log type. OAuth Scope: `log_streaming`. `device_invites` and `policy_file` are |
tailscale.tailscale_disable_log_streaming | Write write | 0 | Disable log streaming Official Tailscale endpoint: DELETE /tailnet/{tailnet}/logging/{logType}/stream Delete the log streaming configuration for the provided log type. OAuth Scope: `log_streaming`. |
tailscale.tailscale_get_aws_external_id | Write write | 0 | Create or get AWS external id Official Tailscale endpoint: POST /tailnet/{tailnet}/aws-external-id Get an AWS external id to use for streaming tailnet logs to S3 using role-based authentication, creating a new one for this tailnet when nece |
tailscale.tailscale_validate_aws_external_id | Write write | 0 | Validate external ID integration with IAM role trust policy Official Tailscale endpoint: POST /tailnet/{tailnet}/aws-external-id/{id}/validate-aws-trust-policy Validate that Tailscale can assume your IAM role with (and only with) this exter |
tailscale.tailscale_list_dns_nameservers | Read read | 0 | List DNS nameservers Official Tailscale endpoint: GET /tailnet/{tailnet}/dns/nameservers Lists the global DNS nameservers for a tailnet. |
tailscale.tailscale_set_dns_nameservers | Write write | 0 | Set DNS nameservers Official Tailscale endpoint: POST /tailnet/{tailnet}/dns/nameservers Replaces the list of global DNS nameservers for the given tailnet with the list supplied in the request. Note that changing the list of DNS nameservers |
tailscale.tailscale_get_dns_preferences | Read read | 0 | Get DNS preferences Official Tailscale endpoint: GET /tailnet/{tailnet}/dns/preferences Retrieves the DNS preferences that are currently set for the given tailnet. |
tailscale.tailscale_set_dns_preferences | Write write | 0 | Set DNS preferences Official Tailscale endpoint: POST /tailnet/{tailnet}/dns/preferences Set the DNS preferences for a tailnet; specifically, the MagicDNS setting. Note that MagicDNS is dependent on DNS servers. Learn about [MagicDNS](https |
tailscale.tailscale_list_dns_search_paths | Read read | 0 | List DNS search paths Official Tailscale endpoint: GET /tailnet/{tailnet}/dns/searchpaths Retrieves the list of search paths, also referred to as *search domains*, that is currently set for the given tailnet. |
tailscale.tailscale_set_dns_search_paths | Write write | 0 | Set DNS search paths Official Tailscale endpoint: POST /tailnet/{tailnet}/dns/searchpaths Replaces the list of search paths for the given tailnet. |
tailscale.tailscale_get_split_dns | Read read | 0 | Get split DNS Official Tailscale endpoint: GET /tailnet/{tailnet}/dns/split-dns Retrieves the split DNS settings, which is a map from domains to lists of nameservers, that is currently set for the given tailnet. |
tailscale.tailscale_set_split_dns | Write write | 0 | Set split DNS Official Tailscale endpoint: PUT /tailnet/{tailnet}/dns/split-dns Replaces the split DNS settings for a given tailnet. Setting the value of a mapping to `null` clears the nameservers for that domain. Sending an empty object cl |
tailscale.tailscale_update_split_dns | Write write | 0 | Update split DNS Official Tailscale endpoint: PATCH /tailnet/{tailnet}/dns/split-dns Performs partial updates of the split DNS settings for a given tailnet. Only domains specified in the request map will be modified. Setting the value of a |
tailscale.tailscale_get_dns_configuration | Read read | 0 | Get DNS configuration Official Tailscale endpoint: GET /tailnet/{tailnet}/dns/configuration Retrieves the full DNS configuration for a tailnet, including global nameservers, split DNS routes, search paths, and MagicDNS configuration. |
tailscale.tailscale_set_dns_configuration | Write write | 0 | Set DNS configuration Official Tailscale endpoint: POST /tailnet/{tailnet}/dns/configuration Replaces the DNS configuration for the given tailnet. - `nameservers` defines the global resolvers to use when `preferences.overrideLocalDNS` is tr |
tailscale.tailscale_list_tailnet_keys | Read read | 0 | List tailnet keys Official Tailscale endpoint: GET /tailnet/{tailnet}/keys Returns a list of active auth keys, API access tokens and trust credentials. If the parameter {all} was not specified, the set of keys returned depends on the access |
tailscale.tailscale_create_key | Write write | 0 | Create an auth key or trust credential Official Tailscale endpoint: POST /tailnet/{tailnet}/keys Creates a new [auth key](https://tailscale.com/kb/1085/), or [trust credential](https://tailscale.com/kb/1623/) in the specified tailnet. Trust |
tailscale.tailscale_get_key | Read read | 0 | Get key Official Tailscale endpoint: GET /tailnet/{tailnet}/keys/{keyId} Returns a JSON object with information about a specific api access token, OAuth client, federated identity, or auth key, such as its creation and expiration dates and |
tailscale.tailscale_set_key | Write write | 0 | Set key Official Tailscale endpoint: PUT /tailnet/{tailnet}/keys/{keyId} Set the configuration for an existing OAuth client or federated identity. OAuth Scope: `oauth_keys` grants access to OAuth clients. OAuth Scope: `federated_keys` grant |
tailscale.tailscale_delete_key | Write write | 0 | Delete key Official Tailscale endpoint: DELETE /tailnet/{tailnet}/keys/{keyId} Deletes a specific api access token or auth key. OAuth Scope: `api_access_tokens` grants access to personal API access tokens. OAuth Scope: `auth_keys` grants ac |
tailscale.tailscale_get_policy_file | Read read | 0 | Get policy file Official Tailscale endpoint: GET /tailnet/{tailnet}/acl Retrieves the current policy file for the given tailnet; this includes the ACL along with the rules and tests that have been defined. This method can return the policy |
tailscale.tailscale_set_policy_file | Write write | 0 | Set policy file Official Tailscale endpoint: POST /tailnet/{tailnet}/acl Sets the ACL for the given tailnet. HuJSON and JSON are both accepted inputs. An `If-Match` header can be set to avoid missed updates. On success, returns the updated |
tailscale.tailscale_preview_rule_matches | Write write | 0 | Preview rule matches Official Tailscale endpoint: POST /tailnet/{tailnet}/acl/preview When given a user or IP port to match against, returns the tailnet policy rules that apply to that resource, without saving the policy file to the server. |
tailscale.tailscale_validate_and_test_policy_file | Write write | 0 | Validate and test policy file Official Tailscale endpoint: POST /tailnet/{tailnet}/acl/validate This endpoint works in one of two modes, neither of which modifies your current tailnet policy file: - Run ACL tests: When the request body cont |
tailscale.tailscale_get_posture_integrations | Read read | 0 | List all posture integrations Official Tailscale endpoint: GET /tailnet/{tailnet}/posture/integrations List all of the posture integrations for a tailnet. OAuth Scope: `feature_settings:read`. |
tailscale.tailscale_create_posture_integration | Write write | 0 | Create a posture integration Official Tailscale endpoint: POST /tailnet/{tailnet}/posture/integrations Create a posture integration, returning the resulting [PostureIntegration](#model/postureintegration). Must include `provider` and `clien |
tailscale.tailscale_get_posture_integration | Read read | 0 | Get a posture integration Official Tailscale endpoint: GET /posture/integrations/{id} Gets the posture integration identified by `{id}`. OAuth Scope: `feature_settings:read`. |
tailscale.tailscale_update_posture_integration | Write write | 0 | Update a posture integration Official Tailscale endpoint: PATCH /posture/integrations/{id} Updates the posture integration identified by `{id}`. You may omit the `clientSecret` from your request to retain the previously configured `clientSe |
tailscale.tailscale_delete_posture_integration | Write write | 0 | Delete a posture integration Official Tailscale endpoint: DELETE /posture/integrations/{id} Delete a specific posture integration. OAuth Scope: `feature_settings`. |
tailscale.tailscale_list_users | Read read | 0 | List users Official Tailscale endpoint: GET /tailnet/{tailnet}/users List all users of a tailnet. OAuth Scope: `users:read`. |
tailscale.tailscale_get_user | Read read | 0 | Get a user Official Tailscale endpoint: GET /users/{userId} Retrieve details about the specified user. OAuth Scope: `users:read`. |
tailscale.tailscale_update_user_role | Write write | 0 | Update user role Official Tailscale endpoint: POST /users/{userId}/role Update the role for the specified user. Learn more about [user roles](kb/1138/user-roles). OAuth Scope: `users`. > ⓘ User-based access tokens cannot update their own |
tailscale.tailscale_approve_user | Write write | 0 | Approve a user Official Tailscale endpoint: POST /users/{userId}/approve Approve a pending user's access to the tailnet. This is a no-op if user approval has not been enabled for the tailnet, or if the user is already approved. User approva |
tailscale.tailscale_suspend_user | Write write | 0 | Suspend a user Official Tailscale endpoint: POST /users/{userId}/suspend Suspends a user from their tailnet. Learn more about [suspending users](/kb/1145/remove-team-members#suspending-users). OAuth Scope: `users`. > ⓘ User-based access t |
tailscale.tailscale_restore_user | Write write | 0 | Restore a user Official Tailscale endpoint: POST /users/{userId}/restore Restores a suspended user's access to their tailnet. Learn more about [restoring users](/kb/1145/remove-team-members#restoring-users). OAuth Scope: `users`. > ⓘ User |
tailscale.tailscale_delete_user | Write write | 0 | Delete a user Official Tailscale endpoint: POST /users/{userId}/delete Delete a user from their tailnet. Learn more about [deleting users](/kb/1145/remove-team-members#deleting-users). OAuth Scope: `users`. > ⓘ User-based access tokens ca |
tailscale.tailscale_get_contacts | Read read | 0 | Get contacts Official Tailscale endpoint: GET /tailnet/{tailnet}/contacts Retrieve the tailnet's current contacts. OAuth Scope: `account_settings:read`. |
tailscale.tailscale_update_contact | Write write | 0 | Update contact Official Tailscale endpoint: PATCH /tailnet/{tailnet}/contacts/{contactType} Update the preferences for this type of contact. If the email address has changed, the system will send a verification email to confirm the change. |
tailscale.tailscale_resend_contact_verification_email | Write write | 0 | Resend verification email Official Tailscale endpoint: POST /tailnet/{tailnet}/contacts/{contactType}/resend-verification-email Resends the verification email for this contact, if and only if verification is still pending. OAuth Scope: `acc |
tailscale.tailscale_list_webhooks | Read read | 0 | List webhooks Official Tailscale endpoint: GET /tailnet/{tailnet}/webhooks List all webhooks for a tailnet. OAuth Scope: `webhooks:read`. |
tailscale.tailscale_create_webhook | Write write | 0 | Create a webhook Official Tailscale endpoint: POST /tailnet/{tailnet}/webhooks Create a webhook within a tailnet. OAuth Scope: `webhooks`. |
tailscale.tailscale_get_webhook | Read read | 0 | Get webhook Official Tailscale endpoint: GET /webhooks/{endpointId} Retrieve a specific webhook. OAuth Scope: `webhooks:read`. |
tailscale.tailscale_update_webhook | Write write | 0 | Update webhook Official Tailscale endpoint: PATCH /webhooks/{endpointId} Update a specific webhook. OAuth Scope: `webhooks`. |
tailscale.tailscale_delete_webhook | Write write | 0 | Delete webhook Official Tailscale endpoint: DELETE /webhooks/{endpointId} Delete a specific webhook. OAuth Scope: `webhooks`. |
tailscale.tailscale_test_webhook | Write write | 0 | Test a webhook Official Tailscale endpoint: POST /webhooks/{endpointId}/test Test a specific webhook by sending out a test event to the endpoint URL. This endpoint queues the event which is sent out asynchronously. If your webhook is config |
tailscale.tailscale_rotate_webhook_secret | Write write | 0 | Rotate webhook secret Official Tailscale endpoint: POST /webhooks/{endpointId}/rotate Rotate and generate a new secret for a specific webhook. This secret is used for generating the `Tailscale-Webhook-Signature` header in requests sent to t |
tailscale.tailscale_get_tailnet_settings | Read read | 0 | Get tailnet settings Official Tailscale endpoint: GET /tailnet/{tailnet}/settings Retrieve the settings for a specific tailnet. OAuth Scope: `feature_settings:read` - required to view all settings except those governed by the below scopes. |
tailscale.tailscale_update_tailnet_settings | Write write | 0 | Update tailnet settings Official Tailscale endpoint: PATCH /tailnet/{tailnet}/settings Update the settings for a specific tailnet. OAuth Scope: `feature_settings` - required to update all settings except those governed by the below scopes. |
tailscale.tailscale_list_services | Read read | 0 | List all Services Official Tailscale endpoint: GET /tailnet/{tailnet}/services List all Services configured for the tailnet. This includes all Services in the \"advertised\" tab of the Services page in the Tailscale admin console. OAuth Scope |
tailscale.tailscale_get_service | Read read | 0 | Get a Service Official Tailscale endpoint: GET /tailnet/{tailnet}/services/{serviceName} Retrieve the details for the specified Service. OAuth Scope: `services:read`. |
tailscale.tailscale_update_service | Write write | 0 | Update a Service Official Tailscale endpoint: PUT /tailnet/{tailnet}/services/{serviceName} Update or create the specified Service. If the Service does not exist, it will create a Service with the provided details. When creating a new Servi |
tailscale.tailscale_delete_service | Write write | 0 | Delete a Service Official Tailscale endpoint: DELETE /tailnet/{tailnet}/services/{serviceName} Delete the specified Service from the tailnet. OAuth Scope: `services`. |
tailscale.tailscale_list_service_hosts | Read read | 0 | List devices hosting a Service Official Tailscale endpoint: GET /tailnet/{tailnet}/services/{serviceName}/devices List all devices that are hosting the specified Service. OAuth Scope: `services`, `devices:core`. |
tailscale.tailscale_get_service_device_approval | Read read | 0 | Get approval status of Service on a device Official Tailscale endpoint: GET /tailnet/{tailnet}/services/{serviceName}/device/{deviceId}/approved Retrieve the approval status of the specified Service on a specific device. OAuth Scope: `servi |
tailscale.tailscale_update_service_device_approval | Write write | 0 | Update approval status of Service on a device Official Tailscale endpoint: POST /tailnet/{tailnet}/services/{serviceName}/device/{deviceId}/approved Update the approval status of the specified Service on a specific device. OAuth Scope: `ser |