Devices, ACLs, DNS, auth keys, users, webhooks — all from your AI assistant.
If you use Tailscale, you've spent time in the admin console clicking through devices, editing ACL policies, managing DNS settings, and creating auth keys. It works, but it's a context switch every time.
tailscale-mcp is an MCP server that gives your AI assistant direct access to the Tailscale API. Ask Claude Code to list your devices, update an ACL policy, check DNS settings, or create an auth key — and it just does it. No tab switching, no copy-pasting node IDs.
Add it to your MCP config and you're done:
{
  "mcpServers": {
    "tailscale": {
      "command": "npx",
      "args": ["-y", "@yawlabs/tailscale-mcp"],
      "env": {
        "TAILSCALE_API_KEY": "tskey-api-..."
      }
    }
  }
}
That's the entire setup. No config files, no install steps, no daemon to run. It auto-detects your tailnet and starts responding to requests immediately.
tailscale-mcp covers ten areas of the Tailscale API:
List all devices on your tailnet, authorize or expire a device, rename it, manage route settings, update tags, and set posture attributes. When you're onboarding a new server and need to approve it, enable subnet routes, and tag it — that's one conversation instead of three admin console pages.
Read and update your ACL policy with full HuJSON support — comments, trailing commas, and formatting are preserved. Every write uses ETag-based concurrency control, so concurrent edits don't silently overwrite each other. You can also validate policy changes before applying them and preview which rules would match for specific users.
Manage nameservers, search paths, split DNS configurations, and MagicDNS preferences. Need to add a new split DNS entry for an internal domain? Ask your agent.
Create, list, inspect, and delete authentication keys. Useful when scripting device enrollment or rotating keys for CI/CD pipelines.
Manage user lifecycle — list users, get details, update roles, approve pending users, suspend or restore access.
View and update tailnet-wide settings and manage admin contacts.
Create, list, update, delete, and test webhook subscriptions. Set up notifications for device events, user changes, or policy updates without visiting the admin console.
Pull audit logs and network flow logs. When you're investigating an incident and need to know who changed what and when, you can query the audit log from the same terminal where you're debugging.
Check network lock status, view trusted signing keys, and manage device posture integrations with providers like CrowdStrike, SentinelOne, and Intune.
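The ETag-based concurrency control described above for ACL policy writes, as an added example that is not code from tailscale-mcp or Tailscale. It assumes standard HTTP semantics (a write carrying a stale If-Match value is rejected with 412); `PolicyStore`, `safeUpdate`, `raceScenario` and the sample policy are constructed for illustration.

```javascript
// Constructed in-memory stand-in for a policy endpoint (hypothetical names throughout).
function etagOf(text) {
  let h = 0x811c9dc5; // FNV-1a, enough to fingerprint a policy revision here
  for (let i = 0; i < text.length; i++) {
    h = Math.imul(h ^ text.charCodeAt(i), 0x01000193) >>> 0;
  }
  return '"' + h.toString(16).padStart(8, "0") + '"';
}

class PolicyStore {
  constructor(body) { this.body = body; }
  read() { return { status: 200, etag: etagOf(this.body), body: this.body }; }
  // ifMatch omitted = unconditional write; stale ifMatch = 412 Precondition Failed
  write(body, ifMatch) {
    if (ifMatch !== undefined && ifMatch !== etagOf(this.body)) return { status: 412 };
    this.body = body;
    return { status: 200, etag: etagOf(body) };
  }
}

// Text-level edit so HuJSON comments and trailing commas survive untouched.
const addRule = (rule) => (text) => text.replace("  ],", "    " + rule + ",\n  ],");

// Read-modify-write loop: on 412, re-read the current policy and reapply the edit.
function safeUpdate(store, edit, maxAttempts = 3) {
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const current = store.read();
    const res = store.write(edit(current.body), current.etag);
    if (res.status === 200) return { ok: true, attempts: attempt };
  }
  return { ok: false, attempts: maxAttempts };
}

const INITIAL = '{\n  // constructed sample policy\n  "acls": [\n    {"action": "accept", "src": ["group:dev"], "dst": ["tag:staging:22"]},\n  ],\n}';
const RULE_A = '{"action": "accept", "src": ["group:ops"], "dst": ["tag:prod:22"]}';
const RULE_B = '{"action": "accept", "src": ["group:ci"], "dst": ["tag:build:443"]}';

// Editor B reads, editor A writes in between, then B writes from its stale copy.
function raceScenario(useIfMatch) {
  const store = new PolicyStore(INITIAL);
  const staleB = store.read();
  safeUpdate(store, addRule(RULE_A));
  const res = store.write(addRule(RULE_B)(staleB.body), useIfMatch ? staleB.etag : undefined);
  const rejected = res.status === 412;
  if (rejected) safeUpdate(store, addRule(RULE_B)); // B re-reads and reapplies its edit
  const has = (s) => store.body.includes(s);
  return { rejected, hasA: has("group:ops"), hasB: has("group:ci"), commentKept: has("// constructed") };
}

console.log({ withIfMatch: raceScenario(true), withoutIfMatch: raceScenario(false) });
```

Without the If-Match value, editor A's rule disappears with no error; with it, the stale write is rejected and both rules end up in the policy.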
Managing network infrastructure from an AI assistant sounds risky. tailscale-mcp is built with that in mind:
tailscale-mcp uses the standard Model Context Protocol, so it works with Claude Code, Cursor, and any other MCP-compatible client. If you use yaw terminal, the Tailscale integration goes even deeper — yaw's connection manager auto-detects Tailscale nodes on your tailnet for one-click SSH connections, and you can use tailscale-mcp from yaw's built-in AI assistant in the same window.
If you'd rather not run MCP servers locally, mcp.hosting lets you deploy and manage MCP servers in the cloud — including tailscale-mcp. It handles compliance testing, session proxying via the session proxy spec, and hosting so your tools stay available without a local process running.
You could use the Tailscale API directly with curl. But the value of an MCP server is that the AI assistant understands the context of what you're doing. When you say "authorize the new staging server and enable its subnet routes," the agent knows to list devices, find the one you mean, authorize it, and then update its route settings — without you looking up the device ID or remembering the exact API endpoints.
The agent handles the plumbing. You describe the outcome.
npx @yawlabs/tailscale-mcp
Published by Yaw Labs.