· updated April 20, 2026
99 tools covering the full Tailscale v2 API - devices, ACLs, DNS, auth keys, users, webhooks, workload identity, OAuth clients, and more - from any MCP-compatible AI assistant.
If you use Tailscale, you've spent time in the admin console clicking through devices, editing ACL policies, managing DNS settings, and creating auth keys. It works, but it's a context switch every time. And for anything beyond the most common operations - workload identity, posture integrations, log streaming, audit forensics - you either live in the API docs or give up and do it manually.
tailscale-mcp is an MCP server that gives your AI assistant direct access to every corner of the Tailscale API. Ask Claude Code (or Cursor, or Claude Desktop, or any MCP-speaking client) to list your devices, draft an ACL change, check DNS settings, or create an auth key - and it does it. No tab switching, no copy-pasting node IDs, no remembering that the field is keyExpiryDisabled and not disableKeyExpiry.
Add it to your MCP client config:
{
"mcpServers": {
"tailscale": {
"command": "npx",
"args": ["-y", "@yawlabs/tailscale-mcp"],
"env": {
"TAILSCALE_API_KEY": "tskey-api-..."
}
}
}
}
That's the entire setup. No config files, no install steps, no daemon to run. It auto-detects your tailnet and starts responding to requests immediately. OAuth is supported too - set TAILSCALE_OAUTH_CLIENT_ID and TAILSCALE_OAUTH_CLIENT_SECRET instead if you want scoped access.
99 tools is a lot. If you already run a handful of MCP servers, you probably don't want another dumping 99 tool descriptions into your client's context window. Three orthogonal knobs let you subset what loads:
TAILSCALE_PROFILE=minimal - 19 tools. Status, devices, audit log. Observation only.TAILSCALE_PROFILE=core - 46 tools. Adds ACL, DNS, auth keys, users. The day-to-day admin surface.TAILSCALE_PROFILE=full - all 99 tools. Default if the env var is unset.For explicit control, TAILSCALE_TOOLS=devices,acl,audit loads only the named groups. To cap mutations entirely, TAILSCALE_READONLY=1 intersects with whichever profile or tool list you've set, dropping every tool that doesn't have readOnlyHint: true. A good starting position for people new to handing tailnet access to an agent is TAILSCALE_PROFILE=core with TAILSCALE_READONLY=1.
The server covers the full Tailscale v2 API across 99 tools, grouped into sixteen areas:
List all devices on your tailnet, authorize or expire one, rename it, manage subnet routes, update tags, batch-update posture attributes, set a device IP, disable key expiry for servers. When you're onboarding a new machine and need to approve it, enable routes, and tag it - that's one conversation instead of three admin console pages.
Read and update your ACL policy with full HuJSON support - comments, trailing commas, and formatting are preserved through the round-trip. Every write uses ETag-based concurrency control, so two edits racing for the policy don't silently overwrite each other. You can also validate a proposed policy before applying it and preview which rules would match for a specific user or IP.
Manage nameservers, search paths, split DNS, and MagicDNS preferences, either individually or through unified get/set tools that read and write the full DNS configuration in one call. Add a split DNS entry for an internal domain without opening the admin console.
Create, list, inspect, update, and delete authentication keys. Useful when scripting device enrollment, rotating CI credentials, or auditing what's still out there.
List and inspect users, approve pending users, update roles (owner, admin, member), suspend or restore access, delete users and their devices.
View and update tailnet-wide settings - HTTPS certificates, device approval, auto-updates, key expiry, posture enforcement, regional routing, network flow logging, external ACL management. Manage admin contacts separately.
Create, list, update, delete, and test webhook subscriptions. Rotate a webhook secret in place. Set up notifications for device events, user changes, or policy updates without touching the admin console.
Pull the configuration audit log (who changed what, when) and network flow logs (traffic between devices). When you're investigating an incident and need to know what changed in a window, query it from the same terminal where you're debugging.
Configure where Tailscale sends its audit and network logs - Axiom, Datadog, Splunk, S3, any HTTP endpoint. Check delivery status, validate an AWS IAM trust policy, get or create an AWS external ID for S3 streaming.
Manage OIDC workload identity providers for GitHub Actions, GitLab CI, and other federated CI systems that authenticate to Tailscale without shipping long-lived credentials.
Create and manage OAuth clients for programmatic API access with scoped permissions.
Manage device posture integrations with CrowdStrike, SentinelOne, Intune, and other endpoint security providers. Posture attributes on devices feed into ACL decisions.
List, inspect, update, and delete Tailscale Services. Manage which devices are approved to host a service.
Device invites for sharing a device across tailnets, user invites for onboarding new members. Create, list, get, resend, delete, accept - all six operations on both types.
Check tailnet lock status and view trusted signing keys.
Managing network infrastructure from an AI assistant sounds risky. tailscale-mcp is built with that in mind -- and on the agent side, the discipline that gates destructive tool calls before they fire is what Claude Code hooks exist for, covered in Claude Code in Production:
readOnlyHint, destructiveHint, and idempotentHint so your MCP client can gate confirmations the way you configured it. Reads don't prompt, writes do, destructive operations require explicit approval.tag:, posture attributes with custom:, dates in RFC3339. Malformed requests fail early with clear errors.npm test locally to confirm.tailscale-mcp uses the standard Model Context Protocol, so it works with Claude Code, Cursor, Claude Desktop, VS Code, Windsurf, and any other MCP-compatible client. If you use yaw terminal, the Tailscale integration goes even deeper - yaw's connection manager auto-detects Tailscale nodes on your tailnet for one-click SSH connections, and you can use tailscale-mcp from yaw's built-in AI assistant in the same window.
If you'd rather not run MCP servers locally, mcp.hosting lets you deploy and manage MCP servers in the cloud - including tailscale-mcp. It handles compliance testing, session proxying via the session proxy spec, and hosting so your tools stay available without a local process running. Server-side profile filtering composes cleanly with mcp.hosting's per-conversation tool activation - set TAILSCALE_PROFILE=core on the server and let mcp.hosting narrow further per conversation.
You could use the Tailscale API directly with curl. But the value of an MCP server is that the agent can compose. When you say "authorize the new staging server and enable its subnet routes," the agent lists devices, finds the one you mean, authorizes it, and updates its routes - without you looking up the device ID or remembering which endpoints are involved. When you say "which devices haven't checked in for 30 days and have key expiry disabled," that's a projection, a filter, and a format step - three things a shell script can do but that the agent just does.
For a walkthrough of five audits this server answers in one prompt - with the design choices that keep the composition safe - see Five Tailscale Audits I Now Answer in One Prompt.
The agent handles the plumbing. You describe the outcome.
npx @yawlabs/tailscale-mcp
Published by Yaw Labs.