OAuth on Tailscale
Tailscale supports OAuth for tools and integrations that act on your tailnet. Two mechanisms are available, and they differ in the identity that resulting actions carry:
- OAuth clients use the client credentials flow. They create tag-owned resources tied to a service identity, and are suited to automation that runs without a person present.
- OAuth apps use the authorization code flow. A user completes a consent screen, and the resulting authorization carries that individual user's identity.
Explore the following topics to work with OAuth on Tailscale:
- OAuth clients: Use OAuth clients to provide ongoing access to the Tailscale API.
- OAuth apps: Build internal tools that act on behalf of individual users through a standard OAuth 2.0 authorization code flow, so each action carries the consenting user's identity.
- Device provisioning with OAuth apps: Build internal tools that provision tailnet devices on behalf of individual users with a standard OAuth authorization code flow, so each device carries the consenting user's identity.