Tailscale API

The Tailscale API is available for all plans.

Tailscale offers an application programming interface (API) to let you automate various aspects of your network.

Visit our interactive API documentation →

Authentication

You need to be an Owner, Admin, IT admin, or Network admin of a tailnet to generate an access token.

Requests to the API are authenticated by using an access token (sometimes called an API key), which can be generated from the Keys page of the admin console. You can choose the number of days, between 1 and 90 inclusive, for the key expiry. Also note that Tailscale-generated API access tokens are case-sensitive.

This access token will automatically expire after the chosen number of days. If you want to continue using an access token after it expires, you need to generate a new access token. Access tokens can also be revoked before their expiration. Recently expired and revoked access tokens are shown on the Keys page.

As an alternative to an access token that has full permission to the Tailscale API, use trust credentials to provide delegated fine-grained control to the Tailscale API.

More details about authenticating with the API can be found in our interactive API docs.

Node attributes for provisioned devices

When you create an OAuth app for device provisioning with OAuth apps, the request body accepts an optional allowedNodeAttributes field. It takes an array of custom node attributes to automatically assign to every device provisioned through that OAuth app. Each value must use the custom: prefix (for example, custom:provisioned). Only custom attributes can be allowlisted.

Because these attributes are assigned at provision time, you can reference them in device posture conditions (srcPosture) and in grants to gate access based on how a device was provisioned. For the distinction between attributes that attach to a device and capabilities that attach to a connection, refer to node attributes versus grant app capabilities.
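
The following pre-flight check is an added example, not Tailscale's own code: it validates the allowedNodeAttributes field of a request body against the custom: prefix rule above before the body is submitted. The function name, the sample bodies, and the empty-name and duplicate checks are assumptions of this example.

```python
import json

CUSTOM_PREFIX = "custom:"  # prefix the page requires for every allowlisted value


def check_allowed_node_attributes(body):
    """Return a list of problems with body["allowedNodeAttributes"] (empty = OK)."""
    # The field is optional, so an absent key is valid.
    if "allowedNodeAttributes" not in body:
        return []
    attrs = body["allowedNodeAttributes"]
    if not isinstance(attrs, list):
        return ["allowedNodeAttributes must be an array"]
    problems = []
    seen = set()
    for i, attr in enumerate(attrs):
        if not isinstance(attr, str):
            problems.append(f"[{i}] {attr!r}: not a string")
            continue
        if not attr.startswith(CUSTOM_PREFIX):
            # Only custom attributes can be allowlisted.
            problems.append(f"[{i}] {attr!r}: missing '{CUSTOM_PREFIX}' prefix")
        elif attr == CUSTOM_PREFIX:
            # Assumption of this example: a bare prefix names no attribute.
            problems.append(f"[{i}] {attr!r}: empty attribute name")
        elif attr in seen:
            # Assumption of this example: duplicates are flagged as likely typos.
            problems.append(f"[{i}] {attr!r}: duplicate entry")
        seen.add(attr)
    return problems


# Constructed sample bodies; only the allowedNodeAttributes key comes from the page.
GOOD = json.loads('{"allowedNodeAttributes": ["custom:provisioned"]}')
BAD = json.loads(
    '{"allowedNodeAttributes": '
    '["custom:provisioned", "provisioned", "custom:", 7, "custom:provisioned"]}'
)

if __name__ == "__main__":
    for name, body in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_allowed_node_attributes(body) or "ok")
```

Running a check like this in CI keeps a mistyped attribute from reaching the allowlist that posture conditions and grants later depend on.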