Get started
© 2024

On-demand access with Opal

Opal is a centralized authorization platform for IT and infrastructure teams to make access management requests self-service.

On-demand access to Tailscale resources can be provisioned using Opal. This works by adding and removing members from SSH access rules for ACL tags in Tailscale access control lists (ACLs).

Opal can be used with user & group provisioning to update SCIM-integrated group membership in groups used in Tailscale ACLs. Likewise, Opal can be used to assign a user to the Tailscale application, with the user synced through SCIM to your Tailscale network.


Before you begin this guide, you’ll need a tailnet and an Opal account.

  • For information about creating a tailnet, see the Tailscale quickstart.

  • For information about creating an Opal account, see Opal.


See the full instructions in Opal’s blog post for setting up an integration with Tailscale.

To use Opal with Tailscale, you’ll need to:

  1. Generate a Tailscale API access token from the Keys page of the admin console.
  2. In Opal, add Tailscale as a new application.
    1. Set the App Admin to the team that should manage the Tailscale app in Opal.
    2. Enter a Description of how you use Tailscale, so colleagues know what they’re requesting access to. For example, “SSH access to the production network”.
    3. Set the Tailnet name to be your tailnet’s organization. For example,,, example.github, or You can find your organization in the Settings page of the admin console.
    4. Set the Tailscale API key to the Tailscale API access token you generated.
  3. Determine which Tailscale ACL tags should be imported into Opal. This is done by the App Admin. For each ACL tag that is selected, Opal will automatically parse the existing access rules and SSH access rules that apply to that tag, and which groups have access to the tagged sources using those rules.

Now a user can request access or SSH access to a specific tag in Tailscale, and Opal will update the tailnet policy file to allow the temporary access.