Technology partner integration guide

Thank you for your interest in becoming a Tailscale technology partner. Before you get started, reach out for a copy of an MNDA for review and signature by both partners.

Depending on the type of integration you are building with Tailscale, it should be possible to build the integration in a self-serve way, that is, with no additional development required from Tailscale.

Once you have built an integration, submit it to us for review.

Types of integrations

Technology partners fall into two categories:

  • “Tailscale runs on” partners. These are services which a user can use Tailscale to access, or a service from which a user uses Tailscale to access an external resource. These include operating systems, compute, hardware, databases, and more.
  • “Tailscale works with” partners. These are services which a user would use with Tailscale, which complement Tailscale to make it work with their existing infrastructure. These include identity providers, logging and monitoring services, infrastructure as code, firewalls, web servers, and more.

You can be both a “Tailscale runs on” and a “Tailscale works with” partner.

Integration categories

Tailscale runs on:
  • Operating systems
  • Cloud providers
  • Serverless apps
  • Kubernetes
  • Containers
  • Databases and warehouses
  • Network attached storage
  • Homelab

Tailscale works with:
  • Identity providers
  • Infrastructure as code
  • Log streaming
  • Notifications
  • Remote development environments
  • Developer tools
  • Mobile shells
  • Firewalls
  • On-demand access providers
  • Web servers
  • DNS filtering
  • Privacy VPNs
  • Secret scanning

See the Integrations page for a list of Tailscale’s current integrations.

When considering how users should connect to or from your service using Tailscale, follow these recommendations in building and documenting your integration.

Tailscale runs on

All “Tailscale runs on” integrations should be possible to build in a self-serve way. If after testing, you find that Tailscale does not work in your environment, let us know and request assistance.

Authentication

There are multiple ways to authenticate a device to Tailscale:

  • A user can log in. This requires having access to a browser to sign in. This is recommended where the device is an end user device, for example, a user’s personal hardware appliance.

  • An auth key can be used to authenticate a new device. This does not require the user to log in, but must first be generated from the Tailscale admin console. This is recommended where the device is a server. In this case, it is also recommended to use a tagged auth key.

    An auth key expires either after 90 days or immediately after use; there are no long-lived auth keys. To have persistent access to an auth key, for example, to programmatically and continuously add multiple devices, use an OAuth client with the devices scope, scoped to a particular tag for your service, for example, tag:database.

  • An OAuth client can be used to generate auth keys to authenticate new devices. This is recommended where multiple devices need to be authenticated and added continuously.

Generally speaking, you should use an OAuth client with the devices scope for authentication. Some cases where that may not be true:

  • If the user is logging in to Tailscale running on an end user device: Ask users to log in directly if it is not a shared device, such as a phone or tablet, and encourage them to use a one-off tagged auth key if it is a shared device, such as a NAS or smart TV.
  • If the user is setting up access to a service which can persist state across failures (for example, a VM), and only needs to set up this access a single time as part of initial access: Use a one-off tagged auth key for a single device and a reusable tagged auth key for multiple devices.

API access

Similar to auth keys, API keys expire after 90 days, or the length of time specified; there are no long-lived API keys. To have persistent access to an API key, use an OAuth client with the appropriate scope.

API scopes

When asking a user to generate an API key or OAuth client, you should only ask for the minimum permissions or scopes required for the integration to operate:

  • To create new auth keys, and add devices, use the devices scope.
  • To add new tags, use the acl scope.

Containerized services

If your service runs in containers or functions, where the user may not have access to the kernel, and specifically /dev/net/tun, you can run Tailscale in userspace networking mode. When running in userspace networking mode, tailscaled functions as a SOCKS5 or HTTP proxy which other processes in the container can connect through.

When running Tailscale in containers or functions, where the environment is short-lived, you should use ephemeral nodes. This will remove nodes which are no longer active from the tailnet. You can authenticate ephemeral nodes using an ephemeral auth key.

Ephemeral nodes will not keep state across restarts, that is, when a container for the same service restarts, it will have a new Tailscale IP address.

If your service needs to persist state across container restarts, then specify a location to store state by using tailscaled --statedir= for a directory or tailscaled --state= for a path to a file.
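As an added example (not Tailscale's code and not part of this guide), the following Python maps the device kinds discussed in the Authentication section and the ephemeral container case above to the key properties the guide recommends, then mints such a key from an OAuth client that has the devices scope. The API base URL, the /oauth/token and /tailnet/{tailnet}/keys endpoints and the request body shape are assumptions taken from Tailscale's public API reference rather than from this page; confirm them against the current documentation before use.

```python
"""Mint a Tailscale auth key from an OAuth client, following the guide's
recommendations. Added example: endpoint paths and body shape are assumptions
taken from Tailscale's public API reference, not from this page."""
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass, asdict

API = "https://api.tailscale.com/api/v2"  # assumed base URL


@dataclass
class KeyOptions:
    tags: list[str]        # tagged keys are recommended for servers, e.g. ["tag:database"]
    reusable: bool         # one-off for a single device, reusable for a fleet
    ephemeral: bool        # containers/functions: node is removed once it goes inactive
    preauthorized: bool = True


def recommended_options(kind: str, tag: str) -> KeyOptions:
    """Map the device kinds discussed in the guide to key properties."""
    if kind in ("shared-end-user-device", "single-server"):  # NAS/smart TV, or a VM set up once
        return KeyOptions([tag], reusable=False, ephemeral=False)
    if kind == "server-fleet":        # many persistent servers added over time
        return KeyOptions([tag], reusable=True, ephemeral=False)
    if kind == "container":           # short-lived: ephemeral so stale nodes disappear
        return KeyOptions([tag], reusable=True, ephemeral=True)
    raise ValueError(f"unknown device kind: {kind}")


def key_request_body(opts: KeyOptions, expiry_seconds: int = 3600) -> dict:
    """Body for POST /tailnet/{tailnet}/keys (assumed shape). Keep the expiry
    short; the key is only needed until the device has joined."""
    return {"capabilities": {"devices": {"create": asdict(opts)}},
            "expirySeconds": expiry_seconds}


def _post(url: str, data: bytes, headers: dict) -> dict:
    req = urllib.request.Request(url, data=data, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def oauth_token(client_id: str, client_secret: str) -> str:
    """Client-credentials grant; the OAuth client needs the devices scope."""
    form = urllib.parse.urlencode({"client_id": client_id, "client_secret": client_secret}).encode()
    return _post(f"{API}/oauth/token", form,
                 {"Content-Type": "application/x-www-form-urlencoded"})["access_token"]


def create_auth_key(tailnet: str, token: str, opts: KeyOptions) -> str:
    """Returns the new auth key; pass it to `tailscale up --authkey=...` and then discard it."""
    body = json.dumps(key_request_body(opts)).encode()
    return _post(f"{API}/tailnet/{urllib.parse.quote(tailnet)}/keys", body,
                 {"Authorization": f"Bearer {token}", "Content-Type": "application/json"})["key"]
```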

Hosted services

If your service is a hosted service that you run for your users, you will need to run Tailscale or allow your users to run Tailscale (such as in userspace networking mode) to access the service directly over Tailscale.

Otherwise, your users can use Tailscale to access the service using app connectors, by specifying the domains at which to access your service.

User interface

If your service is running on a Linux or BSD-based device that does not have a native application GUI, the Tailscale web interface is a browser-based GUI you can make available to users to manage the use of Tailscale on your service.

To use the Tailscale web interface, enable it via CLI using tailscale web.

Tailscale works with

Some, but not all “Tailscale works with” integration categories are available self-serve — that is, the partner can complete them without any additional development needed from Tailscale. Other integration categories require additional development and help from Tailscale.

Identity providers

Tailscale should work with most identity providers in a self-serve way.

Any identity providers that support OpenID Connect should work with Tailscale’s support for custom OIDC providers. Follow the instructions for identity provider setup.

Infrastructure as code

Tailscale should work with most infrastructure as code providers in a self-serve way.

Infrastructure as code providers can query all information in the Tailscale API. To read all information via API, use an OAuth client with the all:read scope.

Log streaming

Tailscale should work with most security information and event management (SIEM) systems in a self-serve way. If you support log streaming to popular SIEMs such as Splunk, Datadog, Panther, or Elasticsearch, they should work with Tailscale. Configure a log streaming destination with the URL and token to provide Tailscale with write access to the SIEM. If after testing, you find that Tailscale does not work in your environment, let us know and request assistance.

To access configuration audit logs via API, use an OAuth client with the logs:read scope. To access network flow logs via API, use an OAuth client with the network-logs:read scope.

Notifications

Contact Tailscale to work together to build an integration.

Remote development environments

Tailscale should be able to run in most remote development environments in a self-serve way. If after testing, you find that Tailscale does not work in your environment, let us know and request assistance.

Developer tools

Tailscale should be able to run in most developer tools in a self-serve way. If after testing, you find that Tailscale does not work in your environment, let us know and request assistance.

Mobile shells

Tailscale should be able to work with most mobile shells in a self-serve way. If after testing, you find that Tailscale does not work in your environment, let us know and request assistance.

Firewalls

Tailscale should be able to work with most firewalls in a self-serve way.

If Tailscale does not connect directly, but connects via DERP, then consider opening a port, randomizing a port, or enabling NAT-PMP. If after testing, you find that Tailscale does not work in your environment, let us know and request assistance.

On-demand access providers

Tailscale should be able to work with most on-demand access providers in a self-serve way.

You can support changes to group membership and individuals’ access to Tailscale by changing application assignments in the identity provider and syncing these via SCIM using user & group provisioning. In this case, no additional integration is required with Tailscale, and the changes occur in the identity provider.

You can also support changes to access rules and group membership by changing individual access rules in Tailscale. To update access rules via API, use an OAuth client with the acl scope.

Tailscale user roles cannot currently be assigned or updated via API.

Web servers

Tailscale should be able to work with most web servers in a self-serve way. If after testing, you find that Tailscale does not work with your product, let us know and request assistance.

DNS filtering

Contact Tailscale to work together to build an integration.

Privacy VPNs

Contact Tailscale to work together to build an integration.

Secret scanning

Tailscale keys follow a standard format to simplify detection.

Tailscale should be able to work with most secret scanners in a self-serve way.
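As an added example of what a secret scanner integration would do (not Tailscale's code and not part of this guide), the following Python finds Tailscale keys in text such as logs or config and redacts the secret segment while keeping the identifier needed to revoke the key. The key shape tskey-<type>-<id>-<secret> and the auth/api/client type segments are assumptions from Tailscale's public key-format documentation, not from this page; the sample lines and key values are constructed.

```python
"""Find and redact Tailscale keys in text such as logs or config files.
Added example: the key shape tskey-<type>-<id>-<secret> and the type
segments are assumptions from Tailscale's public key-format docs, not
from this page."""
import re
from typing import NamedTuple

# type segment: auth = auth key, api = API access token, client = OAuth client secret
TSKEY_RE = re.compile(r"\btskey-(auth|api|client)-([A-Za-z0-9]+)-([A-Za-z0-9]+)\b")


class Finding(NamedTuple):
    kind: str      # which kind of credential leaked, so the owner knows what to revoke
    key_id: str    # the non-secret id segment: safe to report for triage
    line_no: int


def find_keys(text: str) -> list[Finding]:
    """Scan each line and report every key without echoing its secret segment."""
    return [Finding(m[1], m[2], n)
            for n, line in enumerate(text.splitlines(), 1)
            for m in TSKEY_RE.finditer(line)]


def redact(text: str) -> str:
    """Keep type and id (needed to locate and revoke the key), drop the secret."""
    return TSKEY_RE.sub(lambda m: f"tskey-{m[1]}-{m[2]}-<REDACTED>", text)


# Constructed sample input; the key values are made up and are not real credentials.
SAMPLE = """\
2024-01-01T10:00:00Z run: tailscale up --authkey=tskey-auth-kCONSTRUCTED1CNTRL-fakeSecretAaaa1111
2024-01-01T10:00:01Z env TS_API_KEY=tskey-api-kCONSTRUCTED2CNTRL-fakeSecretBbbb2222
2024-01-01T10:00:02Z docs placeholder tskey-auth-... must not match
2024-01-01T10:00:03Z oauth secret tskey-client-kCONSTRUCTED3CNTRL-fakeSecretCccc3333 in config
"""

if __name__ == "__main__":
    for f in find_keys(SAMPLE):
        print(f"line {f.line_no}: {f.kind} key {f.key_id}")
    print(redact(SAMPLE))
```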

Specialize in something else?

Reach out to Tailscale’s partnerships team to explore building an integration.

Partnership FAQs

Will Tailscale participate in co-marketing with me?

We’re excited to partner and for our mutual customers to benefit from integrations with our robust ecosystem of partners. Once you publish your integration, Tailscale can commit to the following co-marketing activities:

  • Tailscale will repost your blog post on our corporate social media accounts (that is, LinkedIn)
  • Tailscale will mention our new integration in our monthly newsletter
  • We’ll add your integration to our Integrations page

We may also add your integration documentation to our Knowledge Base.

Beyond that, we can discuss what other go-to-market activities are feasible. Additional GtM activities are dependent on other pre-existing priorities. If there’s something else you’d like to do, we would love to hear it!

What resources can I use for co-marketing?

Download our press kit from our press page for Tailscale logos and screenshots.

How do I submit my integration for review by Tailscale?

When you’re ready to submit your integration for review, provide the following information:

  1. Description of the integration or sample application your team built
  2. A link to a test account or instructions on how to download a test account so that Tailscale can test the functionality of the integration
  3. A link to your Knowledge Base article or a link to a draft of the KB article, such as a staged link, Google Docs link, or .docx file (example 1, 2, 3)
  4. If participating in any co-marketing, a draft of the blog post or other marketing materials for review by the Tailscale team (example 1, 2, 3)

How does the review process work?

  • Send the above components in a .zip or Google Drive Folder to the Tailscale team (partnerships@tailscale.com)
  • Our team will review and provide any feedback within 3 business days of your submission
  • Once reviewed and approved by Tailscale, let us know your launch timing and any marketing you’re planning so that we can accommodate requests around reposting blog posts, mentions in our monthly newsletter, etc.

Can we be a Tailscale reseller, or get a referral fee for selling Tailscale to our users?

Tailscale does not currently have a formal MSP / Reseller program. This is something we’re working toward to provide to companies interested in reselling and managing Tailscale on behalf of their end customers.

Fill out our partnerships interest form and someone from the Tailscale team will be in touch to discuss referral / reseller arrangements.

How can we get access to a test account to build an integration?

Tailscale cannot create test accounts for you.

Instead,

  1. Sign up for Tailscale with a test domain and identity provider of your choice. If you do not have another domain / tailnet you can use for testing, create a subdomain, for example, tailscale.example.com, which will allow you to create a separate tailnet.
  2. Contact our partnerships team with the name of the tailnet you are using, and we will allowlist that tailnet for testing purposes. We will also need this tailnet name to give you access to any pre-release features.

How do we request new API functionality we need for our integration?

Tailscale’s API documentation includes public API endpoints that you can use as part of your integration.

If you are missing additional functionality for building your integration, but this information is already available in another way (for example, it is available or configurable in the Tailscale admin console), we can likely make it available to you via API. If you need additional functionality that is otherwise not available, we may consider making it available to you via API. Making additional functionality available via API is dependent on other pre-existing priorities.

To request additional API functionality, contact our partnerships team.

How do we request new OAuth scopes we need for our integration?

Tailscale’s OAuth scopes include scopes for read and write access to various parts of the Tailscale API. If you are not able to complete your integration with a scope other than all, but do not need access to the entire API surface, let us know.

To request additional OAuth scopes, contact our partnerships team.