Get started
Login
© 2024

OAuth clients

OAuth clients provide a framework for delegated and scoped access to the Tailscale API. An OAuth client creates access tokens for scoped API access, instead of using a fully-permitted access token which expires after 90 days (or less if the fully-permitted access token has a shorter expiry). OAuth clients support the principle of least privilege by allowing fine-grained control on the access granted to the client using scopes, unlike a fully-permitted access token which grants full access to the Tailscale API.

How it works

You create an OAuth client that defines the scopes to allow when your client application uses the Tailscale API. An example scope is dns:read, which grants read-only access to a tailnet's DNS settings. Another example is the devices:core scope, which grants access to read and write the list of devices in the tailnet, authorize or remove machines, and manipulate tags on devices.

Scopes are restricted to only the necessary Tailscale API endpoints needed for an operation. For example, tokens with the dns:read scope can access only the following Tailscale API endpoints:

  • GET /api/v2/tailnet/:tailnet/dns/nameservers
  • GET /api/v2/tailnet/:tailnet/dns/preferences
  • GET /api/v2/tailnet/:tailnet/dns/searchpaths
  • GET /api/v2/tailnet/:tailnet/keys/:keyID (for itself only)

An OAuth client consists of a client ID and a client secret. When you create an OAuth client, Tailscale creates these for you. Within your client application, use the client ID and client secret to request an API access token from the Tailscale OAuth token endpoint. You use the access token to make calls to the Tailscale API. The access token grants permission only for the scopes that were defined when you created the OAuth client.

An API access token expires after one hour. For continuous access, shortly before an API access token expires, request a new API access token from the Tailscale OAuth token endpoint.

OAuth client libraries in popular programming languages can handle the API access token generation and renewal.

The Tailscale OAuth implementation is based on the OAuth 2.0 protocol.

Prerequisites

You need to be an Owner, Admin, Network admin, or IT admin of a tailnet in order to create, revoke, or delete OAuth clients.

Owners and Admins can create an OAuth client with any scope and any tag that is in the tailnet. Other users can create an OAuth client with only the scopes and tags for which they have permissions. For example, a Network Admin cannot grant the devices:core scope, but an IT admin can.

Setting up an OAuth client

  1. Open the OAuth clients page of the admin console.

  2. In the Generate OAuth client page, select the set of operations that can be performed with tokens created by the new OAuth client. For a given operation, select Read or Write. For a description of the operations, see Scopes.

    The 'Generate OAuth client' page in the admin console
  3. Select Generate client.

  4. In the Generated new OAuth client page, you can see the new OAuth client's ID and secret. Copy both the client ID and secret, as you need them for your client code. Note that after you close the Generated new OAuth client page, you won't be able to copy the secret again.

    Store the client secret securely.

    The 'Generate OAuth client' page in the admin console
  5. Select Done.

    Your OAuth client is now configured. Use the client ID and secret when you configure your OAuth client application. Note that Tailscale-generated OAuth client secrets are case-sensitive.

If an OAuth client is created by a user who is later removed or suspended from your tailnet, the OAuth client will continue to function and generate API access tokens. Admins can see all configured OAuth clients in the OAuth clients page of the admin console.

Scopes

Our OAuth scopes have changed to have more granular permissions associated with each scope. The previous set of OAuth scopes can be found in the legacy scopes section.

Scopes define which operations are permitted in API access tokens that are created by your client application.

In addition to the endpoints listed below, all scopes allow access to GET /api/v2/tailnet/:tailnet/keys/:keyID for the key in use.

You can use the following scopes in Tailscale OAuth clients:

Scope IDDescriptionAllowed endpoints
all:readThe client has read-only access to the tailnet. This scope is not restricted to only read access of APIs that existed at the time the client was initially authorized—the all:read scope also grants read access to new APIs created in the future. The all and all:read scopes are the only scopes which can get a list of all access tokens which exist in the tailnet.
  • All *:read endpoints, even endpoints which did not exist when the client was initially authorized.
  • GET /api/v2/tailnet/:tailnet/keys/:keyID (for any key, not just itself)
allThe client has complete access to the tailnet. This scope is not restricted to only access of APIs that existed at the time the client was initially authorized—the all scope also grants access to new APIs created in the future. The all and all:read scopes are the only scopes which can get a list of all access tokens which exist in the tailnet.
  • All endpoints, even endpoints which did not exist when the client was initially authorized.
  • GET, DELETE /api/v2/tailnet/:tailnet/keys/:keyID (for any key, not just itself)
dns:readThe client has access to read DNS settings.
  • GET /api/v2/tailnet/:tailnet/dns/nameservers
  • GET /api/v2/tailnet/:tailnet/dns/preferences
  • GET /api/v2/tailnet/:tailnet/dns/searchpaths
  • GET /api/v2/tailnet/:tailnet/dns/split-dns
dnsThe client has access to read and manipulate DNS settings.
  • Endpoints from dns:read

  • POST /api/v2/tailnet/:tailnet/dns/nameservers
  • POST /api/v2/tailnet/:tailnet/dns/preferences
  • POST /api/v2/tailnet/:tailnet/dns/searchpaths
  • PATCH, PUT /api/v2/tailnet/:tailnet/dns/split-dns
policy_file:read

The client has access to read and validate the tailnet policy file. devices:posture_attributes:read and devices:core:read are required when using this scope.

  • GET /api/v2/tailnet/:tailnet/acl
  • POST /api/v2/tailnet/:tailnet/acl/preview
  • POST /api/v2/tailnet/:tailnet/acl/validate
policy_file

The client has access to read, validate, and modify the tailnet policy file. devices:posture_attributes and devices:core:read are required when using this scope.

  • Endpoints from policy_file:read

  • POST /api/v2/tailnet/:tailnet/acl
users:readThe client has access to read user information.
  • GET /api/v2/tailnet/:tailnet/users
  • GET /api/v2/user/:userID
usersThe client has access to read user information, modify user roles, and handle user approval, suspension, deletion, and restoration.
  • Endpoints from user:read

  • POST /api/v2/user/:userID/role
  • POST /api/v2/user/:userID/approve
  • POST /api/v2/user/:userID/suspend
  • POST /api/v2/user/:userID/restore
  • POST /api/v2/user/:userID/delete
devices:core:readThe client has access to read devices in the tailnet.
  • GET /api/v2/tailnet/:tailnet/devices
  • GET /api/v2/device/:deviceID
devices:core

The client has access to read the list of devices in the tailnet, authorize or remove machines, and manipulate tags on devices. You must select one or more tags when you create a client with the devices:core scope. Auth keys created with this client must have those exact tags, or tags owned by the client's tags

  • Endpoints from devices:core:read

  • DELETE /api/v2/device/:deviceID
  • POST /api/v2/device/:deviceID/authorized
  • POST /api/v2/device/:deviceID/expire
  • POST /api/v2/device/:deviceID/ip
  • POST /api/v2/device/:deviceID/name
  • POST /api/v2/device/:deviceID/key
  • POST /api/v2/device/:deviceID/tags
devices:posture_attributes:readThe client has access to read device posture attributes.
  • GET /api/v2/device/:deviceID/attributes
  • GET /api/v2/device/:deviceID/attributes/:attributeKey
devices:posture_attributes

The client has access to manipulate and read device posture attributes.

  • Endpoints from devices:posture_attributes:read

  • POST, DELETE /api/v2/device/:deviceID/attributes
  • POST, DELETE /api/v2/device/:deviceID/attributes/:attributeKey
devices:routes:readThe client has access to read subnet router settings and exit node settings.
  • GET /api/v2/device/:deviceID/routes
devices:routesThe client has access to read or modify subnet router settings, approve and revoke subnet routes, and approve and revoke exit nodes.
  • Endpoints from devices:routes:read

  • POST /api/v2/device/:deviceID/routes
devices_invites:readThe client has access to read device invites.
  • GET /api/v2/device/:deviceID/device-invites
  • GET /api/v2/device-invites/:deviceInviteID
devices_invitesThe client has access to read or modify device invites.
  • Endpoints from device_invites:read

  • GET /api/v2/device/:deviceID/device-invites
  • GET, DELETE /api/v2/device-invites/:deviceInviteID
api_access_tokens:readThe client has access to read API access tokens.
  • GET /api/v2/tailnet/:tailnet/keys (for API access tokens)

  • GET /api/v2/tailnet/:tailnet/keys/:keyID (for API access tokens)

api_access_tokensThe client has access to read or modify API access tokens.
  • Endpoints from api_access_tokens:read

  • DELETE /api/v2/tailnet/:tailnet/keys/:keyID (for API access tokens)

auth_keys:readThe client has access to read auth keys.
  • GET /api/v2/tailnet/:tailnet/keys (for auth keys)

  • GET /api/v2/tailnet/:tailnet/keys/:keyID (for auth keys)

auth_keysThe client has access to read or modify auth keys.
  • Endpoints from auth_keys:read

  • POST /api/v2/tailnet/:tailnet/keys (for auth keys)

  • DELETE /api/v2/tailnet/:tailnet/keys/:keyID (for auth keys)

oauth_keys:readThe client has access to read OAuth clients and keys.
  • GET /api/v2/tailnet/:tailnet/keys/:keyID (only OAuth clients and OAuth keys

oauth_keysThe client has access to read or modify OAuth clients and keys.
  • Endpoints from oauth_keys:read

  • DELETE /api/v2/tailnet/:tailnet/keys/:keyID (for OAuth clients and OAuth keys)

webhooks:readThe client has access to read webhooks.
  • GET /api/v2/tailnet/:tailnet/webhooks
  • GET /api/v2/webhooks/:endpointID
webhooksThe client has access to read, modify, and test webhooks and to rotate webhook secrets.
  • Endpoints from webhooks:read

  • POST /api/v2/tailnet/:tailnet/webhooks
  • PATCH, DELETE /api/v2/webhooks/:endpointID
  • POST /api/v2/webhooks/:endpointID/test
  • POST /api/v2/webhooks/:endpointID/rotate
log_streaming:readThe client has access to read log streaming configurations and their status.
  • GET /api/v2/tailnet/:tailnet/logging/:logType/stream
  • GET /api/v2/tailnet/:tailnet/logging/:logType/status
log_streaming

The client has access to read or modify log streaming configurations and see their status. device_invites and policy_file are required when configuring log streaming to a private endpoint.

  • Endpoints from logstreaming:read

  • PUT, DELETE /api/v2/tailnet/:tailnet/logging/:logType/stream
logs:configuration:readThe client has access to read configuration audit logs.
  • GET /api/v2/tailnet/:tailnet/logging/configuration
logs:network:readThe client has access to read network flow logs.
  • GET /api/v2/tailnet/:tailnet/logging/network
  • GET /api/v2/tailnet/:tailnet/settings
logs:networkThe client has access to read network flow logs and modify their settings.
  • Endpoints from logs:network:read

  • PATCH /api/v2/tailnet/:tailnet/settings (for network logging only)

account_settings:readThe client has access to read Tailnet contacts.
  • GET /api/v2/tailnet/:tailnet/contacts
account_settingsThe client has access to read or modify Tailnet contacts, and to resend verification emails.
  • Endpoints from account_settings:read

  • PATCH /api/v2/tailnet/:tailnet/contacts/:contactType
  • POST /api/v2/tailnet/:tailnet/contacts/:contactType/resend-verification-email
feature_settings:readThe client has access to read posture integrations and Tailnet feature settings.
  • GET /api/v2/tailnet/:tailnet/posture/integrations
  • GET /api/v2/posture/integrations/:integrationID
  • GET /api/v2/tailnet/:tailnet/settings
feature_settingsThe client has access to read or modify posture integrations and Tailnet feature settings.
  • Endpoints from feature_settings:read

  • POST /api/v2/tailnet/:tailnet/posture/integrations
  • PATCH, DELETE /api/v2/posture/integrations/:integrationID
  • PATCH /api/v2/tailnet/:tailnet/settings

When new Tailscale functionality is provided, we will add it to existing scopes where applicable. That means a scope is not restricted to only access of APIs that existed at the time the client was initially authorized—a scope will contain additional access where it makes sense for new or updated functionality.

You can find documentation for the Tailscale API on our website

Revoking an OAuth client

  1. Open the OAuth clients page of the admin console.

  2. Find the OAuth client that you want to delete and select Revoke.

  3. Select Revoke OAuth client to confirm you want to revoke the OAuth client.

When you revoke an OAuth client, any active API access tokens that were created by the client are also revoked.

Tailscale OAuth token endpoint

The Tailscale OAuth token endpoint is https://api.tailscale.com/api/v2/oauth/token.

Make requests to the Tailscale OAuth token endpoint when you need an API access token. The Tailscale OAuth token endpoint accepts requests that conform to the OAuth 2.0 client credentials grant request format, and returns responses that conform to the OAuth 2.0 client credentials grant response format.

Requests to the OAuth token endpoint can include scope and tags request parameters, which specify space-delimited lists of requested scopes and tags, respectively. The OAuth client must have permission to grant the requested scopes and tags. For example, an OAuth client with the all scope (which grants all other scopes as well as all device tags) could be used to request an access token with the devices:core scope and the tag:server tag. Tags are only relevant for tokens with the devices:core, auth_keys, or all scopes, and will be ignored if none of these scopes are present. The tags parameter is not part of the OAuth 2.0 specificaion, and may not be supported by all OAuth clients.

OAuth client libraries

Popular programming languages provide OAuth client libraries to simplify your use of OAuth clients. Here are several:

For example, the following Go code shows how to create an OAuth client object that uses your client ID and client secret to generate an API access token for calls to the Tailscale API:

package main

import (
        "context"
        "fmt"
        "io/ioutil"
        "log"
        "os"

        "golang.org/x/oauth2/clientcredentials"
)

func main() {
        var oauthConfig = &clientcredentials.Config{
                ClientID:     os.Getenv("OAUTH_CLIENT_ID"),
                ClientSecret: os.Getenv("OAUTH_CLIENT_SECRET"),
                TokenURL:     "https://api.tailscale.com/api/v2/oauth/token",
        }

        client := oauthConfig.Client(context.Background())
        // Replace example.com with your tailnet name.
        resp, err := client.Get("https://api.tailscale.com/api/v2/tailnet/example.com/devices")
        if err != nil {
                log.Fatalf("error getting keys: %v", err)
        }

        body, err := ioutil.ReadAll(resp.Body)
        if err != nil {
                log.Fatalf("error reading response body: %v", err)
        }

        fmt.Printf("response: %s", string(body))
}

The example requires that you define environment variables OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET, with their values set to the client ID and client secret that are created when you set up an OAuth client.

Verifying you can generate API access tokens

After you set up an OAuth client, an easy way to confirm that you can generate API access tokens is to make a curl request to the Tailscale OAuth token endpoint.

 curl -d "client_id=${OAUTH_CLIENT_ID}" -d "client_secret=${OAUTH_CLIENT_SECRET}" \
     "https://api.tailscale.com/api/v2/oauth/token"

The example requires that you define environment variables OAUTH_CLIENT_ID and OAUTH_CLIENT_SECRET, with their values set to your client ID and client secret.

Here's an example response showing the API access token:

{"access_token":"tskey-0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ","token_type":"Bearer","expires_in":3600,"scope":"devices"}

Generating long-lived auth keys

You cannot generate long-lived auth keys, because they expire after 90 days, or, for one-off keys, once they are used.

Instead of a long-lived auth key, you can generate an OAuth client with the auth_keys scope. Use the OAuth client to generate new auth keys as needed, by making a POST request to the /api/v2/tailnet/:tailnet/keys API method. When you create an OAuth client with the scope auth_keys, you must select one or more tags, which can be any tag or set of tags in your tailnet. Additionally, these tags need to be specified in the API call.

When you use an access token to make an API call, you can optionally use the value - as the tailnet name—you do not need to specify the tailnet name.

For example, this command:

curl -u $ACCESS_TOKEN: "https://api.tailscale.com/api/v2/tailnet/example.com/devices"

could be written as:

curl -u $ACCESS_TOKEN: "https://api.tailscale.com/api/v2/tailnet/-/devices"

as long as the access token is owned by the example.com tailnet.

You can also include the access token in the request header by using the -H option:

curl -H "Authorization: Bearer $ACCESS_TOKEN" "https://api.tailscale.com/api/v2/tailnet/-/devices"

Audit logging of API access token creation

In configuration audit logging, an action will be recorded in your audit log whenever an access token is created. The log entry will show the OAuth client ID as the actor, and the time when the API access token was created.

If you believe your OAuth client has been compromised, revoke the OAuth client (and set up a new client when you're ready). Review the configuration audit logs to see whether and how the client and API access tokens were used during the period of compromise.

Registering new nodes using OAuth credentials

You can use an OAuth secret directly in tailscale up to register a new node:

tailscale up --auth-key=${OAUTH_CLIENT_SECRET} --advertise-tags=tag:ci

The OAuth client must have the auth_keys scope and the tags passed to --advertise-tags must match the tags you selected creating the client.

The --auth-key flag can accept additional URL-style parameters when used with OAuth secrets:

tailscale up --auth-key=${OAUTH_CLIENT_SECRET}?ephemeral=false&preauthorized=true --advertise-tags=tag:ci

The available parameters are:

  • ephemeral: register as an ephemeral node (defaults to true)
  • preauthorized: skip manual device approval (defaults to false)
  • baseURL: base URL for the Tailscale API (defaults to https://api.tailscale.com)

get-authkey utility

The get-authkey utility returns a new auth key to stdout, based on environment variables that contain values for your OAuth client ID and secret. Use get-authkey to generate auth keys for scripts or other automation.

All auth keys created from an OAuth client are required to have tags. You can optionally pass in arguments to get-authkey to specify whether the key type is ephemeral, reusable, and/or pre-authorized.

get-authkey requires Go 1.23 or later.

To build and run get-authkey directly:

  1. Set the following environment variables:

    • TS_API_CLIENT_ID: The OAuth client ID for your tailnet.
    • TS_API_CLIENT_SECRET: The OAuth client secret for your tailnet.
    export TS_API_CLIENT_ID=<clientID> TS_API_CLIENT_SECRET=<secret>
    
  2. Run:

    go run tailscale.com/cmd/get-authkey@latest -tags tag:development
    

You can pass in the following parameters:

  • -tags: Required. Apply the comma-separated list of tags to the auth key.
  • -reusable (Optional): Allocate a reusable auth key. If not set, defaults to false.
  • -ephemeral (Optional): Allocate an ephemeral auth key. If not set, defaults to false.
  • -preauth (Optional): Allocate the auth key as pre-authorized. If not set, defaults to true.

For example:

go run tailscale.com/cmd/get-authkey@latest -reusable -tags tag:development

As an alternative, you can download the get-authkey source code and run it from a local repo:

  1. Clone the tailscale/tailscale repository.

  2. Open a command prompt and change directories to the root of the local tailscale/ folder.

  3. Run get-authkey:

    go run ./cmd/get-authkey/main.go -tags tag:development
    

Limitations

  • OAuth clients must be owned by the tailnet, and not by an individual user.
  • An OAuth access token expires after 1 hour—this time cannot be modified.

Legacy scopes

As of November 14, 2024 new OAuth clients will use the scopes listed in the scopes section. Existing OAuth clients using the below scopes, and keys generated using these clients, are still valid.

Scopes define which operations are permitted in API access tokens that are created by your client application.

You can use the following scopes in Tailscale OAuth clients:

Scope IDDescriptionAllowed endpoints
allThe client has complete access to the tailnet. This scope is not restricted to only access of APIs that existed at the time the client was initially authorized—the all scope also grants access to new APIs created in the future. The all and all:read scopes are the only scopes which can get a list of all access tokens which exist in the tailnet.
  • All endpoints, even endpoints which did not exist when the client was initially authorized.
  • /api/v2/tailnet/:tailnet/keys/:keyID (for any key, not just itself)
all:readThe client has read-only access to the tailnet. This scope is not restricted to only read access of APIs that existed at the time the client was initially authorized—the all:read scope also grants read access to new APIs created in the future. The all and all:read scopes are the only scopes which can get a list of all access tokens which exist in the tailnet.
  • All endpoints, even endpoints which did not exist when the client was initially authorized.
  • /api/v2/tailnet/:tailnet/keys/:keyID (for any key, not just itself)
aclThe client has access to read and modify the tailnet policy file.
  • /api/v2/tailnet/:tailnet/devices
  • /api/v2/tailnet/:tailnet/acl
  • /api/v2/tailnet/:tailnet/acl/preview
  • /api/v2/tailnet/:tailnet/acl/validate
  • /api/v2/tailnet/:tailnet/keys/:keyID (for itself only)

  • /api/v2/device/:deviceID/attributes
  • /api/v2/device/:deviceID/attributes/:attributeKey
acl:readThe client has access to read and validate the tailnet policy file.
  • /api/v2/tailnet/:tailnet/devices
  • /api/v2/tailnet/:tailnet/acl
  • /api/v2/tailnet/:tailnet/acl/preview
  • /api/v2/tailnet/:tailnet/acl/validate
  • /api/v2/tailnet/:tailnet/keys/:keyID (for itself only)

  • /api/v2/device/:deviceID/attributes
devices

The client has access to read the list of devices in the tailnet, authorize or remove machines, create auth keys, and manipulate tags and attributes on devices. You must select one or more tags when you create a client with the devices scope. Auth keys created with this client must have those exact tags, or tags owned by the client's tags

  • /api/v2/tailnet/:tailnet/devices
  • /api/v2/device/:deviceID
  • /api/v2/device/:deviceID/attributes
  • /api/v2/device/:deviceID/attributes/:attributeKey
  • /api/v2/device/:deviceID/authorized
  • /api/v2/device/:deviceID/key
  • /api/v2/device/:deviceID/tags
  • /api/v2/tailnet/:tailnet/keys (only auth keys, not access tokens)

  • /api/v2/tailnet/:tailnet/keys/* (only auth keys, not access tokens)

  • /api/v2/tailnet/:tailnet/keys/:keyID (for itself only)

devices:readThe client has access to read the list of devices, auth keys, attributes, and tags in the tailnet.
  • /api/v2/tailnet/:tailnet/devices
  • /api/v2/device/:deviceID
  • /api/v2/device/:deviceID/attributes
  • /api/v2/device/:deviceID/key
  • /api/v2/device/:deviceID/tags
  • /api/v2/tailnet/:tailnet/keys (only auth keys, not access tokens)

  • /api/v2/tailnet/:tailnet/keys/* (only auth keys, not access tokens)

  • /api/v2/tailnet/:tailnet/keys/:keyID (for itself only)

dnsThe client has access to read and manipulate DNS settings.
  • /api/v2/tailnet/:tailnet/dns/*
  • /api/v2/tailnet/:tailnet/keys/:keyID (for itself only)

dns:readThe client has access to read DNS settings.
  • /api/v2/tailnet/:tailnet/dns/*
  • /api/v2/tailnet/:tailnet/keys/:keyID (for itself only)

routesThe client has access to read or modify subnet router settings, approve and revoke subnet routes, and approve and revoke exit nodes.
  • /api/v2/tailnet/:tailnet/devices
  • /api/v2/device/:deviceID/routes
  • /api/v2/tailnet/:tailnet/keys/:keyID (for itself only)

routes:readThe client has access to read subnet router settings and exit node settings.
  • /api/v2/tailnet/:tailnet/devices
  • /api/v2/device/:deviceID/routes
  • /api/v2/tailnet/:tailnet/keys/:keyID (for itself only)

logs:readThe client has access to read configuration audit logs.
  • /api/v2/tailnet/:tailnet/logs
  • /api/v2/tailnet/:tailnet/keys/:keyID (for itself only)

network-logs:readThe client has access to read network flow logs.
  • /api/v2/tailnet/:tailnet/network-logs
  • /api/v2/tailnet/:tailnet/keys/:keyID (for itself only)

Last updated Nov 21, 2024