Tailscale
Manage devices and network settings in your Tailscale tailnet
Tailscale is a zero-config mesh VPN built on WireGuard that makes it easy to connect devices, services, and users across any network. The Tailscale block lets you automate network management tasks like device provisioning, access control, route management, and DNS configuration directly from your Sim workflows.
The Tailscale block uses API key authentication. To get an API key:
- Go to the Tailscale admin console
- Navigate to Settings > Keys
- Click Generate API key
- Set an expiry (1-90 days) and copy the key (starts with
tskey-api-)
You must have an Owner, Admin, IT admin, or Network admin role to generate API keys.
Every operation requires a tailnet parameter. This is typically your organization's domain name (e.g., example.com). You can also use "-" to refer to your default tailnet.
- Device inventory: List and monitor all devices connected to your network
- Automated provisioning: Create and manage auth keys to pre-authorize new devices
- Access control: Authorize or deauthorize devices, manage device tags for ACL policies
- Route management: View and enable subnet routes for devices acting as subnet routers
- DNS management: Configure nameservers, MagicDNS, and search paths
- Key lifecycle: Create, list, inspect, and revoke auth keys
- User auditing: List all users in the tailnet and their roles
- Policy review: Retrieve the current ACL policy for inspection or backup
List all devices in the tailnet
| Parameter | Type | Required | Description |
|---|
apiKey | string | Yes | Tailscale API key |
tailnet | string | Yes | Tailnet name (e.g., example.com) or "-" for default |
| Parameter | Type | Description |
|---|
devices | array | List of devices in the tailnet |
↳ id | string | Device ID |
↳ name | string | Device name |
↳ hostname | string | Device hostname |
↳ user | string | Associated user |
↳ os | string | Operating system |
↳ clientVersion | string | Tailscale client version |
↳ addresses | array | Tailscale IP addresses |
↳ tags | array | Device tags |
↳ authorized | boolean | Whether the device is authorized |
↳ blocksIncomingConnections | boolean | Whether the device blocks incoming connections |
↳ lastSeen | string | Last seen timestamp |
↳ created | string | Creation timestamp |
count | number | Total number of devices |
Get details of a specific device by ID
| Parameter | Type | Required | Description |
|---|
apiKey | string | Yes | Tailscale API key |
tailnet | string | Yes | Tailnet name (e.g., example.com) or "-" for default |
deviceId | string | Yes | Device ID |
| Parameter | Type | Description |
|---|
id | string | Device ID |
name | string | Device name |
hostname | string | Device hostname |
user | string | Associated user |
os | string | Operating system |
clientVersion | string | Tailscale client version |
addresses | array | Tailscale IP addresses |
tags | array | Device tags |
authorized | boolean | Whether the device is authorized |
blocksIncomingConnections | boolean | Whether the device blocks incoming connections |
lastSeen | string | Last seen timestamp |
created | string | Creation timestamp |
enabledRoutes | array | Approved subnet routes |
advertisedRoutes | array | Requested subnet routes |
isExternal | boolean | Whether the device is external |
updateAvailable | boolean | Whether an update is available |
machineKey | string | Machine key |
nodeKey | string | Node key |
Remove a device from the tailnet
| Parameter | Type | Required | Description |
|---|
apiKey | string | Yes | Tailscale API key |
tailnet | string | Yes | Tailnet name (e.g., example.com) or "-" for default |
deviceId | string | Yes | Device ID to delete |
| Parameter | Type | Description |
|---|
success | boolean | Whether the device was successfully deleted |
deviceId | string | ID of the deleted device |
Authorize or deauthorize a device on the tailnet
| Parameter | Type | Required | Description |
|---|
apiKey | string | Yes | Tailscale API key |
tailnet | string | Yes | Tailnet name (e.g., example.com) or "-" for default |
deviceId | string | Yes | Device ID to authorize |
authorized | boolean | Yes | Whether to authorize (true) or deauthorize (false) the device |
| Parameter | Type | Description |
|---|
success | boolean | Whether the operation succeeded |
deviceId | string | Device ID |
authorized | boolean | Authorization status after the operation |
Set tags on a device in the tailnet
| Parameter | Type | Required | Description |
|---|
apiKey | string | Yes | Tailscale API key |
tailnet | string | Yes | Tailnet name (e.g., example.com) or "-" for default |
deviceId | string | Yes | Device ID |
tags | string | Yes | Comma-separated list of tags (e.g., "tag:server,tag:production") |
| Parameter | Type | Description |
|---|
success | boolean | Whether the tags were successfully set |
deviceId | string | Device ID |
tags | array | Tags set on the device |
Get the subnet routes for a device
| Parameter | Type | Required | Description |
|---|
apiKey | string | Yes | Tailscale API key |
tailnet | string | Yes | Tailnet name (e.g., example.com) or "-" for default |
deviceId | string | Yes | Device ID |
| Parameter | Type | Description |
|---|
advertisedRoutes | array | Subnet routes the device is advertising |
enabledRoutes | array | Subnet routes that are approved/enabled |
Set the enabled subnet routes for a device
| Parameter | Type | Required | Description |
|---|
apiKey | string | Yes | Tailscale API key |
tailnet | string | Yes | Tailnet name (e.g., example.com) or "-" for default |
deviceId | string | Yes | Device ID |
routes | string | Yes | Comma-separated list of subnet routes to enable (e.g., "10.0.0.0/24,192.168.1.0/24") |
| Parameter | Type | Description |
|---|
advertisedRoutes | array | Subnet routes the device is advertising |
enabledRoutes | array | Subnet routes that are now enabled |
Enable or disable key expiry on a device
| Parameter | Type | Required | Description |
|---|
apiKey | string | Yes | Tailscale API key |
tailnet | string | Yes | Tailnet name (e.g., example.com) or "-" for default |
deviceId | string | Yes | Device ID |
keyExpiryDisabled | boolean | Yes | Whether to disable key expiry (true) or enable it (false) |
| Parameter | Type | Description |
|---|
success | boolean | Whether the operation succeeded |
deviceId | string | Device ID |
keyExpiryDisabled | boolean | Whether key expiry is now disabled |
Get the DNS nameservers configured for the tailnet
| Parameter | Type | Required | Description |
|---|
apiKey | string | Yes | Tailscale API key |
tailnet | string | Yes | Tailnet name (e.g., example.com) or "-" for default |
| Parameter | Type | Description |
|---|
dns | array | List of DNS nameserver addresses |
magicDNS | boolean | Whether MagicDNS is enabled |
Set the DNS nameservers for the tailnet
| Parameter | Type | Required | Description |
|---|
apiKey | string | Yes | Tailscale API key |
tailnet | string | Yes | Tailnet name (e.g., example.com) or "-" for default |
dns | string | Yes | Comma-separated list of DNS nameserver IP addresses (e.g., "8.8.8.8,8.8.4.4") |
| Parameter | Type | Description |
|---|
dns | array | Updated list of DNS nameserver addresses |
Get the DNS preferences for the tailnet including MagicDNS status
| Parameter | Type | Required | Description |
|---|
apiKey | string | Yes | Tailscale API key |
tailnet | string | Yes | Tailnet name (e.g., example.com) or "-" for default |
| Parameter | Type | Description |
|---|
magicDNS | boolean | Whether MagicDNS is enabled |
Set DNS preferences for the tailnet (enable/disable MagicDNS)
| Parameter | Type | Required | Description |
|---|
apiKey | string | Yes | Tailscale API key |
tailnet | string | Yes | Tailnet name (e.g., example.com) or "-" for default |
magicDNS | boolean | Yes | Whether to enable (true) or disable (false) MagicDNS |
| Parameter | Type | Description |
|---|
magicDNS | boolean | Updated MagicDNS status |
Get the DNS search paths configured for the tailnet
| Parameter | Type | Required | Description |
|---|
apiKey | string | Yes | Tailscale API key |
tailnet | string | Yes | Tailnet name (e.g., example.com) or "-" for default |
| Parameter | Type | Description |
|---|
searchPaths | array | List of DNS search path domains |
Set the DNS search paths for the tailnet
| Parameter | Type | Required | Description |
|---|
apiKey | string | Yes | Tailscale API key |
tailnet | string | Yes | Tailnet name (e.g., example.com) or "-" for default |
searchPaths | string | Yes | Comma-separated list of DNS search path domains (e.g., "corp.example.com,internal.example.com") |
| Parameter | Type | Description |
|---|
searchPaths | array | Updated list of DNS search path domains |
List all users in the tailnet
| Parameter | Type | Required | Description |
|---|
apiKey | string | Yes | Tailscale API key |
tailnet | string | Yes | Tailnet name (e.g., example.com) or "-" for default |
| Parameter | Type | Description |
|---|
users | array | List of users in the tailnet |
↳ id | string | User ID |
↳ displayName | string | Display name |
↳ loginName | string | Login name / email |
↳ profilePicURL | string | Profile picture URL |
↳ role | string | User role (owner, admin, member, etc.) |
↳ status | string | User status (active, suspended, etc.) |
↳ type | string | User type (member, shared, tagged) |
↳ created | string | Creation timestamp |
↳ lastSeen | string | Last seen timestamp |
↳ deviceCount | number | Number of devices owned by user |
count | number | Total number of users |
Create a new auth key for the tailnet to pre-authorize devices
| Parameter | Type | Required | Description |
|---|
apiKey | string | Yes | Tailscale API key |
tailnet | string | Yes | Tailnet name (e.g., example.com) or "-" for default |
reusable | boolean | No | Whether the key can be used more than once |
ephemeral | boolean | No | Whether devices authenticated with this key are ephemeral |
preauthorized | boolean | No | Whether devices are pre-authorized (skip manual approval) |
tags | string | Yes | Comma-separated list of tags for devices using this key (e.g., "tag:server,tag:prod") |
description | string | No | Description for the auth key |
expirySeconds | number | No | Key expiry time in seconds (default: 90 days) |
| Parameter | Type | Description |
|---|
id | string | Auth key ID |
key | string | The auth key value (only shown once at creation) |
description | string | Key description |
created | string | Creation timestamp |
expires | string | Expiration timestamp |
revoked | string | Revocation timestamp (empty if not revoked) |
capabilities | object | Key capabilities |
↳ reusable | boolean | Whether the key is reusable |
↳ ephemeral | boolean | Whether devices are ephemeral |
↳ preauthorized | boolean | Whether devices are pre-authorized |
↳ tags | array | Tags applied to devices using this key |
List all auth keys in the tailnet
| Parameter | Type | Required | Description |
|---|
apiKey | string | Yes | Tailscale API key |
tailnet | string | Yes | Tailnet name (e.g., example.com) or "-" for default |
| Parameter | Type | Description |
|---|
keys | array | List of auth keys |
↳ id | string | Auth key ID |
↳ description | string | Key description |
↳ created | string | Creation timestamp |
↳ expires | string | Expiration timestamp |
↳ revoked | string | Revocation timestamp |
↳ capabilities | object | Key capabilities |
↳ reusable | boolean | Whether the key is reusable |
↳ ephemeral | boolean | Whether devices are ephemeral |
↳ preauthorized | boolean | Whether devices are pre-authorized |
↳ tags | array | Tags applied to devices |
count | number | Total number of auth keys |
Get details of a specific auth key
| Parameter | Type | Required | Description |
|---|
apiKey | string | Yes | Tailscale API key |
tailnet | string | Yes | Tailnet name (e.g., example.com) or "-" for default |
keyId | string | Yes | Auth key ID |
| Parameter | Type | Description |
|---|
id | string | Auth key ID |
description | string | Key description |
created | string | Creation timestamp |
expires | string | Expiration timestamp |
revoked | string | Revocation timestamp |
capabilities | object | Key capabilities |
↳ reusable | boolean | Whether the key is reusable |
↳ ephemeral | boolean | Whether devices are ephemeral |
↳ preauthorized | boolean | Whether devices are pre-authorized |
↳ tags | array | Tags applied to devices using this key |
Revoke and delete an auth key
| Parameter | Type | Required | Description |
|---|
apiKey | string | Yes | Tailscale API key |
tailnet | string | Yes | Tailnet name (e.g., example.com) or "-" for default |
keyId | string | Yes | Auth key ID to delete |
| Parameter | Type | Description |
|---|
success | boolean | Whether the auth key was successfully deleted |
keyId | string | ID of the deleted auth key |
Get the current ACL policy for the tailnet
| Parameter | Type | Required | Description |
|---|
apiKey | string | Yes | Tailscale API key |
tailnet | string | Yes | Tailnet name (e.g., example.com) or "-" for default |
| Parameter | Type | Description |
|---|
acl | string | ACL policy as JSON string |
etag | string | ETag for the current ACL version (use with If-Match header for updates) |