Tailscale
01README
Tailscale tailnet management — 10 model types covering devices, users, ACLs, DNS, auth keys, webhooks, settings, contacts, posture, and log config. 22 workflows for device inventory, user lifecycle, ACL audit, security audit, compliance, incident response, monitoring, and more. Fix: OAuth token cache now keys on credentials so different tailnets/OAuth clients no longer share tokens.
02Models
tailscale/posture.tsv2026.02.28.1
fn list()
List all posture integrations. Produces one resource instance per integration (factory pattern).
fn get(integrationId: string)
Get a posture integration by ID.
| Argument | Type | Description |
|---|---|---|
| integrationId | string | Posture integration ID |
fn create(provider: string, cloudId: string, clientId: string, tenantId: string)
Create a new posture integration.
| Argument | Type | Description |
|---|---|---|
| provider | string | Provider name |
| cloudId | string | |
| clientId | string | |
| tenantId | string |
fn update(integrationId: string, cloudId: string, clientId: string, tenantId: string)
Update a posture integration.
| Argument | Type | Description |
|---|---|---|
| integrationId | string | Posture integration ID |
| cloudId | string | |
| clientId | string | |
| tenantId | string |
fn delete()
Delete a posture integration.
tailscale/contact.tsv2026.02.28.1
fn get()
Get tailnet contact information.
fn update(email: string)
Update a contact email. A verification email will be sent if the address changes.
| Argument | Type | Description |
|---|---|---|
| string | New email address |
tailscale/tailnet_settings.tsv2026.02.28.1
fn get()
Get current tailnet settings.
fn update(devicesApprovalOn: boolean, devicesAutoUpdatesOn: boolean, devicesKeyDurationDays: number, usersApprovalOn: boolean, usersRoleAllowedToJoinExternalTailnets: string, networkFlowLoggingOn: boolean, regionalRoutingOn: boolean, postureIdentityCollectionOn: boolean)
Update tailnet settings (partial update).
| Argument | Type | Description |
|---|---|---|
| devicesApprovalOn | boolean | |
| devicesAutoUpdatesOn | boolean | |
| devicesKeyDurationDays | number | |
| usersApprovalOn | boolean | |
| usersRoleAllowedToJoinExternalTailnets | string | |
| networkFlowLoggingOn | boolean | |
| regionalRoutingOn | boolean | |
| postureIdentityCollectionOn | boolean |
tailscale/acl.tsv2026.02.28.1
fn get()
Get the current ACL policy as JSON.
fn getRaw()
Get the current ACL policy as HuJSON (raw text).
fn set()
Set the ACL policy. Optionally provide an ETag for conditional update.
fn validate()
Validate an ACL policy without applying it.
tailscale/log_config.tsv2026.02.28.1
fn get()
Get log streaming configuration for a log type.
fn set()
Set log streaming configuration for a log type.
fn delete()
Delete log streaming configuration for a log type.
tailscale/device.tsv2026.02.28.1
fn list()
List all devices in the tailnet. Produces one resource instance per device (factory pattern).
fn get(deviceId: string)
Get a single device by ID.
| Argument | Type | Description |
|---|---|---|
| deviceId | string | Device ID |
fn delete(deviceId: string)
Delete a device from the tailnet.
| Argument | Type | Description |
|---|---|---|
| deviceId | string | Device ID to delete |
fn authorize(deviceId: string)
Authorize or deauthorize a device.
| Argument | Type | Description |
|---|---|---|
| deviceId | string | Device ID |
fn setTags(deviceId: string)
Set ACL tags on a device.
| Argument | Type | Description |
|---|---|---|
| deviceId | string | Device ID |
fn setKey(deviceId: string)
Set key expiry properties on a device (enable/disable key expiry).
| Argument | Type | Description |
|---|---|---|
| deviceId | string | Device ID |
fn setRoutes(deviceId: string)
Set subnet routes for a device.
| Argument | Type | Description |
|---|---|---|
| deviceId | string | Device ID |
fn getRoutes(deviceId: string)
Get advertised and enabled subnet routes for a device.
| Argument | Type | Description |
|---|---|---|
| deviceId | string | Device ID |
fn setName(deviceId: string, name: string)
Rename a device.
| Argument | Type | Description |
|---|---|---|
| deviceId | string | Device ID |
| name | string | New device name (FQDN) |
fn setIPv4(deviceId: string, ipv4: string)
Set the Tailscale IPv4 address of a device.
| Argument | Type | Description |
|---|---|---|
| deviceId | string | Device ID |
| ipv4 | string | New IPv4 address |
fn getPosture(deviceId: string)
Get posture attributes for a device.
| Argument | Type | Description |
|---|---|---|
| deviceId | string | Device ID |
Resources
device— Tailscale device
routes— Device subnet routes (advertised and enabled)
tailscale/webhook.tsv2026.02.28.1
fn list()
List all webhooks in the tailnet. Produces one resource instance per webhook (factory pattern).
fn get(endpointId: string)
Get a single webhook by endpoint ID.
| Argument | Type | Description |
|---|---|---|
| endpointId | string | Webhook endpoint ID |
fn create(endpointUrl: string)
Create a new webhook.
| Argument | Type | Description |
|---|---|---|
| endpointUrl | string | URL to receive webhook events |
fn update(endpointId: string)
Update a webhook
| Argument | Type | Description |
|---|---|---|
| endpointId | string | Webhook endpoint ID |
fn delete(endpointId: string)
Delete a webhook.
| Argument | Type | Description |
|---|---|---|
| endpointId | string | Webhook endpoint ID to delete |
fn test(endpointId: string)
Send a test event to a webhook.
| Argument | Type | Description |
|---|---|---|
| endpointId | string | Webhook endpoint ID to test |
fn rotateSecret()
Rotate the secret for a webhook.
tailscale/dns.tsv2026.02.28.1
fn getNameservers()
Get DNS nameservers for the tailnet.
fn setNameservers()
Set DNS nameservers for the tailnet.
fn getSearchPaths()
Get DNS search paths for the tailnet.
fn setSearchPaths()
Set DNS search paths for the tailnet.
fn getPreferences()
Get DNS preferences (MagicDNS status).
fn setPreferences()
Enable or disable MagicDNS.
fn getSplitDns()
Get split DNS configuration.
fn setSplitDns()
Set split DNS configuration (full replace).
fn updateSplitDns()
Partially update split DNS configuration.
Resources
nameservers— DNS nameservers configured for the tailnet
searchPaths— DNS search paths configured for the tailnet
preferences— DNS preferences (MagicDNS status)
tailscale/user.tsv2026.02.28.1
fn list()
List all users in the tailnet. Produces one resource instance per user (factory pattern).
fn get(userId: string)
Get a single user by ID.
| Argument | Type | Description |
|---|---|---|
| userId | string | User ID |
fn approve(userId: string)
Approve a pending user.
| Argument | Type | Description |
|---|---|---|
| userId | string | User ID to approve |
fn suspend(userId: string)
Suspend a user.
| Argument | Type | Description |
|---|---|---|
| userId | string | User ID to suspend |
fn restore(userId: string)
Restore a suspended user.
| Argument | Type | Description |
|---|---|---|
| userId | string | User ID to restore |
fn delete(userId: string)
Delete a user from the tailnet.
| Argument | Type | Description |
|---|---|---|
| userId | string | User ID to delete |
fn setRole(userId: string)
Update a user
| Argument | Type | Description |
|---|---|---|
| userId | string | User ID |
tailscale/auth_key.tsv2026.02.28.1
fn list()
List all auth keys in the tailnet. Produces one resource instance per key (factory pattern).
fn get(keyId: string)
Get an auth key by ID.
| Argument | Type | Description |
|---|---|---|
| keyId | string | Auth key ID |
fn create()
Create a new auth key.
fn delete(keyId: string)
Delete an auth key.
| Argument | Type | Description |
|---|---|---|
| keyId | string | Auth key ID to delete |
03Workflows
user-onboard03ceb53d-0eb8-4aaa-8d16-117d20984a61
Onboard a new user — approve them and create a pre-authorized auth key
onboardApprove the user and generate an auth key for their devices
1.approve-user— Approve the pending user
2.create-key— Create a pre-authorized auth key for the new user
user-offboardbf49eb37-9974-4c99-b54c-55c7c9115acb
Offboard a user — suspend them and list their devices for cleanup
offboardSuspend the user and discover their devices
1.suspend-user— Suspend the user account
2.list-devices— List all devices to identify those belonging to the suspended user
acl-auditfac4883d-5945-4593-83a1-e4b3e3d0c6a6
Full ACL audit — collect the current ACL policy, all devices, and all users for cross-referencing
collectGather ACL policy, devices, and users for audit analysis
1.get-acl— Fetch the current ACL policy
2.list-devices— List all devices for cross-referencing with ACL rules
3.list-users— List all users for cross-referencing with ACL groups
device-authorize939acc93-d489-4428-bc1a-4d14678ae12b
Authorize a pending device to join the tailnet
authorizeAuthorize the specified device
1.authorize-device— Set the device as authorized
dns-overview2995ca75-98d6-4c21-8ef4-55bb91e6d8d9
Complete DNS configuration snapshot — nameservers, search paths, MagicDNS preferences, and split DNS
collectGather all DNS configuration from the tailnet
1.nameservers— Fetch configured DNS nameservers
2.search-paths— Fetch DNS search paths
3.preferences— Fetch MagicDNS preferences
4.split-dns— Fetch split DNS configuration
tailnet-overview0665d0c1-efce-4ead-84f7-e2b359319580
Complete tailnet summary — devices, users, DNS nameservers, ACL policy, and tailnet settings
overviewCollect all tailnet resources for a comprehensive overview
1.list-devices— Fetch all devices in the tailnet
2.list-users— Fetch all users in the tailnet
3.get-nameservers— Fetch DNS nameserver configuration
4.get-acl— Fetch the current ACL policy
5.get-settings— Fetch tailnet settings
device-posture-auditeccbaba1-896d-4c11-81d3-6e8aa8148403
Collect posture data for all devices — discover the fleet and posture integrations, then gather posture attributes per device
discoverList all devices and posture integrations
1.list-devices— Fetch all devices in the tailnet
2.list-posture-integrations— Fetch all posture integration configurations
collect-postureCollect posture attributes for each discovered device
1.get-posture-${{ self.device.attributes.id }}— Get posture attributes for this device
stale-device-cleanup4402a6ef-a48c-46d6-a00c-441ef7f2afc7
Find all devices in the tailnet and quarantine stale ones — deauthorize and tag as stale
discoverList all devices in the tailnet for stale device identification
1.list-devices— Fetch all devices with connectivity and last-seen info
quarantineDeauthorize and tag each stale device
1.deauthorize-${{ self.device }}— Deauthorize the stale device
2.tag-stale-${{ self.device }}— Apply tag:stale to the device
enable-monitoringdb142c7e-c0ab-47d9-b1af-ae66b8157198
Set up webhook monitoring and enable flow logging — configure log streaming, then create and test a webhook for security events
configureEnable network flow logging and set up log streaming
1.enable-flow-logging— Enable network flow logging in tailnet settings
2.set-log-streaming— Configure network log streaming destination
setup-webhooksCreate a webhook for security events and send a test event
1.create-webhook— Create webhook endpoint with security event subscriptions
webhook-setupc68d9a67-3f7a-49ea-b1f7-0ee821df8bd8
Create a new webhook and send a test event to verify delivery
setupCreate the webhook and verify with a test event
1.create-webhook— Create the webhook endpoint with specified subscriptions
subnet-route-audit80bcbc86-9d2a-42be-910a-6de068c05c54
Audit all device subnet routes — discover devices then collect advertised and enabled routes for each
discoverList all devices in the tailnet
1.list-devices— Fetch all devices to identify which ones to inspect
inspect-routesCollect subnet routes for each discovered device
1.get-routes-${{ self.device.attributes.id }}— Get advertised and enabled routes for this device
incident-response2d2c1077-4c2e-4174-8b00-1df8853bd115
Emergency device lockdown — deauthorize a suspect device, tag for investigation, collect routes and posture for forensics
lockdownDeauthorize the device and tag it for investigation
1.deauthorize— Immediately deauthorize the suspect device
2.tag-investigation— Apply investigation tag to the locked-down device
forensicsCollect routes and posture data for forensic analysis
1.collect-routes— Get subnet routes from the locked-down device
2.collect-posture— Get posture attributes from the locked-down device
device-quarantinee369531b-6cec-4119-a02e-457fe27486df
Quarantine a device — deauthorize it and apply a quarantine tag
quarantineDeauthorize the device and tag it as quarantined
1.deauthorize— Revoke device authorization
2.tag-quarantined— Apply tag:quarantined to the device
acl-updated90fbfb6-3f0a-4d71-b096-7beb79c1e1d8
Validate then apply ACL changes — validation must pass before the policy is set
validateValidate the ACL policy without applying
1.validate-acl— Run ACL validation against the Tailscale API
applyApply the validated ACL policy
1.set-acl— Set the validated ACL policy
network-config-backupb5d21856-81d7-4eae-94db-79064d0c434a
Full network configuration export — DNS (nameservers, search paths, MagicDNS, split DNS), ACL (JSON + raw HuJSON), and tailnet settings
backupCollect all network configuration in parallel
1.get-nameservers— Fetch DNS nameserver configuration
2.get-search-paths— Fetch DNS search path configuration
3.get-dns-preferences— Fetch DNS preferences including MagicDNS status
4.get-split-dns— Fetch split DNS configuration
5.get-acl-json— Fetch the current ACL policy as JSON
6.get-acl-raw— Fetch the current ACL policy as raw HuJSON
7.get-settings— Fetch tailnet settings
compliance-snapshotc1f67910-2344-499b-9deb-deb20a300267
Full compliance data collection — tailnet settings, contacts, ACL policy, posture integrations, log config, all users, and all devices
collectGather all compliance-relevant data in parallel
1.get-settings— Fetch tailnet settings for compliance review
2.get-contacts— Fetch tailnet contact information
3.get-acl— Fetch the current ACL policy
4.list-posture— Fetch all posture integrations
5.get-network-log-config— Fetch network log streaming configuration
6.list-users— Fetch all users for compliance review
7.list-devices— Fetch all devices for compliance review
full-user-offboard3a730a3a-5f96-4967-a7fe-0f2c1bb15072
Complete user offboarding — suspend the user, snapshot ACL, list all devices and auth keys, then fetch device details for cleanup
lockoutSuspend the user immediately
1.suspend-user— Suspend the user account to revoke access
audit-collectCollect all data needed for cleanup and compliance
1.snapshot-acl— Snapshot the ACL policy for audit record
2.list-devices— List all devices to identify the offboarded user's devices
3.list-keys— List all auth keys to find keys created by the user
4.get-settings— Capture tailnet settings for compliance record
device-detailFetch full details for each device to identify the offboarded user's devices
1.get-device-${{ self.device.attributes.id }}— Fetch full device details
security-audit21b4d635-da69-4d18-a050-2e82c4e2f8fc
Full security posture audit — devices, users, ACL policy, webhooks, and tailnet settings
collectGather all security-relevant resources from the tailnet
1.list-devices— Fetch all devices to check authorization status, key expiry, and tags
2.list-users— Fetch all users to check roles and approval status
3.get-acl— Fetch the ACL policy for rule analysis
4.list-webhooks— Fetch webhooks to verify security event monitoring
5.get-settings— Fetch tailnet settings to verify security configuration
full-user-onboard5f948494-3568-4aa1-93dc-51665d028007
Complete user onboarding — snapshot ACL and settings for audit trail, approve the user, set their role, create a pre-authorized auth key, then verify
baselineSnapshot current state before making changes (audit trail)
1.snapshot-acl— Snapshot the current ACL policy before onboarding changes
2.get-settings— Capture current tailnet settings
3.list-webhooks— List existing webhooks for reference
provisionApprove the user, set their role, and create an auth key
1.approve-user— Approve the pending user account
2.set-role— Set the user's role
3.create-auth-key— Create a pre-authorized ephemeral auth key for the user's first device
verifyVerify the onboarding completed successfully
1.list-users— Re-list users to confirm the new user is active
key-rotation61c96c57-4dc4-4612-ab5f-c3a5bdf66a34
Rotate auth keys — list existing keys and create a new replacement key
rotateList current keys and create a new key
1.list-keys— List all existing auth keys to review before rotation
2.create-new-key— Create a new pre-authorized auth key
user-access-review86bc7c06-40af-461b-8b27-515a217273a9
User access review — collect all users, devices, ACL policy, and auth keys, then fetch full profiles for each user
collectList users, devices, ACL, and auth keys in parallel
1.list-users— Fetch all users in the tailnet
2.list-devices— Fetch all devices for cross-referencing with users
3.get-acl— Fetch the ACL policy for access rule analysis
4.list-keys— Fetch all auth keys to identify key ownership
detailFetch full profile for each discovered user
1.get-user-${{ self.user.attributes.id }}— Fetch full user profile
device-inventorya9b72570-66a9-42d2-bd26-5fe746115d8e
Discover all devices in the tailnet — hostname, OS, user, authorization status, tags, connectivity, and key expiry
discoverList all devices in the tailnet
1.list-devices— Fetch all devices with their status, tags, and connectivity info
04Previous Versions
2026.02.28.3Feb 28, 2026
05Stats
Downloads
13
Archive size
23.5 KB
Not yet scored.
A score will be generated the next time this extension is published. The owner can also trigger scoring manually.
06Platforms
07Labels