tailscale-mcp
v2026.3.18
Secure MCP access for private infrastructure over Tailscale — 48 tools for devices, DNS, ACL, keys, users, webhooks, posture, and tailnet management via Tailscale API v2
mcp-tailscale
Secure MCP access for private infrastructure over Tailscale
The Problem
AI agents need access to internal tools, services, and infrastructure — but exposing private systems to the internet creates unacceptable security risks. VPNs are complex, SSH tunnels are fragile, and API gateways add latency and maintenance overhead.
mcp-tailscale bridges this gap: a lightweight MCP server that gives AI agents authenticated access to your tailnet's management plane (devices, DNS, ACL policy, auth keys, users, webhooks) through the Tailscale API v2, using an API key or OAuth client that you create and scope, and without exposing any of your private systems to the public internet.
What It Does
mcp-tailscale is an MCP Gateway Runtime that connects AI agents (Claude, GPT, custom) to the management plane of your Tailscale network. It provides 48 tools across 9 domains for managing devices, DNS, ACL policies, auth keys, users, webhooks, posture integrations, and tailnet settings, all through the Tailscale API v2.
No SSH. No shell execution. API-only: the server talks to the Tailscale API (api.tailscale.com, or TAILSCALE_API_URL), never to your devices directly. 4 runtime dependencies.
Use Cases
- DevOps Automation — Let AI agents manage device authorization, subnet routes, and ACL policies across your tailnet
- DNS Management — Configure split DNS, global nameservers, and MagicDNS through natural language
- Security Auditing — Automated ACL policy validation, posture compliance checks, and key rotation
- Fleet Management — Monitor device status, manage tags, and onboard new devices at scale
- Infrastructure as Conversation — Query and modify your private network configuration through AI-driven workflows
Quick Start
Install from npm
npm install -g tailscale-mcp
Or clone and build from source
git clone https://github.com/itunified-io/mcp-tailscale.git
cd mcp-tailscale
npm install
cp .env.example .env # Edit with your Tailscale API key and tailnet name
npm run build
node dist/index.js # stdio transport for MCP
Claude Code Integration
Add to .mcp.json in your project root. A project-scoped .mcp.json is normally committed, so do not paste the real credential into it: inject it from the environment or keep it in user-level configuration and leave only a placeholder here.
{
"mcpServers": {
"tailscale": {
"command": "node",
"args": ["/path/to/mcp-tailscale/dist/index.js"],
"env": {
"TAILSCALE_API_KEY": "your-api-key-here",
"TAILSCALE_TAILNET": "your-tailnet-name"
},
"comment": "Or use OAuth: TAILSCALE_OAUTH_CLIENT_ID + TAILSCALE_OAUTH_CLIENT_SECRET instead of TAILSCALE_API_KEY"
}
}
}
Features
48 tools across 9 domains:
- Devices — List, get, delete, authorize, expire, rename devices; manage routes, tags, and posture attributes
- DNS — Global nameservers, search paths, split DNS configuration, MagicDNS preferences
- ACL — Get, set, preview, validate, and test ACL policies
- Keys — List, get, create, and revoke auth keys
- Tailnet — Settings (read/write), contacts, Tailnet Lock status
- Users — List and get tailnet users with role/type filtering
- Webhooks — Create, list, get, and delete webhook endpoints
- Posture Integrations — List, get, create, and delete third-party posture provider integrations
- Diagnostics — Tailnet status summary, API connectivity check, log streaming, DERP map
Authentication: API key or OAuth client credentials (auto-refresh)
Skills
Claude Code skills compose MCP tools into higher-level workflows. See .claude/skills/README.md for detailed documentation.
| Skill | Slash Command | Description |
|-------|--------------|-------------|
| tailscale-health | /ts-health | Tailnet health dashboard — devices, DNS, ACL, keys, connectivity |
| tailscale-live-test | /ts-test | Live integration test — read + safe writes with cleanup |
| tailscale-acl-management | — | ACL policy management — view, edit, validate, test, drift detection |
| tailscale-device-management | — | Device management — list, authorize, routes, tags, posture |
| tailscale-dns-management | — | DNS management — split DNS, nameservers, search paths, MagicDNS |
| tailscale-key-management | — | Auth key management — create, list, rotate, revoke |
| tailscale-onboarding | — | New device onboarding — auth key, authorize, tags, routes, verify |
SSE Transport
By default, mcp-tailscale uses stdio transport, so the only client is the local process that spawned it. To enable HTTP/SSE:
export TAILSCALE_MCP_TRANSPORT=sse
export TAILSCALE_MCP_AUTH_TOKEN=your-secret-token
export TAILSCALE_MCP_PORT=3000 # optional, default: 3000
export TAILSCALE_MCP_HOST=localhost # optional, default: localhost
node dist/index.js
All requests require Authorization: Bearer <token>. The server will not start without TAILSCALE_MCP_AUTH_TOKEN.
That bearer token is the only thing between a network peer and your Tailscale credential, and the listener speaks plain HTTP. Keep the default localhost bind unless the host is reachable only over the tailnet (for example bound to the machine's Tailscale address, or with TLS terminated in front of it by tailscale serve), and generate the token with a CSPRNG (for example openssl rand -hex 32) rather than choosing a memorable string.
Configuration
| Variable | Required | Default | Description |
|----------|----------|---------|-------------|
| TAILSCALE_API_KEY | Yes* | — | Tailscale API key (from admin console > Settings > Keys) |
| TAILSCALE_OAUTH_CLIENT_ID | Yes* | — | OAuth client ID (from admin console > Settings > OAuth) |
| TAILSCALE_OAUTH_CLIENT_SECRET | Yes* | — | OAuth client secret |
| TAILSCALE_TAILNET | Yes | — | Tailnet name (e.g., example.com or your org name); the Tailscale API also accepts the literal value "-" to mean the default tailnet of the credential |
| TAILSCALE_API_URL | No | https://api.tailscale.com | API base URL (override for testing) |
| TAILSCALE_TIMEOUT | No | 30000 | Request timeout in milliseconds |
*Either TAILSCALE_API_KEY or both TAILSCALE_OAUTH_CLIENT_ID + TAILSCALE_OAUTH_CLIENT_SECRET must be set. OAuth takes priority when both are configured.
Authentication
API Key: Create at login.tailscale.com/admin/settings/keys. The key needs read/write access to the resources you want to manage. An API access token carries the permissions of the user who created it, so create it as the least-privileged account that can still do what the agent needs, give it a short expiry, and treat TAILSCALE_API_KEY as a secret (environment variable or secret store, never a committed file).
OAuth Client Credentials: Create at login.tailscale.com/admin/settings/oauth. OAuth tokens auto-refresh before expiry. Recommended for automated/service integrations: an OAuth client is created with an explicit set of scopes, so grant only the domains the agent will actually use (an auditing agent needs read scopes for devices, DNS and policy, not the ability to mint auth keys or rewrite the ACL), and rotate the client secret on the same schedule as your other service credentials.
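The client-credentials exchange and the "auto-refresh before expiry" behaviour described above, as an added example in the project's language. This is not mcp-tailscale's implementation: the token endpoint and grant type are Tailscale's documented ones, while the helper names, the 60 second refresh margin and the FetchLike type are this example's choices, and the fetch implementation is injected so the logic can be exercised offline.

```typescript
// Added example, not mcp-tailscale's own code: OAuth client-credentials flow
// against Tailscale's token endpoint with refresh-before-expiry and
// single-flight refresh. Helper names and the margin are this example's.

const TOKEN_URL = "https://api.tailscale.com/api/v2/oauth/token";

export interface CachedToken {
  accessToken: string;
  expiresAtMs: number; // absolute wall-clock expiry, fixed when the token arrived
}

// Fields of the token endpoint's JSON body this code relies on.
interface TokenResponse {
  access_token: string;
  expires_in: number; // seconds
}

// A token is usable only if it outlives the request about to carry it, so
// anything inside the margin is treated as already expired.
export function needsRefresh(cached: CachedToken | null, nowMs: number, marginMs = 60_000): boolean {
  return cached === null || cached.expiresAtMs - nowMs <= marginMs;
}

export function parseTokenResponse(body: TokenResponse, nowMs: number): CachedToken {
  if (typeof body.access_token !== "string" || body.access_token.length === 0) {
    throw new Error("token response has no access_token");
  }
  if (typeof body.expires_in !== "number" || !Number.isFinite(body.expires_in) || body.expires_in <= 0) {
    throw new Error("token response has no usable expires_in");
  }
  return { accessToken: body.access_token, expiresAtMs: nowMs + body.expires_in * 1000 };
}

// Narrow fetch signature so the flow can be driven by a stub in tests.
export type FetchLike = (
  url: string,
  init: { method: string; headers: Record<string, string>; body: string },
) => Promise<{ ok: boolean; status: number; json(): Promise<unknown> }>;

function formEncode(fields: Record<string, string>): string {
  return Object.entries(fields)
    .map(([k, v]) => `${encodeURIComponent(k)}=${encodeURIComponent(v)}`)
    .join("&");
}

// Returns an async getToken() to call per API request. Concurrent callers
// during a refresh share one in-flight exchange instead of each minting a token.
export function makeTokenSource(
  clientId: string,
  clientSecret: string,
  fetchImpl: FetchLike,
  clock: () => number = Date.now,
): () => Promise<string> {
  let cached: CachedToken | null = null;
  let inflight: Promise<string> | null = null;

  return async function getToken(): Promise<string> {
    const current = cached;
    if (current !== null && !needsRefresh(current, clock())) return current.accessToken;
    if (inflight !== null) return inflight;

    inflight = (async () => {
      const res = await fetchImpl(TOKEN_URL, {
        method: "POST",
        headers: { "Content-Type": "application/x-www-form-urlencoded" },
        body: formEncode({ grant_type: "client_credentials", client_id: clientId, client_secret: clientSecret }),
      });
      // Report the status only; never echo the request body, which holds the secret.
      if (!res.ok) throw new Error(`token endpoint returned HTTP ${res.status}`);
      const fresh = parseTokenResponse((await res.json()) as TokenResponse, clock());
      cached = fresh;
      return fresh.accessToken;
    })();
    try {
      return await inflight;
    } finally {
      inflight = null;
    }
  };
}
```

Wire getToken into the API client so each request calls it and sends the result as Authorization: Bearer; the cache means that costs nothing until the token is within the margin of expiry, and the single-flight guard means a burst of tool calls after expiry produces one token exchange, not one per call.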
Tools
Devices (11 tools)
| Tool | Description |
|------|-------------|
| tailscale_device_list | List all devices in the tailnet |
| tailscale_device_get | Get device details by ID |
| tailscale_device_delete | Delete a device (requires confirm: true) |
| tailscale_device_authorize | Authorize a pending device |
| tailscale_device_routes_get | Get advertised and enabled routes |
| tailscale_device_routes_set | Set enabled subnet routes |
| tailscale_device_tags_set | Set ACL tags on a device |
| tailscale_device_posture_get | Get custom posture attributes |
| tailscale_device_posture_set | Set a custom posture attribute |
| tailscale_device_expire | Expire a device key (requires confirm: true) |
| tailscale_device_rename | Set a custom display name for a device |
DNS (8 tools)
| Tool | Description |
|------|-------------|
| tailscale_dns_nameservers_get | Get global DNS nameservers |
| tailscale_dns_nameservers_set | Set global DNS nameservers |
| tailscale_dns_searchpaths_get | Get DNS search paths |
| tailscale_dns_searchpaths_set | Set DNS search paths |
| tailscale_dns_splitdns_get | Get split DNS configuration |
| tailscale_dns_splitdns_set | Update split DNS configuration (PATCH) |
| tailscale_dns_preferences_get | Get DNS preferences (MagicDNS) |
| tailscale_dns_preferences_set | Set DNS preferences |
ACL (5 tools)
| Tool | Description |
|------|-------------|
| tailscale_acl_get | Get the current ACL policy |
| tailscale_acl_set | Replace the ACL policy (requires confirm: true) |
| tailscale_acl_preview | Preview ACL policy for a user or IP |
| tailscale_acl_validate | Validate an ACL policy without applying |
| tailscale_acl_test | Run ACL tests defined in the policy |
Keys (4 tools)
| Tool | Description |
|------|-------------|
| tailscale_key_list | List all auth keys |
| tailscale_key_get | Get auth key details |
| tailscale_key_create | Create a new auth key |
| tailscale_key_delete | Delete an auth key (requires confirm: true) |
Tailnet (5 tools)
| Tool | Description |
|------|-------------|
| tailscale_tailnet_settings_get | Get tailnet settings |
| tailscale_tailnet_settings_update | Update tailnet settings (requires confirm: true) |
| tailscale_tailnet_contacts_get | Get tailnet contact emails |
| tailscale_tailnet_contacts_set | Update tailnet contacts (requires confirm: true) |
| tailscale_tailnet_lock_status | Get Tailnet Lock status |
Users (2 tools)
| Tool | Description |
|------|-------------|
| tailscale_user_list | List all users (filter by type/role) |
| tailscale_user_get | Get user details by ID |
Webhooks (4 tools)
| Tool | Description |
|------|-------------|
| tailscale_webhook_list | List all webhook endpoints |
| tailscale_webhook_create | Create a webhook endpoint |
| tailscale_webhook_get | Get webhook details by ID |
| tailscale_webhook_delete | Delete a webhook (requires confirm: true) |
Posture Integrations (4 tools)
| Tool | Description |
|------|-------------|
| tailscale_posture_integration_list | List all posture provider integrations |
| tailscale_posture_integration_get | Get posture integration details by ID |
| tailscale_posture_integration_create | Create a posture provider integration |
| tailscale_posture_integration_delete | Delete a posture integration (requires confirm: true) |
Diagnostics (5 tools)
| Tool | Description |
|------|-------------|
| tailscale_status | Tailnet status summary (device counts, online/offline) |
| tailscale_api_verify | Verify API connectivity and authentication |
| tailscale_log_stream_get | Get log streaming configuration |
| tailscale_log_stream_set | Set log streaming configuration (requires confirm: true) |
| tailscale_derp_map | Get DERP relay map |
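The "(requires confirm: true)" gate that the tables above attach to every destructive tool, written as one chokepoint every call passes through. This is an added example in the project's language, not mcp-tailscale's own implementation; the tool names are taken from the tables, while DESTRUCTIVE_TOOLS, gateToolCall and GateResult are hypothetical names. The point it makes beyond the tables: only the JSON boolean true counts, and the confirm flag is stripped before anything is forwarded to the Tailscale API.

```typescript
// Added example, not mcp-tailscale's own code: a single confirm gate for the
// tools the README marks "(requires confirm: true)". Names are hypothetical.

// Exactly the nine tools the tool tables flag as destructive.
export const DESTRUCTIVE_TOOLS: ReadonlySet<string> = new Set([
  "tailscale_device_delete",
  "tailscale_device_expire",
  "tailscale_acl_set",
  "tailscale_key_delete",
  "tailscale_tailnet_settings_update",
  "tailscale_tailnet_contacts_set",
  "tailscale_webhook_delete",
  "tailscale_posture_integration_delete",
  "tailscale_log_stream_set",
]);

export type GateResult =
  | { allowed: true; args: Record<string, unknown> }
  | { allowed: false; error: string };

export function gateToolCall(tool: string, rawArgs: unknown): GateResult {
  // Tool arguments arrive as model-produced JSON; never assume their shape.
  if (rawArgs === null || typeof rawArgs !== "object" || Array.isArray(rawArgs)) {
    return { allowed: false, error: `${tool}: arguments must be a JSON object` };
  }
  const args = rawArgs as Record<string, unknown>;

  if (!DESTRUCTIVE_TOOLS.has(tool)) {
    return { allowed: true, args };
  }

  // Only the JSON boolean `true` counts. The string "true", 1 or "yes" are
  // exactly what a model emits when it is guessing, so they are refused and
  // the error tells it what to do instead of what to say.
  if (args.confirm !== true) {
    return {
      allowed: false,
      error: `${tool} is destructive; review what it will change, then call it again with confirm: true`,
    };
  }

  // The flag is a contract between agent and server, not a Tailscale API
  // field, so drop it before the arguments become a request body.
  const forwarded: Record<string, unknown> = {};
  for (const [key, value] of Object.entries(args)) {
    if (key !== "confirm") forwarded[key] = value;
  }
  return { allowed: true, args: forwarded };
}
```

Run every tool invocation through gateToolCall before dispatching to the handler; the set of destructive names lives in one place, so adding a tool to it is the whole change when a new write endpoint is wrapped.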
Architecture
See ARCHITECTURE.md for detailed architecture diagrams and component descriptions.
Roadmap
See ROADMAP.md for the product development roadmap.
Development
npm run build # Compile TypeScript
npm test # Run unit tests (vitest)
npm run typecheck # Type check only (no emit)
See CONTRIBUTING.md for contribution guidelines. See docs/api-reference.md for the Tailscale API v2 endpoint mapping.
Open Source
mcp-tailscale is the community edition — a fully functional MCP Gateway Runtime under AGPL-3.0. Self-host it, contribute to it, build on it.
What you get with the open-source edition:
- Complete Tailscale API v2 coverage (48 tools, 9 domains)
- stdio and SSE transport
- API key and OAuth authentication
- Zod-validated inputs, structured error handling
- Claude Code skills for common workflows
- Full test suite (vitest)
Commercial
For organizations that need governance, compliance, and multi-tenant capabilities on top of the open-source runtime, we offer commercial editions with enterprise features.
Planned enterprise capabilities:
- Role-based access control (RBAC)
- OIDC/SAML single sign-on
- Audit event logging
- Policy engine for tool access control
- Multi-tenant isolation
- Commercial license (no AGPL obligations)
- Priority support and SLA
See PRODUCT_PACKAGING.md for tier details.
Contact us: GitHub Sponsors
License
This project is dual-licensed:
- Open Source: GNU Affero General Public License v3.0 (AGPL-3.0) — free for open-source and non-commercial use
- Commercial: Available for proprietary integrations — see COMMERCIAL_LICENSE.md
If you use mcp-tailscale in a proprietary product or SaaS offering, a commercial license is required. Support development by sponsoring us on GitHub.
