# Tailscale MCP

> Tailscale MCP gives your agent full administrative control over a zero-trust mesh network. List devices, adjust access rules (ACLs), manage user identities, and audit node keys—all through natural conversation. Manage your private infrastructure without leaving your chat client.

## Overview
- **Category:** loved-by-devs
- **Price:** Free
- **Tags:** vpn, zero-trust, mesh-network, network-security, acl, remote-access

## Description

Connecting your Tailscale network to this MCP lets your AI agent act as an administrator for your entire zero-trust infrastructure. You gain complete visibility into every device connected to your tailnet, meaning you can query details about specific nodes or check the status of all registered machines instantly. Need to tighten security? Your agent handles updating complex access control policies (ACLs), allowing you to manage network permissions without ever touching a web console or writing a manual policy file. It also manages authentication keys and users, letting you automate node joining or audit who's on the network right now. You can even delete decommissioned devices securely using their unique IDs. By connecting this MCP via Vinkius, your AI client gets all these administrative tools in one place, turning tedious infrastructure management into simple conversation.

## Tools

### authorize_device
Approves a machine joining your tailnet.

### create_auth_key
Generates a new, reusable authentication key for the network.

### delete_auth_key
Removes an existing authentication key from the system.

### delete_device
Permanently removes a specified device from your tailnet inventory.

### get_tailnet_acl
Retrieves a full copy of the current network access control policy (ACL).

### get_auth_key
Fetches details about an existing authentication key.

### get_device
Retrieves specific operational details for a single device on the network.

### get_user
Fetches detailed profile data for a specified user account.

### list_auth_keys
Lists all current authentication keys associated with the network.

### list_tailnet_devices
Provides a comprehensive list of every device connected to the tailnet.

### list_users
Lists all user accounts registered within the network.

### update_tailnet_acl
Modifies or updates the entire set of network access control policies (ACLs).

### update_device_tags
Adds, changes, or removes organizational tags from one or more devices.

## Prompt Examples

**Prompt:** 
```
List all devices in the tailnet 'mycompany.com'.
```

**Response:** 
```
I've retrieved the device list for mycompany.com. You have 12 active nodes, including 'web-server-01' (ID: 14023) and 'dev-laptop' (ID: 15092). Would you like details on a specific one?
```

**Prompt:** 
```
Show me the current ACL policy for my default tailnet.
```

**Response:** 
```
Fetching the HuJSON policy... Here is your current ACL. It defines 5 groups and 12 access rules. Would you like me to help you update any specific rule?
```

**Prompt:** 
```
Create a new reusable auth key for the tailnet 'example.com'.
```

**Response:** 
```
I've created a new reusable auth key for example.com. The key ID is 'key-abc123xyz'. Please make sure to store it securely as it won't be shown again.
```

## Capabilities

### Manage Node Inventory
List every connected machine or retrieve detailed information on a specific device within the tailnet.

### Control Network Access Rules
Fetch and update complex access control policies, defining exactly which users and devices can communicate across your network.

### Audit User and Key Status
List all registered users or generate, list, and delete authentication keys for automated node joining.

### Secure Device Lifecycle Management
Authorize new machines to join the network, update device tags for organization, or securely remove retired devices.

## Use Cases

### A new developer needs access.
The IT Admin asks their agent: 'I need to add Bob's laptop and make sure he can talk to the database.' The agent runs `authorize_device` for the machine, updates the ACL using `update_tailnet_acl`, and tags it correctly with `update_device_tags`. Done in three prompts.

### Security audit after a breach.
The Security Analyst asks: 'Show me every user and what access they have.' The agent uses `list_users` to get the roster, then runs `get_tailnet_acl`, providing an immediate, auditable snapshot of all network permissions.

### Automating CI/CD deployment.
The DevOps Engineer needs a temporary key for a test runner. They prompt: 'Create a reusable auth key for the staging environment.' The agent uses `create_auth_key`, providing the necessary ID for secure vault storage.

### Cleaning up old infrastructure.
The IT Admin notices an old IP address that should be gone. They prompt: 'Delete device 14023.' The agent uses `delete_device` to ensure the machine is fully removed from the active tailnet inventory.

## Benefits

- Stop context switching. You never need to jump from the Tailscale console to a terminal or another dashboard. Your agent performs admin tasks directly within your chat interface, saving you clicks and time.
- Enforce strict security policies on demand. Need to change who can talk to what? Use the MCP to update network access control policies (ACLs) instantly through conversational prompts.
- Automate onboarding and offboarding. You can generate reusable auth keys or list all users, making it simple for your agent to handle identity management without manual key generation.
- Maintain a clean inventory. Instead of manually checking logs for old machines, you can use the MCP to list tailnet devices, audit them, and securely delete decommissioned nodes by ID.
- Get immediate device context. Need to know if 'web-server-01' is running? You get specific details on any machine using the `get_device` tool without ambiguity.

## How It Works

The bottom line is that you manage complex networking tasks conversationally, treating your AI client like a dedicated administrator terminal.

1. Subscribe to this MCP and provide your Tailscale API key.
2. Your AI client uses that API key to connect directly to your tailnet's administrative layer.
3. You interact with the system using plain language prompts, and the agent executes the required command against your live infrastructure.

## Frequently Asked Questions

**How does the Tailscale MCP handle user identity?**
It gives your agent full access to list users and fetch detailed profile information using `list_users` and `get_user`. This lets you audit who is on the network without needing separate tools.

**Can I use the Tailscale MCP to modify ACL policies?**
Yes, it's designed for that. You can retrieve existing policy files using `get_tailnet_acl` and then apply changes with `update_tailnet_acl`.
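An added example, not code from this page or from Tailscale or Vinkius: because `update_tailnet_acl` is described as updating the entire policy set, a pre-apply check can diff the policy returned by `get_tailnet_acl` against the proposed one and hold back any new rule with a wildcard source or destination host. It assumes the HuJSON policy has already been converted to plain JSON and uses the `acls` / `action` / `src` / `dst` rule layout; the function names and sample policies are constructed for illustration.

```python
import json

def _rule_key(rule):
    # Canonical, order-insensitive form of one rule, so reordering is not a change.
    return (rule.get("action", ""),
            tuple(sorted(rule.get("src", []))),
            tuple(sorted(rule.get("dst", []))))

def _is_broad(key):
    # "*" as a source, or "*:<ports>" as a destination, matches every node.
    _, src, dst = key
    return "*" in src or any(d.split(":", 1)[0] == "*" for d in dst)

def review_acl_change(current_json, proposed_json):
    """Compare the policy fetched before the change with the one about to be sent."""
    current = {_rule_key(r) for r in json.loads(current_json).get("acls", [])}
    proposed = {_rule_key(r) for r in json.loads(proposed_json).get("acls", [])}
    added = sorted(proposed - current)
    removed = sorted(current - proposed)
    broad = [k for k in added if _is_broad(k)]
    return {"added": added, "removed": removed, "broad": broad,
            "needs_human_approval": bool(broad)}

# Constructed sample policies (assumption: plain JSON, not HuJSON).
CURRENT = json.dumps({"acls": [
    {"action": "accept", "src": ["group:dev"], "dst": ["tag:db:5432"]},
]})
PROPOSED = json.dumps({"acls": [
    {"action": "accept", "src": ["group:dev"], "dst": ["tag:db:5432"]},
    {"action": "accept", "src": ["bob@example.com"], "dst": ["*:*"]},
]})

if __name__ == "__main__":
    report = review_acl_change(CURRENT, PROPOSED)
    for name in ("added", "removed", "broad"):
        print(name, report[name])
    print("needs_human_approval:", report["needs_human_approval"])
```

Running the check between the fetch and the update, and logging its report, gives a record of which rules an agent-driven change added or removed.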

**What if I need to remove a device entirely?**
You use the `delete_device` tool, providing the unique ID of the machine you want gone. This ensures it's securely removed from your tailnet inventory.

**Do I need to manage keys separately if I use the MCP?**
No. The MCP handles key management directly. You can list existing keys with `list_auth_keys` or create a new one using `create_auth_key`.

**Which role should use the Tailscale MCP first?**
Security teams benefit most. They need constant visibility into who is accessing what, making the audit tools like `get_tailnet_acl` indispensable for compliance checks.