### GET /posture/integrations/{id} Source: https://api.tailscale.com/api/v2 Gets the posture integration identified by `{id}`. OAuth Scope: `feature_settings:read`. ```markdown ### Responses #### 200 - Successful operation. **PostureIntegration** - **provider** (string (falcon|intune|jamfpro|kandji|kolide|sentinelone)): The device posture provider. Required on POST requests, ignored on PATCH requests. (example: "falcon") ("falcon"|"intune"|"jamfpro"|"kandji"|"kolide"|"sentinelone") - **cloudId** (string): Identifies which of the provider's clouds to integrate with. - For CrowdStrike Falcon, it will be one of `us-1`, `us-2`, `eu-1` or `us-gov`. - For Microsoft Intune, it will be one of `global` or `us-gov`. - For Jamf Pro, Kandji and Sentinel One, it is the FQDN of your subdomain, for example `mydomain.sentinelone.net`. - For Kolide, this is left blank. (example: "us-1") - **clientId** (string): Unique identifier for your client. - For Microsoft Intune, it will be your application's UUID. - For CrowdStrike Falcon and Jamf Pro, it will be your client id. - For Kandji, Kolide and Sentinel One, this is left blank. (example: "us-1") - **tenantId** (string): The Microsoft Intune directory (tenant) ID. For other providers, this is left blank. (example: "d1ae389b-5207-43a2-afca-2de6b03ac7e3") - **clientSecret** (string): The secret (auth key, token, etc.) used to authenticate with the provider. Required when creating a new integration, may be omitted when updating an existing integration, in which case we retain the existing password. (example: "as32598d#@%asdf") - **id** (string): A unique identifier for the integration (generated by the system). (example: "pcBEPQVMpki7DEVEL") - **configUpdated** (string): Timestamp of the last time this configuration was updated, in RFC 3339 format. (example: "2024-06-18T13:43:43.239839Z") - **status** (object): Most recent status for this integration. - **lastSync** (string): Timestamp of the last synchronization with the device posture provider, in RFC 3339 format. (example: "2024-06-18T08:44:33.872282-05:00") - **error** (string): If the last synchronization failed, this shows the error message associated with the failed synchronization. (example: "Invalid Tenant ID.\nMicrosoft error: AADSTS90002: Tenant 'd1ae389b-5207-43a2-afca-2de6b03ac7e3' not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant. Trace ID: f6237360-98a2-4889-913b-e3d80aba7d00 Correlation ID: a2024a6e-7757-4406-8a8d-1b6ac2e03ad5 Timestamp: 2024-06-18 13:44:33Z") - **providerHostCount** (integer): The number of devices known to the provider. (example: 98) - **matchedCount** (integer): The number of Tailscale nodes that were matched with provider. (example: 11) - **possibleMatchedCount** (integer): The number of Tailscale nodes with identifiers for matching. (example: 16) #### 404 - Posture integration not found, or user is not authorized to read it. **Error** - **message** (string) (required) ### Example Usage ```bash curl -X GET "https://api.tailscale.com/api/v2/posture/integrations/{id}" ``` ``` -------------------------------- ### GET /tailnet/{tailnet}/posture/integrations Source: https://api.tailscale.com/api/v2 List all of the posture integrations for a tailnet. OAuth Scope: `feature_settings:read`. ```markdown ### Responses #### 200 - Successful operation. - **integrations** (array (PostureIntegration)): List of PostureIntegrations. Array items: - **provider** (string (falcon|intune|jamfpro|kandji|kolide|sentinelone)): The device posture provider. Required on POST requests, ignored on PATCH requests. (example: "falcon") ("falcon"|"intune"|"jamfpro"|"kandji"|"kolide"|"sentinelone") - **cloudId** (string): Identifies which of the provider's clouds to integrate with. - For CrowdStrike Falcon, it will be one of `us-1`, `us-2`, `eu-1` or `us-gov`. - For Microsoft Intune, it will be one of `global` or `us-gov`. - For Jamf Pro, Kandji and Sentinel One, it is the FQDN of your subdomain, for example `mydomain.sentinelone.net`. - For Kolide, this is left blank. (example: "us-1") - **clientId** (string): Unique identifier for your client. - For Microsoft Intune, it will be your application's UUID. - For CrowdStrike Falcon and Jamf Pro, it will be your client id. - For Kandji, Kolide and Sentinel One, this is left blank. (example: "us-1") - **tenantId** (string): The Microsoft Intune directory (tenant) ID. For other providers, this is left blank. (example: "d1ae389b-5207-43a2-afca-2de6b03ac7e3") - **clientSecret** (string): The secret (auth key, token, etc.) used to authenticate with the provider. Required when creating a new integration, may be omitted when updating an existing integration, in which case we retain the existing password. (example: "as32598d#@%asdf") - **id** (string): A unique identifier for the integration (generated by the system). (example: "pcBEPQVMpki7DEVEL") - **configUpdated** (string): Timestamp of the last time this configuration was updated, in RFC 3339 format. (example: "2024-06-18T13:43:43.239839Z") - **status** (object): Most recent status for this integration. - **lastSync** (string): Timestamp of the last synchronization with the device posture provider, in RFC 3339 format. (example: "2024-06-18T08:44:33.872282-05:00") - **error** (string): If the last synchronization failed, this shows the error message associated with the failed synchronization. (example: "Invalid Tenant ID.\nMicrosoft error: AADSTS90002: Tenant 'd1ae389b-5207-43a2-afca-2de6b03ac7e3' not found. Check to make sure you have the correct tenant ID and are signing into the correct cloud. Check with your subscription administrator, this may happen if there are no active subscriptions for the tenant. Trace ID: f6237360-98a2-4889-913b-e3d80aba7d00 Correlation ID: a2024a6e-7757-4406-8a8d-1b6ac2e03ad5 Timestamp: 2024-06-18 13:44:33Z") - **providerHostCount** (integer): The number of devices known to the provider. (example: 98) - **matchedCount** (integer): The number of Tailscale nodes that were matched with provider. (example: 11) - **possibleMatchedCount** (integer): The number of Tailscale nodes with identifiers for matching. (example: 16) #### 403 - User does not have sufficient access to list posture integrations. **Error** - **message** (string) (required) ### Example Usage ```bash curl -X GET "https://api.tailscale.com/api/v2/tailnet/{tailnet}/posture/integrations" ``` ``` -------------------------------- ### GET /device/{deviceId}/device-invites Source: https://api.tailscale.com/api/v2 List all share invites for a device. OAuth Scope: `device_invites:read`. ```markdown ### Responses #### 200 - Successful operation. - Array of DeviceInvite #### 404 - Device not found. **Error** - **message** (string) (required) #### 500 - response **Error** - **message** (string) (required) #### 504 - response **Error** - **message** (string) (required) ### Example Usage ```bash curl -X GET "https://api.tailscale.com/api/v2/device/{deviceId}/device-invites" ``` ``` -------------------------------- ### GET /user-invites/{userInviteId} Source: https://api.tailscale.com/api/v2 Retrieve a specific user invite. ```markdown ### Responses #### 200 - Successful operation. **UserInvite** - **id** (string) (required): The unique identifier for the invite. Supply this value wherever `userInviteId` is indicated in the endpoint. (example: "12346") - **role** (string (member|admin|it-admin|network-admin|billing-admin|auditor)) (required): The tailnet user role to assign to the invited user upon accepting the invite. (example: "admin") ("member"|"admin"|"it-admin"|"network-admin"|"billing-admin"|"auditor") - **tailnetId** (integer (int64)) (required): The ID of the tailnet to which the user was invited. (example: 59954) - **inviterId** (integer (int64)) (required): The ID of the user who created the invite. (example: 22012) - **email** (string): The email to which the invite was sent. If empty, the invite was not emailed to anyone, but the inviteUrl can be shared manually. (example: "user@example.com") - **lastEmailSentAt** (string (date-time)): The last time the invite was attempted to be sent to Email. Only ever set if `email` is not empty. (example: "2024-04-03T21:38:49.333829261Z") - **inviteUrl** (string): Included when `email` is not part of the tailnet's domain, or when `email` is empty. It is the link to accept the invite. When included, anyone with this link can accept the invite. It is not restricted to the person to which the invite was emailed. When `email` is part of the tailnet's domain (has the same @domain.com suffix as the tailnet), the user can join the tailnet automatically by logging in with their domain email at https://login.tailscale.com/start. They'll be assigned the specified `role` upon signing in for the first time. (example: "https://login.tailscale.com/admin/invite/") #### 404 - User invite not found. **Error** - **message** (string) (required) #### 500 - response **Error** - **message** (string) (required) ### Example Usage ```bash curl -X GET "https://api.tailscale.com/api/v2/user-invites/{userInviteId}" ``` ``` -------------------------------- ### GET /device/{deviceId} Source: https://api.tailscale.com/api/v2 Retrieve the details for the specified device. OAuth Scope: `devices:core:read`. ```markdown ### Parameters - **fields** (string (all|default), query, optional): Optionally controls whether the response returns **all** fields or only a predefined subset of fields. Currently, there are two supported options: - **`all`:** return all fields in the response - **`default`:** return the following fields - `addresses` - `id` - `nodeId` - `user` - `name` - `hostname` - `clientVersion` - `updateAvailable` - `os` - `created` - `connectedToControl` - `lastSeen` - `keyExpiryDisabled` - `expires` - `authorized` - `isExternal` - `machineKey` - `nodeKey` - `blocksIncomingConnections` - `tailnetLockKey` - `tailnetLockError` - `tags` - `isEphemeral` If the `fields` parameter is not supplied, then the default (limited fields) option is used. (example: "all") ### Responses #### 200 - Successful operation. **Device** - **addresses** (array (string)): A list of Tailscale IP addresses for the device, including both IPv4 (formatted as 100.x.y.z) and IPv6 (formatted as fd7a:115c:a1e0:a:b:c:d:e) addresses. (example: ["100.87.74.78","fd7a:115c:a1e0:ac82:4843:ca90:697d:c36e"]) - **id** (string): The legacy identifier for a device; you can supply this value wherever {deviceId} is indicated in the endpoint. Note that although "id" is still accepted, "nodeId" is preferred. (example: "92960230385") - **nodeId** (string): The preferred identifier for a device; supply this value wherever {deviceId} is indicated in the endpoint. (example: "n292kg92CNTRL") - **user** (string): The user who registered the node. For untagged nodes, this user is the device owner. (example: "amelie@example.com") - **name** (string): The MagicDNS name of the device. Learn more about MagicDNS at https://tailscale.com/kb/1081/. (example: "pangolin.tailfe8c.ts.net") - **hostname** (string): The machine name in the admin console. Learn more about machine names at https://tailscale.com/kb/1098/. (example: "pangolin") - **clientVersion** (string): The version of the Tailscale client software; this is empty for external devices. (example: "v1.36.0") - **updateAvailable** (boolean): 'true' if a Tailscale client version upgrade is available. This value is empty for external devices. (example: false) - **os** (string): The operating system that the device is running. (example: "linux") - **created** (string (date-time)): The date on which the device was added to the tailnet; this is empty for external devices. (example: "2022-12-01T05:23:30Z") - **connectedToControl** (boolean): Indicates if the device recently maintained a TCP connection to the Tailscale control server. (example: true) - **lastSeen** (string (date-time)): When the device was last connected to the Tailscale control server. Omitted if the device has never been online or `connectedToControl` is true. (example: "2022-12-01T05:23:30Z") - **keyExpiryDisabled** (boolean): 'true' if the keys for the device will not expire. Learn more at https://tailscale.com/kb/1028/. (example: false) - **expires** (string (date-time)): The expiration date of the device's auth key. Learn more about key expiry at https://tailscale.com/kb/1028/. (example: "2023-05-30T04:44:05Z") - **authorized** (boolean): 'true' if the device has been authorized to join the tailnet; otherwise, 'false'. Learn more about device authorization at https://tailscale.com/kb/1099/. (example: false) - **isExternal** (boolean): 'true', indicates that a device is not a member of the tailnet, but is shared in to the tailnet; if 'false', the device is a member of the tailnet. Learn more about node sharing at https://tailscale.com/kb/1084/. (example: false) - **multipleConnections** (boolean): 'true', indicates that multiple devices are currently connected using the same node key, which is usually a sign of node state being copied between machines. If only one device is connected using this node's key, the field is omitted. If the number of live connections goes back to 0 or 1, this field is also omitted, meaning it's not sticky. In case an attacker steals node state from a legitimate node, they can mask their activities by not connecting concurrently with the legitimate node. (example: true) - **machineKey** (string): For internal use and is not required for any API operations. This value is empty for external devices. (example: "") - **nodeKey** (string): Mostly for internal use, required for select operations, such as adding a node to a locked tailnet. Learn about tailnet locks at https://tailscale.com/kb/1226/. (example: "nodekey:01234567890abcdef") - **blocksIncomingConnections** (boolean): 'true' if the device is not allowed to accept any connections over Tailscale, including pings. Learn more in the "Allow incoming connections" section of https://tailscale.com/kb/1072/. (example: false) - **enabledRoutes** (array (string)): The subnet routes for this device that have been approved by a tailnet admin. Learn more about subnet routes at https://tailscale.com/kb/1019/. (example: ["10.0.0.0/16","192.168.1.0/24"]) - **advertisedRoutes** (array (string)): The subnets this device requests to expose. Learn more about subnet routes at https://tailscale.com/kb/1019/. (example: ["10.0.0.0/16","192.168.1.0/24"]) - **clientConnectivity** (object): clientConnectivity provides a report on the device's current physical network conditions. (example: {"endpoints":["199.9.14.201:59128","192.68.0.21:59128"],"latency":{"Dallas":{"latencyMs":60.463043},"New York City":{"preferred":true,"latencyMs":31.323811}},"mappingVariesByDestIP":false,"clientSupports":{"hairPinning":null,"ipv6":false,"pcp":false,"pmp":false,"udp":false,"upnp":false}}) - **endpoints** (array (string)): Client's magicsock UDP IP:port endpoints (IPv4 or IPv6). (example: ["199.9.14.201:59128","192.68.0.21:59128"]) - **mappingVariesByDestIP** (boolean): 'true' if the host's NAT mappings vary based on the destination IP. (example: false) - **latency** (object): Map of DERP server locations and their current latency. (example: {"Dallas":{"latencyMs":60.463043},"New York City":{"preferred":true,"latencyMs":31.323811}}) - **clientSupports** (object): Identifies features supported by the client. - **hairPinning** (boolean,null): This information is no longer tracked and will always be null. (example: null) - **ipv6** (boolean,null): 'true' if the device OS supports IPv6, regardless of whether IPv6 internet connectivity is available. (example: false) - **pcp** (boolean,null): 'true' if PCP port-mapping service exists on your router. (example: false) - **pmp** (boolean,null): 'true' if NAT-PMP port-mapping service exists on your router. (example: false) - **udp** (boolean,null): 'true' if UDP traffic is enabled on the current network; if 'false', Tailscale may be unable to make direct connections, and will rely on our DERP servers. (example: false) - **upnp** (boolean,null): 'true' if UPnP port-mapping service exists on your router. (example: false) - **tags** (array (string)): Lets you assign an identity to a device that is separate from human users, and use it as part of an ACL to restrict access. Once a device is tagged, the tag is the owner of that device. A single node can have multiple tags assigned. This value is empty for external devices. Learn more about tags at https://tailscale.com/kb/1068/. (example: ["tag:golink"]) - **tailnetLockError** (string): Indicates an issue with the tailnet lock node-key signature on this device. This field is only populated when tailnet lock is enabled. (example: "") - **tailnetLockKey** (string): The node's tailnet lock key. Every node generates a tailnet lock key (so the value will be present) even if tailnet lock is not enabled. Learn more about tailnet lock at https://tailscale.com/kb/1226/. (example: "") - **sshEnabled** (boolean): 'true' if Tailscale SSH is enabled on this device. Learn more about Tailscale SSH at https://tailscale.com/kb/1193/. (example: false) - **postureIdentity** (object): Contains extra identifiers from the device when the tailnet it is connected to has device posture identification collection enabled. If the device has not opted-in to posture identification collection, this will contain {"disabled": true}. Learn more about posture identity at https://tailscale.com/kb/1326/device-identity. (example: {"serialNumbers":["CP74LFQJXM"]}) - **serialNumbers** (array (string)) (example: ["CP74LFQJXM"]) - **disabled** (boolean) - **isEphemeral** (boolean): 'true' if the device is ephemeral. Learn more about ephemeral nodes at https://tailscale.com/kb/1111/ephemeral-nodes. (example: false) - **distro** (object): distro provides details of the operating system distribution, if available. (example: {"name":"ubuntu","version":"25.04","codeName":"Plucky Puffin"}) - **name** (string): The operating system distribution that the device is running. (example: "ubuntu") - **version** (string): The operating system distribution version that the device is running. (example: "25.04") - **codeName** (string): The operating system distribution code name that the device is running. (example: "Plucky Puffin") #### 400 - Invalid ID supplied. **Error** - **message** (string) (required) #### 404 - Device not found. **Error** - **message** (string) (required) #### 500 - response **Error** - **message** (string) (required) #### 504 - response **Error** - **message** (string) (required) ### Example Usage ```bash curl -X GET "https://api.tailscale.com/api/v2/device/{deviceId}?fields=all" ``` ``` -------------------------------- ### GET /tailnet/{tailnet}/services/{serviceName}/devices Source: https://api.tailscale.com/api/v2 List all devices that are hosting the specified Service. OAuth Scope: `services`, `devices:core`. ```markdown ### Responses #### 200 - Successful operation. - **hosts** (array (ServiceHostInfo)) Array items: - **stableNodeID** (string): The preferred identifier for a device. (example: "n292kg92CNTRL") - **approvalLevel** (string (not-approved|approved:auto|approved:manual)): The approval level of the device hosting the Service. ("not-approved"|"approved:auto"|"approved:manual") - **configured** (string): The configuration status of the device hosting the Service. (example: "ready") #### 400 - Invalid parameters or no permission to Services. **Error** - **message** (string) (required) #### 403 - Access to the Service or devices is forbidden. **Error** - **message** (string) (required) #### 404 - Service not found. **Error** - **message** (string) (required) #### 500 - response **Error** - **message** (string) (required) #### 504 - response **Error** - **message** (string) (required) ### Example Usage ```bash curl -X GET "https://api.tailscale.com/api/v2/tailnet/{tailnet}/services/{serviceName}/devices" ``` ``` -------------------------------- ### GET /tailnet/{tailnet}/user-invites Source: https://api.tailscale.com/api/v2 List all open (not yet accepted) user invites to the tailnet. ```markdown ### Responses #### 200 - Successful operation. - Array of UserInvite #### 404 - Tailnet not found. **Error** - **message** (string) (required) #### 500 - response **Error** - **message** (string) (required) ### Example Usage ```bash curl -X GET "https://api.tailscale.com/api/v2/tailnet/{tailnet}/user-invites" ``` ``` -------------------------------- ### GET /device-invites/{deviceInviteId} Source: https://api.tailscale.com/api/v2 Retrieve a specific device invite. OAuth Scope: `device_invites:read`. ```markdown ### Responses #### 200 - Successful operation. **DeviceInvite** - **id** (string): The unique identifier for the invite. Supply this value wherever {deviceInviteId} is indicated in the endpoint. (example: "12346") - **created** (string (date-time)): The creation time of the invite. (example: "2024-04-03T21:38:49.333829261Z") - **tailnetId** (integer (int64)): The ID of the tailnet to which the shared device belongs. (example: 59954) - **deviceId** (integer (int64)): The ID of the device being shared. (example: 11055) - **sharerId** (integer (int64)): The ID of the user who created the share invite. (example: 22012) - **multiUse** (boolean): Specifies whether this device invite can be accepted more than once. (example: false) - **allowExitNode** (boolean): Specifies whether the invited user is able to use the device as an exit node when the device is advertising as one. (example: false) - **email** (string): The email to which the invite was sent. If empty, the invite was not emailed to anyone, but the inviteUrl can be shared manually. (example: "user@example.com") - **lastEmailSentAt** (string (date-time)): The last time the invite was attempted to be sent to Email. Only ever set if `email` is not empty. (example: "2024-04-03T21:38:49.333829261Z") - **inviteUrl** (string): The link to accept the invite. Anyone with this link can accept the invite. It is not restricted to the person to which the invite was emailed. (example: "https://login.tailscale.com/admin/invite/") - **accepted** (boolean): `true` when the share invite has been accepted. (example: false) - **acceptedBy** (object): Set when the invite has been accepted. It holds information about the user who accepted the share invite. - **id** (integer (int64)): The ID of the user who accepted the share invite. (example: 33223) - **loginName** (string): The login name of the user who accepted the share invite. (example: "someone@example.com") - **profilePicUrl** (string): The profile pic URL for the user who accepted the share invite. (example: "") #### 404 - Device invite not found. **Error** - **message** (string) (required) #### 500 - response **Error** - **message** (string) (required) ### Example Usage ```bash curl -X GET "https://api.tailscale.com/api/v2/device-invites/{deviceInviteId}" ``` ``` -------------------------------- ### GET /tailnet/{tailnet}/devices Source: https://api.tailscale.com/api/v2 Lists the devices in a tailnet. OAuth Scope: `devices:core:read`. ```markdown ### Responses #### 200 - Successful operation. - **devices** (array (Device)) Array items: - **addresses** (array (string)): A list of Tailscale IP addresses for the device, including both IPv4 (formatted as 100.x.y.z) and IPv6 (formatted as fd7a:115c:a1e0:a:b:c:d:e) addresses. (example: ["100.87.74.78","fd7a:115c:a1e0:ac82:4843:ca90:697d:c36e"]) - **id** (string): The legacy identifier for a device; you can supply this value wherever {deviceId} is indicated in the endpoint. Note that although "id" is still accepted, "nodeId" is preferred. (example: "92960230385") - **nodeId** (string): The preferred identifier for a device; supply this value wherever {deviceId} is indicated in the endpoint. (example: "n292kg92CNTRL") - **user** (string): The user who registered the node. For untagged nodes, this user is the device owner. (example: "amelie@example.com") - **name** (string): The MagicDNS name of the device. Learn more about MagicDNS at https://tailscale.com/kb/1081/. (example: "pangolin.tailfe8c.ts.net") - **hostname** (string): The machine name in the admin console. Learn more about machine names at https://tailscale.com/kb/1098/. (example: "pangolin") - **clientVersion** (string): The version of the Tailscale client software; this is empty for external devices. (example: "v1.36.0") - **updateAvailable** (boolean): 'true' if a Tailscale client version upgrade is available. This value is empty for external devices. (example: false) - **os** (string): The operating system that the device is running. (example: "linux") - **created** (string (date-time)): The date on which the device was added to the tailnet; this is empty for external devices. (example: "2022-12-01T05:23:30Z") - **connectedToControl** (boolean): Indicates if the device recently maintained a TCP connection to the Tailscale control server. (example: true) - **lastSeen** (string (date-time)): When the device was last connected to the Tailscale control server. Omitted if the device has never been online or `connectedToControl` is true. (example: "2022-12-01T05:23:30Z") - **keyExpiryDisabled** (boolean): 'true' if the keys for the device will not expire. Learn more at https://tailscale.com/kb/1028/. (example: false) - **expires** (string (date-time)): The expiration date of the device's auth key. Learn more about key expiry at https://tailscale.com/kb/1028/. (example: "2023-05-30T04:44:05Z") - **authorized** (boolean): 'true' if the device has been authorized to join the tailnet; otherwise, 'false'. Learn more about device authorization at https://tailscale.com/kb/1099/. (example: false) - **isExternal** (boolean): 'true', indicates that a device is not a member of the tailnet, but is shared in to the tailnet; if 'false', the device is a member of the tailnet. Learn more about node sharing at https://tailscale.com/kb/1084/. (example: false) - **multipleConnections** (boolean): 'true', indicates that multiple devices are currently connected using the same node key, which is usually a sign of node state being copied between machines. If only one device is connected using this node's key, the field is omitted. If the number of live connections goes back to 0 or 1, this field is also omitted, meaning it's not sticky. In case an attacker steals node state from a legitimate node, they can mask their activities by not connecting concurrently with the legitimate node. (example: true) - **machineKey** (string): For internal use and is not required for any API operations. This value is empty for external devices. (example: "") - **nodeKey** (string): Mostly for internal use, required for select operations, such as adding a node to a locked tailnet. Learn about tailnet locks at https://tailscale.com/kb/1226/. (example: "nodekey:01234567890abcdef") - **blocksIncomingConnections** (boolean): 'true' if the device is not allowed to accept any connections over Tailscale, including pings. Learn more in the "Allow incoming connections" section of https://tailscale.com/kb/1072/. (example: false) - **enabledRoutes** (array (string)): The subnet routes for this device that have been approved by a tailnet admin. Learn more about subnet routes at https://tailscale.com/kb/1019/. (example: ["10.0.0.0/16","192.168.1.0/24"]) - **advertisedRoutes** (array (string)): The subnets this device requests to expose. Learn more about subnet routes at https://tailscale.com/kb/1019/. (example: ["10.0.0.0/16","192.168.1.0/24"]) - **clientConnectivity** (object): clientConnectivity provides a report on the device's current physical network conditions. (example: {"endpoints":["199.9.14.201:59128","192.68.0.21:59128"],"latency":{"Dallas":{"latencyMs":60.463043},"New York City":{"preferred":true,"latencyMs":31.323811}},"mappingVariesByDestIP":false,"clientSupports":{"hairPinning":null,"ipv6":false,"pcp":false,"pmp":false,"udp":false,"upnp":false}}) - **endpoints** (array (string)): Client's magicsock UDP IP:port endpoints (IPv4 or IPv6). (example: ["199.9.14.201:59128","192.68.0.21:59128"]) - **mappingVariesByDestIP** (boolean): 'true' if the host's NAT mappings vary based on the destination IP. (example: false) - **latency** (object): Map of DERP server locations and their current latency. (example: {"Dallas":{"latencyMs":60.463043},"New York City":{"preferred":true,"latencyMs":31.323811}}) - **clientSupports** (object): Identifies features supported by the client. - **hairPinning** (boolean,null): This information is no longer tracked and will always be null. (example: null) - **ipv6** (boolean,null): 'true' if the device OS supports IPv6, regardless of whether IPv6 internet connectivity is available. (example: false) - **pcp** (boolean,null): 'true' if PCP port-mapping service exists on your router. (example: false) - **pmp** (boolean,null): 'true' if NAT-PMP port-mapping service exists on your router. (example: false) - **udp** (boolean,null): 'true' if UDP traffic is enabled on the current network; if 'false', Tailscale may be unable to make direct connections, and will rely on our DERP servers. (example: false) - **upnp** (boolean,null): 'true' if UPnP port-mapping service exists on your router. (example: false) - **tags** (array (string)): Lets you assign an identity to a device that is separate from human users, and use it as part of an ACL to restrict access. Once a device is tagged, the tag is the owner of that device. A single node can have multiple tags assigned. This value is empty for external devices. Learn more about tags at https://tailscale.com/kb/1068/. (example: ["tag:golink"]) - **tailnetLockError** (string): Indicates an issue with the tailnet lock node-key signature on this device. This field is only populated when tailnet lock is enabled. (example: "") - **tailnetLockKey** (string): The node's tailnet lock key. Every node generates a tailnet lock key (so the value will be present) even if tailnet lock is not enabled. Learn more about tailnet lock at https://tailscale.com/kb/1226/. (example: "") - **sshEnabled** (boolean): 'true' if Tailscale SSH is enabled on this device. Learn more about Tailscale SSH at https://tailscale.com/kb/1193/. (example: false) - **postureIdentity** (object): Contains extra identifiers from the device when the tailnet it is connected to has device posture identification collection enabled. If the device has not opted-in to posture identification collection, this will contain {"disabled": true}. Learn more about posture identity at https://tailscale.com/kb/1326/device-identity. (example: {"serialNumbers":["CP74LFQJXM"]}) - **serialNumbers** (array (string)) (example: ["CP74LFQJXM"]) - **disabled** (boolean) - **isEphemeral** (boolean): 'true' if the device is ephemeral. Learn more about ephemeral nodes at https://tailscale.com/kb/1111/ephemeral-nodes. (example: false) - **distro** (object): distro provides details of the operating system distribution, if available. (example: {"name":"ubuntu","version":"25.04","codeName":"Plucky Puffin"}) - **name** (string): The operating system distribution that the device is running. (example: "ubuntu") - **version** (string): The operating system distribution version that the device is running. (example: "25.04") - **codeName** (string): The operating system distribution code name that the device is running. (example: "Plucky Puffin") #### 404 - Tailnet not found. **Error** - **message** (string) (required) #### 500 - response **Error** - **message** (string) (required) #### 504 - Request took too long to process, please try again later. **Error** - **message** (string) (required) ### Example Usage ```bash curl -X GET "https://api.tailscale.com/api/v2/tailnet/{tailnet}/devices" ``` ```