Tailscale

Connect Tailscale to Ploy to manage users and groups via Tailscale ACL files. Ploy imports your Tailscale users, reads group memberships from your ACL policy, and can update user roles and group assignments.

Prerequisites

• Admin access to your Tailscale tailnet.

• An OAuth client in Tailscale with access to read users and manage ACLs.

Get your Tailscale credentials

In the Tailscale admin console, create an OAuth client for Ploy or use an existing one that has access to your tailnet. Copy the following values:

• Tailnet DNS name — the name shown in the Tailscale admin console under Settings → General → Tailnet name. It looks like example.com.

• Client ID — the OAuth client ID.

• Client Secret — the OAuth client secret.

Connect in Ploy

1. In Ploy, go to Integrations and select Tailscale.

2. Enter your Tailnet Name.

3. Enter your Client ID.

4. Enter your Client Secret.

5. Save and test the connection.

What Ploy syncs

• Users — including display name, login name, role, status, device count, last seen time, and current connection status.

• Groups — group names and memberships from your ACL policy.

• Roles — owner, admin, member, it-admin, network-admin, billing-admin, and auditor.

What you can automate

• Change a user's role in Tailscale.

• Manage group memberships by updating Tailscale ACL files.

Limitations and caveats

• Removing a role in Ploy demotes the user to member. It does not delete the user from Tailscale.

• ACL updates use ETag-based locking. Simultaneous changes to the same tailnet's ACL can conflict.

Troubleshooting