Waypoint

Identity-based database access on your tailnet — no passwords on the client.

Waypoint is a database proxy that sits on your tailnet between clients and backend databases. It authenticates every connection using the caller’s Tailscale identity, checks ACL capability grants (redo.com/cap/waypoint), and dynamically provisions scoped backend users — so clients never need passwords or static credentials.

Tailscale-native auth

Identifies callers via tsnet and WhoIs, and evaluates capability grants from your ACL policy.

Postgres mode

Intercepts the PG wire protocol; provisions per-user roles with scoped GRANTs and TTL-based cleanup.

MongoDB mode

Provisions scoped MongoDB users (or selects pre-created static users on Atlas); rewrites replica-set topology so clients stay on the proxy.

TCP mode

Transparent L4 proxy for any TCP backend — MySQL, Redis, anything else.

Per-user limits

Concurrent connection caps, byte budgets, and duration ceilings — enforced cross-instance via Redis.

OpenTelemetry

Opt-in metrics and traces over OTLP, with per-metric tag allow-lists.