
Tailscale

The [tailscale] section controls how Waypoint joins the tailnet as a tsnet node. [test: TestValidate_MissingHostname, internal/config/config_test.go:189]

[tailscale]
hostname = "waypoint-db"
state_dir = "/var/lib/waypoint/tsnet"
# auth_key = "${TS_AUTHKEY}"
# control_url = "https://controlplane.tailscale.com"
# ephemeral = false
# advertise_tags = ["tag:waypoint"]

hostname: the MagicDNS name Waypoint registers as. Clients reach Waypoint at <hostname>.<tailnet>.ts.net.

state_dir: where tsnet persists its node state (keys, peer cache). Treat it as durable storage; losing it forces re-authentication.

Pick one of three authentication methods: an auth key, an OAuth client secret, or WIF.

auth_key = "${TS_AUTHKEY}"

Or set TS_AUTHKEY in the environment. [test: TestLoad_TailscaleAuthKeyEnvExpansion, internal/config/config_test.go:453] The key should be tagged with the same tag the node will advertise (e.g. tag:waypoint). [test: TestValidate_AuthKey, internal/tsconfig/tsconfig_test.go:16]

client_secret = "${TS_CLIENT_SECRET}"
advertise_tags = ["tag:waypoint"]

The OAuth method requires advertise_tags. [test: TestValidate_OAuthMissingTags, internal/tsconfig/tsconfig_test.go:33] The OAuth client’s owner must be allowed to assert those tags. [test: TestValidate_OAuth, internal/tsconfig/tsconfig_test.go:23]

For workloads with federated identity (GCP, GitHub Actions, etc.):

client_id = "your-client-id"
id_token = "${WIF_ID_TOKEN}"
audience = "https://login.tailscale.com"
advertise_tags = ["tag:waypoint"]

WIF requires client_id [test: TestValidate_WIFMissingClientID, internal/tsconfig/tsconfig_test.go:62] and advertise_tags. [test: TestValidate_WIFMissingTags, internal/tsconfig/tsconfig_test.go:72] Pick exactly one authentication method: combining an auth key with OAuth or WIF is rejected at load. [test: TestValidate_ConflictingMethods, internal/tsconfig/tsconfig_test.go:82]
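The validation rules described above can be expressed as a single load-time check. This is an added example, not Waypoint's own code: the TailscaleConfig type, its field names and the Validate method are hypothetical, and the way a method is detected from which keys are set is an assumption.

```go
package main

import (
	"errors"
	"fmt"
)

// TailscaleConfig mirrors the [tailscale] keys on this page. The type and
// Validate are hypothetical names for illustration, not Waypoint's own code.
type TailscaleConfig struct {
	Hostname, StateDir, AuthKey     string
	ClientSecret, ClientID, IDToken string
	AdvertiseTags                   []string
}

// Validate applies the rules stated above. Assumption: a file with no method
// set is accepted, because TS_AUTHKEY may be supplied by the environment.
func (c TailscaleConfig) Validate() error {
	if c.Hostname == "" {
		return errors.New("tailscale: hostname is required")
	}
	oauth := c.ClientSecret != ""
	// Assumption: id_token, or client_id without client_secret, selects WIF.
	wif := c.IDToken != "" || (c.ClientID != "" && !oauth)
	methods := 0
	for _, set := range []bool{c.AuthKey != "", oauth, wif} {
		if set {
			methods++
		}
	}
	switch {
	case methods > 1:
		return errors.New("tailscale: conflicting authentication methods")
	case oauth && len(c.AdvertiseTags) == 0:
		return errors.New("tailscale: OAuth requires advertise_tags")
	case wif && c.ClientID == "":
		return errors.New("tailscale: WIF requires client_id")
	case wif && len(c.AdvertiseTags) == 0:
		return errors.New("tailscale: WIF requires advertise_tags")
	}
	return nil
}

func main() {
	// Constructed sample: an auth key and an OAuth secret set together.
	bad := TailscaleConfig{Hostname: "waypoint-db", AuthKey: "k", ClientSecret: "s",
		AdvertiseTags: []string{"tag:waypoint"}}
	fmt.Println(bad.Validate())
}
```

Rejecting conflicting methods at load, rather than silently preferring one, keeps it unambiguous which credential and which tags the node actually joined with.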

ephemeral: when true, the tsnet node is removed from the tailnet when Waypoint exits. Use it for short-lived test instances; leave it false for long-running deployments so state stays predictable across restarts.