gateway.auth.allowTailscale: true not working in Serve mode
Summary
When using Tailscale Serve with token auth enabled, setting gateway.auth.allowTailscale: true does not bypass token authentication for Tailscale clients as documented.
Expected Behavior
Per the docs:
"the gateway trusts Tailscale identity headers by default unless you force gateway.auth.mode to password or set gateway.auth.allowTailscale: false"
Connections via Tailscale Serve should be authenticated via Tailscale identity headers when allowTailscale: true.
Actual Behavior
Connections are rejected with 1008 unauthorized even when allowTailscale: true is set.
Gateway logs show:
{
  "authMode": "token",
  "authProvided": "none",
  "authReason": "token_missing",
  "allowTailscale": true
}
The allowTailscale: true is being read from config but not honored - connections still fail with token_missing.
Configuration
{
  "gateway": {
    "port": 18789,
    "mode": "local",
    "bind": "loopback",
    "auth": {
      "mode": "token",
      "token": "xxx",
      "allowTailscale": true
    },
    "tailscale": {
      "mode": "serve",
      "resetOnExit": false
    }
  }
}
Environment
- Clawdbot version: 2026.1.11-4
- macOS (Darwin 25.0.0)
- Tailscale Serve confirmed working: https://ai-hub.bone-egret.ts.net proxies to http://127.0.0.1:18789
- Clients are on the same Tailnet (confirmed via fwd=100.x.x.x IPs in logs)
Workaround
Remove gateway.auth entirely to rely on Tailnet membership for security:
{
  "gateway": {
    "port": 18789,
    "mode": "local",
    "bind": "loopback",
    "tailscale": {
      "mode": "serve"
    }
  }
}
Additional Context
Tailscale Serve is correctly forwarding requests (identity headers should be present):
$ tailscale serve status
https://ai-hub.bone-egret.ts.net (tailnet only)
|-- / proxy http://127.0.0.1:18789
The issue may be that:
- Tailscale identity headers aren't being parsed/trusted
- The allowTailscale logic isn't being applied before token validation
- Headers are present but not in the expected format
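The check order the report expects for token mode, as an added sketch that is not Clawdbot's code: Tailscale identity is evaluated before the token, and the header is honored only when the connection comes from the local Serve proxy. The config keys and `token_missing` are from the issue; `decideAuth`, the request shape, and the other result values are assumptions.

```javascript
// Added illustration, not Clawdbot source. Config keys and "token_missing" are from
// the issue; decideAuth, the request shape and the other result values are hypothetical.
const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);

// Tailscale Serve adds Tailscale-User-Login; match the name case-insensitively.
function tailscaleLogin(headers) {
  for (const [name, value] of Object.entries(headers || {})) {
    if (name.toLowerCase() !== "tailscale-user-login") continue;
    if (typeof value === "string" && value.trim() !== "") return value.trim();
  }
  return null;
}

// Compare tokens without exiting at the first differing character.
function sameToken(a, b) {
  if (typeof a !== "string" || typeof b !== "string" || a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

function decideAuth(auth, req) {
  const allowTailscale = auth.allowTailscale !== false; // documented default: trusted
  const base = { authMode: auth.mode, allowTailscale };
  // Step 1: identity headers, checked before the token so a missing token is not fatal.
  const login = allowTailscale ? tailscaleLogin(req.headers) : null;
  // Only the local Serve proxy may vouch for identity; a remote peer could forge the header.
  if (login && LOOPBACK.has(req.remoteAddress)) {
    return { ...base, ok: true, authProvided: "tailscale", user: login };
  }
  // Step 2: fall back to the shared token.
  if (!req.token) {
    return { ...base, ok: false, authProvided: "none", authReason: "token_missing" };
  }
  const ok = sameToken(req.token, auth.token);
  return { ...base, ok, authProvided: "token", authReason: ok ? undefined : "token_mismatch" };
}

// Constructed requests evaluated against the auth block from the issue.
const issueAuth = { mode: "token", token: "xxx", allowTailscale: true };
const viaServe = { remoteAddress: "127.0.0.1", headers: { "Tailscale-User-Login": "user@example.com" } };
const noHeader = { remoteAddress: "127.0.0.1", headers: {} };
console.log(decideAuth(issueAuth, viaServe)); // accepted via Tailscale identity
console.log(decideAuth(issueAuth, noHeader)); // rejected, same fields as the log in the issue
```

Loopback origin is the only thing that distinguishes the Serve proxy in this sketch, so any other local process that can connect to the port can set the same header.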