Configuration

Required

• HEADSCALE_ADDR: Headscale gRPC address (example: headscale:50443)
• HEADSCALE_API_KEY: Headscale API key
• OAUTH_CLIENT_ID: OAuth client id for callers
• OAUTH_CLIENT_SECRET: OAuth client secret for callers
• OAUTH_HMAC_SECRET: secret for signing bearer tokens

Common optional

• TAILNET_NAME (default -): user scope for key operations
• LISTEN_ADDR (default :8080): bind address
• TLS_CERT, TLS_KEY: enable HTTPS listener
• LOG_LEVEL (default info)
• ENVIRONMENT (default production)

Replica note

Current OAuth bearer token validation is in-memory by default. For reliable operation, run a single replica or ensure sticky routing for token issuance and subsequent API calls.