Connect a private network with Tailscale
Give your AI employee secure access to servers, databases, or ERPs that live behind your firewall — without exposing them to the public internet.
Tailscale admin consoleWhy we ask for this
Your AI employee runs in an isolated cloud container. By default that container can only reach the public internet — it has no route to a database or ERP sitting inside your office or private cloud.
Tailscale builds a private, end-to-end-encrypted mesh (a "tailnet") between machines you own. When your workroom joins your tailnet with this key, it can reach those internal services by their private address — and nothing is exposed publicly.
We never store the key in the container image. It is held as an encrypted secret and injected only at session start, so it is revocable from the Tailscale console at any time.
Where to get your auth key
- 1Sign in to the Tailscale admin console at admin.tailscale.com.
- 2Open Settings → Keys, then click "Generate auth key".
- 3Mark it Reusable (and optionally Ephemeral so the node auto-removes when idle).
- 4Add a tag such as tag:ai-employee so you can scope what it can reach.
- 5Copy the key — it starts with "tskey-auth-". You only see it once.
- 6Paste it into the Auth Key field, then enter the internal hostname or 100.x.y.z address of the service to reach.
The auth key
The auth key authorises a new machine (your workroom) to join your tailnet. Use a Reusable key so the workroom can reconnect across sessions, and tag it so ACLs limit it to only the services it needs.
Revoke a key at any time from Settings → Keys — the workroom immediately loses access.
Target hostname
This is the machine on your tailnet that the AI employee should talk to — for example erp-server, or its Tailscale IP like 100.101.102.103.
You can find both in the Machines tab of the admin console once the device is connected.