{"slug":"jit-access-with-opal","title":"JIT access with Opal","tags":["tailscale","access-control"],"agent_summary":"Last validated: Jan 5, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# JIT access with Opal\r\n\r\nLast validated: Jan 5, 2026\r\n\r\n[Opal](https://opal.dev/) is a centralized authorization platform for IT and infrastructure teams to make access\r\nmanagement requests self-service.\r\n\r\nOn-demand access to Tailscale resources can be provisioned using Opal. This works by adding and\r\nremoving members from [SSH access rules](https://tailscale.com/docs/reference/syntax/policy-file#ssh)\r\nfor [tags](https://tailscale.com/docs/features/tags) in Tailscale [access control policies](https://tailscale.com/docs/features/access-control).\r\n\r\nYou can use Opal with [user & group provisioning](https://tailscale.com/docs/features/user-group-provisioning) to update [SCIM-integrated](https://tailscale.com/learn/what-is-scim) group membership in groups used in\r\nTailscale access control policies. Likewise, you can use Opal to assign a user to the Tailscale application, with the user synced through SCIM to your Tailscale network.\r\n\r\n## [Prerequisites](https://tailscale.com/docs/integrations/jit-opal\\#prerequisites)\r\n\r\nBefore you begin this guide, you'll need a tailnet and an Opal account.\r\n\r\n- For information about creating a tailnet, refer to the [Tailscale quickstart](https://tailscale.com/docs/how-to/quickstart).\r\n\r\n- For information about creating an Opal account, refer to the [Opal](https://opal.dev/) documentation.\r\n\r\n\r\n## [Integration](https://tailscale.com/docs/integrations/jit-opal\\#integration)\r\n\r\nRefer to the full instructions in Opal's [blog post](https://www.opal.dev/blog/tailscale) for setting up an integration with Tailscale.\r\n\r\nTo use Opal with Tailscale, you'll need to:\r\n\r\n1. Generate a Tailscale [API access token](https://tailscale.com/docs/reference/tailscale-api) from the [Keys](https://login.tailscale.com/admin/settings/keys) page of the admin console.\r\n2. In Opal, [add Tailscale as a new application](https://app.opal.dev/apps/create/tailscale).\r\n1. Set the **App Admin** to the team that should manage the Tailscale app in Opal.\r\n2. Enter a **Description** of how you use Tailscale, so colleagues know what they're requesting access to. For example,\r\n      \"SSH access to the production network\".\r\n3. Set the **Tailnet name** to be your tailnet ID. You can find your tailnet ID in the [General](https://login.tailscale.com/admin/settings/general) page of the admin console.\r\n4. Set the **Tailscale API key** to the Tailscale API access token you generated.\r\n3. Determine which Tailscale [tags](https://tailscale.com/docs/features/tags) should be imported into Opal. This is done by the App Admin. For each\r\ntag that is selected, Opal will automatically parse the existing [access rules](https://tailscale.com/docs/reference/syntax/policy-file#acls) and\r\n[SSH access rules](https://tailscale.com/docs/reference/syntax/policy-file#ssh) that apply to that tag, and which [groups](https://tailscale.com/docs/reference/syntax/policy-file#groups) have access to the tagged\r\nsources using those rules.\r\n\r\nNow a user can request access or SSH access to a specific tag in Tailscale, and Opal will update the [tailnet policy file](https://tailscale.com/docs/reference/syntax/policy-file) to allow the temporary access.\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>JIT access with Opal</h1>\n<p>Last validated: Jan 5, 2026</p>\n<p><a href=\"https://opal.dev/\">Opal</a> is a centralized authorization platform for IT and infrastructure teams to make access\r\nmanagement requests self-service.</p>\n<p>On-demand access to Tailscale resources can be provisioned using Opal. This works by adding and\r\nremoving members from <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#ssh\">SSH access rules</a>\r\nfor <a href=\"https://tailscale.com/docs/features/tags\">tags</a> in Tailscale <a href=\"https://tailscale.com/docs/features/access-control\">access control policies</a>.</p>\n<p>You can use Opal with <a href=\"https://tailscale.com/docs/features/user-group-provisioning\">user &#x26; group provisioning</a> to update <a href=\"https://tailscale.com/learn/what-is-scim\">SCIM-integrated</a> group membership in groups used in\r\nTailscale access control policies. Likewise, you can use Opal to assign a user to the Tailscale application, with the user synced through SCIM to your Tailscale network.</p>\n<h2><a href=\"https://tailscale.com/docs/integrations/jit-opal#prerequisites\">Prerequisites</a></h2>\n<p>Before you begin this guide, you'll need a tailnet and an Opal account.</p>\n<ul>\n<li>\n<p>For information about creating a tailnet, refer to the <a href=\"https://tailscale.com/docs/how-to/quickstart\">Tailscale quickstart</a>.</p>\n</li>\n<li>\n<p>For information about creating an Opal account, refer to the <a href=\"https://opal.dev/\">Opal</a> documentation.</p>\n</li>\n</ul>\n<h2><a href=\"https://tailscale.com/docs/integrations/jit-opal#integration\">Integration</a></h2>\n<p>Refer to the full instructions in Opal's <a href=\"https://www.opal.dev/blog/tailscale\">blog post</a> for setting up an integration with Tailscale.</p>\n<p>To use Opal with Tailscale, you'll need to:</p>\n<ol>\n<li>Generate a Tailscale <a href=\"https://tailscale.com/docs/reference/tailscale-api\">API access token</a> from the <a href=\"https://login.tailscale.com/admin/settings/keys\">Keys</a> page of the admin console.</li>\n<li>In Opal, <a href=\"https://app.opal.dev/apps/create/tailscale\">add Tailscale as a new application</a>.</li>\n<li>Set the <strong>App Admin</strong> to the team that should manage the Tailscale app in Opal.</li>\n<li>Enter a <strong>Description</strong> of how you use Tailscale, so colleagues know what they're requesting access to. For example,\r\n\"SSH access to the production network\".</li>\n<li>Set the <strong>Tailnet name</strong> to be your tailnet ID. You can find your tailnet ID in the <a href=\"https://login.tailscale.com/admin/settings/general\">General</a> page of the admin console.</li>\n<li>Set the <strong>Tailscale API key</strong> to the Tailscale API access token you generated.</li>\n<li>Determine which Tailscale <a href=\"https://tailscale.com/docs/features/tags\">tags</a> should be imported into Opal. This is done by the App Admin. For each\r\ntag that is selected, Opal will automatically parse the existing <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#acls\">access rules</a> and\r\n<a href=\"https://tailscale.com/docs/reference/syntax/policy-file#ssh\">SSH access rules</a> that apply to that tag, and which <a href=\"https://tailscale.com/docs/reference/syntax/policy-file#groups\">groups</a> have access to the tagged\r\nsources using those rules.</li>\n</ol>\n<p>Now a user can request access or SSH access to a specific tag in Tailscale, and Opal will update the <a href=\"https://tailscale.com/docs/reference/syntax/policy-file\">tailnet policy file</a> to allow the temporary access.</p>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}