{"slug":"what-is-aperture","title":"What is Aperture?","tags":["tailscale"],"agent_summary":"Last validated: Apr 9, 2026","trigger_phrases":[],"runnable":false,"markdown":"\r\n# What is Aperture?\r\n\r\nLast validated: Apr 9, 2026\r\n\r\nAperture by Tailscaleis currently [in alpha](https://tailscale.com/docs/reference/tailscale-release-stages#alpha).\r\n\r\nAs organizations adopt AI across development, automation, and internal tools, they face new challenges around security, visibility, and control. API keys are often scattered across developer devices, CI/CD (continuous integration/continuous delivery) systems, and automated agents, increasing the risk of leaks and making credentials difficult to rotate or audit. Teams lack clear insight into who is using which models, how frequently, and at what cost. This makes it difficult for security, platform, and compliance teams to support AI usage at scale without slowing developers down.\r\n\r\nAperture by Tailscale addresses these challenges with a centralized AI gateway that secures, monitors, and routes LLM requests across your organization. Aperture uses [Tailscale's identity layer](https://tailscale.com/docs/concepts/tailscale-identity) to automatically authenticate users, eliminating the need to distribute API keys. It injects provider credentials for users and automated agents and routes requests to upstream LLM providers such as OpenAI, Anthropic, and Google, without requiring changes to existing tools or workflows.\r\n\r\n## [Use cases](https://tailscale.com/docs/aperture/what-is-aperture\\#use-cases)\r\n\r\nAperture addresses common challenges organizations face when adopting LLM clients.\r\n\r\n- **Centralized API key management**\r\n\r\nDistributing API keys to developers creates security risks and an administrative burden. Keys get committed to repositories, shared insecurely, or forgotten when employees leave.\r\n\r\nAperture centralizes API keys in the [server configuration](https://tailscale.com/docs/aperture/configuration). Clients connect through the proxy without needing provider credentials. User identity comes from Tailscale's identity layer, which automatically identifies users based on their device.\r\n\r\n- **Visibility into LLM usage**\r\n\r\nGain visibility into how engineering teams adopt LLM-powered tools. Aperture lets you answer questions such as:\r\n\r\n\r\n  - How many tokens did we use last month?\r\n  - Which models are teams using?\r\n  - What does the breakdown of our LLM spend look like?\r\n\r\nAperture captures every request with user attribution, model identification, and token counts. The [Aperture dashboard](https://tailscale.com/docs/aperture/reference/dashboard) aggregates this data by user, model, and time period.\r\n\r\n- **Cost tracking**\r\n\r\nLLM API costs scale with token usage, but tracking consumption across tools and providers requires aggregating data from each source individually. Developers might not realize how much their workflows cost, and finance teams lack the data to forecast budgets.\r\n\r\nAperture extracts token usage from every response, including input, output, cached, and reasoning tokens. This data feeds into dashboards and [exports](https://tailscale.com/docs/aperture/how-to/export-usage-data-to-s3) for cost analysis. You can also [set budgets and per-user spending limits](https://tailscale.com/docs/aperture/manage-spending) to prevent cost overruns.\r\n\r\n- **Adoption analytics**\r\n\r\nGather adoption insights and answer questions such as:\r\n\r\n\r\n  - Which teams are using the tools? How frequently?\r\n  - Are there users who tried a tool one time and stopped?\r\n\r\nThe [**Adoption** page](https://tailscale.com/docs/aperture/reference/dashboard) of the Aperture dashboard shows organization-wide usage patterns, active users over time, and histograms of usage distribution.\r\n\r\n- **Compliance and audit trails**\r\n\r\nRegulated industries require audit trails for AI interactions. When LLM requests flow directly from client to provider, organizations have no record of what was sent or received.\r\n\r\nAperture stores full request and response bodies. The capture system preserves headers, payloads, and tool use data. [Export logs and events](https://tailscale.com/docs/aperture/how-to/export-usage-data-to-s3) to your SIEM for monitoring, retention, and compliance workflows.\r\n\r\n- **LLM session debugging**\r\n\r\nDebug LLM interactions by reviewing full request and response data. The **Logs** page of the Aperture dashboard groups related requests into sessions, letting you trace the flow of a conversation or coding task.\r\n\r\n\r\n## [Limitations](https://tailscale.com/docs/aperture/what-is-aperture\\#limitations)\r\n\r\nConsider the following limitations before deployment. Tailscale is actively developing Aperture, so this list updates frequently.\r\n\r\n- **Tailscale requirement**\r\n\r\nThe Aperture server runs on a Tailscale network. Clients can connect from inside the tailnet or from outside it using [ts-unplug](https://github.com/tailscale/ts-plug). Both paths provide Tailscale-based identity. Direct public internet access is not supported.\r\n\r\n- **Provider support**\r\n\r\nMetrics extraction relies on parsing provider response formats. Aperture handles OpenAI, Anthropic, Gemini, and OpenAI-compatible APIs. Refer to the [provider compatibility reference](https://tailscale.com/docs/aperture/provider-compatibility) for details. New providers or format changes might require updates.\r\n\r\n- **No request modification**\r\n\r\nAperture captures and forwards requests without modification (except authentication headers). Aperture does not yet support request filtering or prompt injection detection.\r\n\r\n- **Quota buckets reset on restart**\r\n\r\nAperture stores quota buckets in memory. When the configuration reloads or the process restarts, every bucket resets to full capacity. Plan quota capacities and refill rates with this behavior in mind.\r\n\r\n- **Subscription plans not supported**\r\n\r\nAperture authenticates with LLM providers using API keys from provider developer platforms. Consumer and business subscription plans — such as [Claude Pro or Claude Max](https://www.anthropic.com/pricing), [ChatGPT Plus, Pro, or Team](https://openai.com/chatgpt/pricing), or [Gemini Advanced](https://gemini.google.com/) — are separate from provider API access and do not provide API keys compatible with Aperture.\r\n\r\n\r\n## [FAQ](https://tailscale.com/docs/aperture/what-is-aperture\\#faq)\r\n\r\n**What happens if a user tries to connect from outside the tailnet?**\r\n\r\nUsers outside the tailnet can [connect through ts-unplug](https://tailscale.com/docs/aperture/get-started#enable-aperture-without-a-tailnet), which creates a lightweight tailnet node and proxies local traffic to Aperture. Without ts-unplug, the connection fails at the network level because Aperture listens on Tailscale interfaces.\r\n\r\n**What happens when I add a new LLM provider to the configuration?**\r\n\r\nClients can immediately use models from that provider by specifying the model name in their requests. No client changes are required because the proxy routes based on model name.\r\n\r\n**What happens if a streaming response is interrupted mid-stream?**\r\n\r\nThe proxy captures whatever data arrived before the interruption. Metrics extraction might fail or report partial data, but the proxy stores the partial capture for debugging.\r\n\r\n**Do clients need API keys to use Aperture?**\r\n\r\nNo. Aperture identifies users through Tailscale and injects provider API keys automatically. Clients connect without credentials.\r\n\r\n**Can I use my Claude Max, ChatGPT Plus, or other subscription plan with Aperture?**\r\n\r\nNo. Aperture requires API keys from provider developer platforms. Consumer and business subscription plans — such as [Claude Pro or Claude Max](https://www.anthropic.com/pricing), [ChatGPT Plus, Pro, or Team](https://openai.com/chatgpt/pricing), or [Gemini Advanced](https://gemini.google.com/) — are separate from provider API access and do not provide API keys compatible with Aperture. Obtain API keys from the provider's developer platform (for example, the [Anthropic Console](https://console.anthropic.com/), [OpenAI Platform](https://platform.openai.com/), or [Google AI Studio](https://aistudio.google.com/)).\r\n\r\n**Can I use Aperture with providers not listed in the documentation?**\r\n\r\nYes, if the provider uses an OpenAI-compatible API format. Configure it as a provider with `openai_chat: true` compatibility and the appropriate authorization type.\r\n\r\n**Can I use Aperture with self-hosted LLMs?**\r\n\r\nYes, you can proxy self-hosted LLMs with Aperture without exposing the endpoints to the public internet.\r\n\r\n**Can I use Aperture in CI/CD environments, such as GitHub Actions?**\r\n\r\nYes, as long as you can run Tailscale. Aperture works in common containerized environments such as GitHub Actions without needing to expose either the agent or the gateway to the public internet.\r\n\r\n**Can I use Aperture with several tailnets?**\r\n\r\nYes, you can [connect to Aperture from another tailnet](https://tailscale.com/docs/aperture/get-started#enable-aperture-without-a-tailnet) using [ts-unplug](https://github.com/tailscale/ts-plug). You can also use ts-unplug to connect from environments that aren't on a tailnet at all.\r\n\r\n## [Learn more](https://tailscale.com/docs/aperture/what-is-aperture\\#learn-more)\r\n\r\n- [How Aperture works](https://tailscale.com/docs/aperture/how-aperture-works): identity and authentication, request routing by model, telemetry capture, and session tracking.\r\n- [Get started with Aperture](https://tailscale.com/docs/aperture/get-started): sign up, configure providers, and connect your first LLM client.\r\n\r\n![Project Logo](https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed)\r\n\r\nAsk AI\r\n\r\nreCAPTCHA\r\n\r\nRecaptcha requires verification.\r\n\r\nprotected by **reCAPTCHA**\r\n","html":"<h1>What is Aperture?</h1>\n<p>Last validated: Apr 9, 2026</p>\n<p>Aperture by Tailscaleis currently <a href=\"https://tailscale.com/docs/reference/tailscale-release-stages#alpha\">in alpha</a>.</p>\n<p>As organizations adopt AI across development, automation, and internal tools, they face new challenges around security, visibility, and control. API keys are often scattered across developer devices, CI/CD (continuous integration/continuous delivery) systems, and automated agents, increasing the risk of leaks and making credentials difficult to rotate or audit. Teams lack clear insight into who is using which models, how frequently, and at what cost. This makes it difficult for security, platform, and compliance teams to support AI usage at scale without slowing developers down.</p>\n<p>Aperture by Tailscale addresses these challenges with a centralized AI gateway that secures, monitors, and routes LLM requests across your organization. Aperture uses <a href=\"https://tailscale.com/docs/concepts/tailscale-identity\">Tailscale's identity layer</a> to automatically authenticate users, eliminating the need to distribute API keys. It injects provider credentials for users and automated agents and routes requests to upstream LLM providers such as OpenAI, Anthropic, and Google, without requiring changes to existing tools or workflows.</p>\n<h2><a href=\"https://tailscale.com/docs/aperture/what-is-aperture#use-cases\">Use cases</a></h2>\n<p>Aperture addresses common challenges organizations face when adopting LLM clients.</p>\n<ul>\n<li><strong>Centralized API key management</strong></li>\n</ul>\n<p>Distributing API keys to developers creates security risks and an administrative burden. Keys get committed to repositories, shared insecurely, or forgotten when employees leave.</p>\n<p>Aperture centralizes API keys in the <a href=\"https://tailscale.com/docs/aperture/configuration\">server configuration</a>. Clients connect through the proxy without needing provider credentials. User identity comes from Tailscale's identity layer, which automatically identifies users based on their device.</p>\n<ul>\n<li><strong>Visibility into LLM usage</strong></li>\n</ul>\n<p>Gain visibility into how engineering teams adopt LLM-powered tools. Aperture lets you answer questions such as:</p>\n<ul>\n<li>How many tokens did we use last month?</li>\n<li>Which models are teams using?</li>\n<li>What does the breakdown of our LLM spend look like?</li>\n</ul>\n<p>Aperture captures every request with user attribution, model identification, and token counts. The <a href=\"https://tailscale.com/docs/aperture/reference/dashboard\">Aperture dashboard</a> aggregates this data by user, model, and time period.</p>\n<ul>\n<li><strong>Cost tracking</strong></li>\n</ul>\n<p>LLM API costs scale with token usage, but tracking consumption across tools and providers requires aggregating data from each source individually. Developers might not realize how much their workflows cost, and finance teams lack the data to forecast budgets.</p>\n<p>Aperture extracts token usage from every response, including input, output, cached, and reasoning tokens. This data feeds into dashboards and <a href=\"https://tailscale.com/docs/aperture/how-to/export-usage-data-to-s3\">exports</a> for cost analysis. You can also <a href=\"https://tailscale.com/docs/aperture/manage-spending\">set budgets and per-user spending limits</a> to prevent cost overruns.</p>\n<ul>\n<li><strong>Adoption analytics</strong></li>\n</ul>\n<p>Gather adoption insights and answer questions such as:</p>\n<ul>\n<li>Which teams are using the tools? How frequently?</li>\n<li>Are there users who tried a tool one time and stopped?</li>\n</ul>\n<p>The <a href=\"https://tailscale.com/docs/aperture/reference/dashboard\"><strong>Adoption</strong> page</a> of the Aperture dashboard shows organization-wide usage patterns, active users over time, and histograms of usage distribution.</p>\n<ul>\n<li><strong>Compliance and audit trails</strong></li>\n</ul>\n<p>Regulated industries require audit trails for AI interactions. When LLM requests flow directly from client to provider, organizations have no record of what was sent or received.</p>\n<p>Aperture stores full request and response bodies. The capture system preserves headers, payloads, and tool use data. <a href=\"https://tailscale.com/docs/aperture/how-to/export-usage-data-to-s3\">Export logs and events</a> to your SIEM for monitoring, retention, and compliance workflows.</p>\n<ul>\n<li><strong>LLM session debugging</strong></li>\n</ul>\n<p>Debug LLM interactions by reviewing full request and response data. The <strong>Logs</strong> page of the Aperture dashboard groups related requests into sessions, letting you trace the flow of a conversation or coding task.</p>\n<h2><a href=\"https://tailscale.com/docs/aperture/what-is-aperture#limitations\">Limitations</a></h2>\n<p>Consider the following limitations before deployment. Tailscale is actively developing Aperture, so this list updates frequently.</p>\n<ul>\n<li><strong>Tailscale requirement</strong></li>\n</ul>\n<p>The Aperture server runs on a Tailscale network. Clients can connect from inside the tailnet or from outside it using <a href=\"https://github.com/tailscale/ts-plug\">ts-unplug</a>. Both paths provide Tailscale-based identity. Direct public internet access is not supported.</p>\n<ul>\n<li><strong>Provider support</strong></li>\n</ul>\n<p>Metrics extraction relies on parsing provider response formats. Aperture handles OpenAI, Anthropic, Gemini, and OpenAI-compatible APIs. Refer to the <a href=\"https://tailscale.com/docs/aperture/provider-compatibility\">provider compatibility reference</a> for details. New providers or format changes might require updates.</p>\n<ul>\n<li><strong>No request modification</strong></li>\n</ul>\n<p>Aperture captures and forwards requests without modification (except authentication headers). Aperture does not yet support request filtering or prompt injection detection.</p>\n<ul>\n<li><strong>Quota buckets reset on restart</strong></li>\n</ul>\n<p>Aperture stores quota buckets in memory. When the configuration reloads or the process restarts, every bucket resets to full capacity. Plan quota capacities and refill rates with this behavior in mind.</p>\n<ul>\n<li><strong>Subscription plans not supported</strong></li>\n</ul>\n<p>Aperture authenticates with LLM providers using API keys from provider developer platforms. Consumer and business subscription plans — such as <a href=\"https://www.anthropic.com/pricing\">Claude Pro or Claude Max</a>, <a href=\"https://openai.com/chatgpt/pricing\">ChatGPT Plus, Pro, or Team</a>, or <a href=\"https://gemini.google.com/\">Gemini Advanced</a> — are separate from provider API access and do not provide API keys compatible with Aperture.</p>\n<h2><a href=\"https://tailscale.com/docs/aperture/what-is-aperture#faq\">FAQ</a></h2>\n<p><strong>What happens if a user tries to connect from outside the tailnet?</strong></p>\n<p>Users outside the tailnet can <a href=\"https://tailscale.com/docs/aperture/get-started#enable-aperture-without-a-tailnet\">connect through ts-unplug</a>, which creates a lightweight tailnet node and proxies local traffic to Aperture. Without ts-unplug, the connection fails at the network level because Aperture listens on Tailscale interfaces.</p>\n<p><strong>What happens when I add a new LLM provider to the configuration?</strong></p>\n<p>Clients can immediately use models from that provider by specifying the model name in their requests. No client changes are required because the proxy routes based on model name.</p>\n<p><strong>What happens if a streaming response is interrupted mid-stream?</strong></p>\n<p>The proxy captures whatever data arrived before the interruption. Metrics extraction might fail or report partial data, but the proxy stores the partial capture for debugging.</p>\n<p><strong>Do clients need API keys to use Aperture?</strong></p>\n<p>No. Aperture identifies users through Tailscale and injects provider API keys automatically. Clients connect without credentials.</p>\n<p><strong>Can I use my Claude Max, ChatGPT Plus, or other subscription plan with Aperture?</strong></p>\n<p>No. Aperture requires API keys from provider developer platforms. Consumer and business subscription plans — such as <a href=\"https://www.anthropic.com/pricing\">Claude Pro or Claude Max</a>, <a href=\"https://openai.com/chatgpt/pricing\">ChatGPT Plus, Pro, or Team</a>, or <a href=\"https://gemini.google.com/\">Gemini Advanced</a> — are separate from provider API access and do not provide API keys compatible with Aperture. Obtain API keys from the provider's developer platform (for example, the <a href=\"https://console.anthropic.com/\">Anthropic Console</a>, <a href=\"https://platform.openai.com/\">OpenAI Platform</a>, or <a href=\"https://aistudio.google.com/\">Google AI Studio</a>).</p>\n<p><strong>Can I use Aperture with providers not listed in the documentation?</strong></p>\n<p>Yes, if the provider uses an OpenAI-compatible API format. Configure it as a provider with <code>openai_chat: true</code> compatibility and the appropriate authorization type.</p>\n<p><strong>Can I use Aperture with self-hosted LLMs?</strong></p>\n<p>Yes, you can proxy self-hosted LLMs with Aperture without exposing the endpoints to the public internet.</p>\n<p><strong>Can I use Aperture in CI/CD environments, such as GitHub Actions?</strong></p>\n<p>Yes, as long as you can run Tailscale. Aperture works in common containerized environments such as GitHub Actions without needing to expose either the agent or the gateway to the public internet.</p>\n<p><strong>Can I use Aperture with several tailnets?</strong></p>\n<p>Yes, you can <a href=\"https://tailscale.com/docs/aperture/get-started#enable-aperture-without-a-tailnet\">connect to Aperture from another tailnet</a> using <a href=\"https://github.com/tailscale/ts-plug\">ts-unplug</a>. You can also use ts-unplug to connect from environments that aren't on a tailnet at all.</p>\n<h2><a href=\"https://tailscale.com/docs/aperture/what-is-aperture#learn-more\">Learn more</a></h2>\n<ul>\n<li><a href=\"https://tailscale.com/docs/aperture/how-aperture-works\">How Aperture works</a>: identity and authentication, request routing by model, telemetry capture, and session tracking.</li>\n<li><a href=\"https://tailscale.com/docs/aperture/get-started\">Get started with Aperture</a>: sign up, configure providers, and connect your first LLM client.</li>\n</ul>\n<p><img src=\"https://cdn.brandfetch.io/tailscale.com/fallback/lettermark/theme/dark/h/256/w/256/icon?c=1bfwsmEH20zzEfSNTed\" alt=\"Project Logo\"></p>\n<p>Ask AI</p>\n<p>reCAPTCHA</p>\n<p>Recaptcha requires verification.</p>\n<p>protected by <strong>reCAPTCHA</strong></p>\n"}