Part 1 - API Token for Host Discovery
meshTerm uses a read-only Tailscale API token to browse your Tailnet when adding hosts. It allows meshTerm to list your devices by name rather than requiring you to type IP addresses manually. Tailscale SSH connections work without it; you can skip this part and still connect to hosts if you know their Tailscale IP or hostname.
1. Go to the Tailscale admin console
Open your browser and go to tailscale.com, then sign in to your account.
2. Navigate to API Keys
Go to Settings → Personal Settings → Keys. Scroll down to the API Access Tokens section.
tailscale.com › Settings › Personal Settings › Keys › API Access Tokens
3. Click Generate token
Give the token a label so you can identify it later.
Suggested label: meshTerm
4. Set an expiry
90 days is a sensible default. You can regenerate the token at any time in the same location.
Recommended: 90 days
5. Leave permissions as read-only
meshTerm only needs to list the devices in your Tailnet. No write access is required or requested.
6. Copy the token
Copy the token immediately; Tailscale will only show it once. If you lose it, generate a new one.
7. Paste it into meshTerm
Open meshTerm and navigate to the API token setting.
meshTerm › Settings › Tailscale › API Token
- Your token is stored securely in the iOS Keychain; it is never stored in plain text
- It is used only to list the devices in your Tailnet; no changes are made to your Tailscale account
- meshTerm requests read-only scope only; the token cannot modify your network or settings
- The token is never transmitted to any meshTerm or third-party server; all Tailscale API calls are made directly from your device to Tailscale
Part 2 - Enabling Tailscale SSH on Remote Hosts
Tailscale SSH enables passwordless, keyless authentication when connecting from meshTerm to a remote host. Instead of a password or SSH key, authentication is handled by Tailscale's identity layer: if your device is on the Tailnet and authorised, you're in.
Standard SSH authentication
- Requires SSH key or password
- Works on any Tailscale peer
- No server-side setup needed
Tailscale SSH
- Passwordless, keyless auth
- Identity from Tailscale network
- One-time setup per server
- Select "Tailscale SSH" in meshTerm auth method
Requirements
Tailscale SSH is supported on Linux servers running Tailscale v1.30 or later. The host must be running the Tailscale daemon and be a member of the same Tailnet as your iPhone.
Step 1 - Enable Tailscale SSH on the server
Run this command on each Linux server you want to connect to without a password:
    # Enable Tailscale SSH on the remote host
    sudo tailscale up --ssh
Or if Tailscale is already running and you want to add SSH without changing other settings:
    # Add SSH to existing Tailscale configuration
    sudo tailscale set --ssh
Verify it's enabled:
    # Check Tailscale SSH status
    tailscale status
    # You should see something like:
    # 100.x.x.x your-server yourname@ linux active; offers SSH
Step 2 - Enable Tailscale SSH in your ACL policy (if required)
Depending on your Tailscale plan and ACL configuration, you may need to explicitly permit SSH in your network's access control policy. For personal Tailscale accounts the default policy permits this automatically; you can skip this step.
If you manage a Tailnet with custom ACLs, add the following to your tailscale.com/admin/acls policy:
    // Add to your ACL policy at tailscale.com/admin/acls
    "ssh": [
      {
        "action": "accept",
        "src": ["autogroup:member"],
        "dst": ["autogroup:self"],
        "users": ["autogroup:nonroot", "root"]
      }
    ]
tailscale up --ssh on the server and you are done.
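An added example, not part of meshTerm or Tailscale: a small Python check that reads the "ssh" section of a policy file and reports what each rule permits, run here over the rule from Step 2. The function names and finding texts are assumptions made for this example, and the policy text is a constructed sample.

```python
import json
import re

# Constructed sample: this page's Step 2 rule as it would sit in a policy file.
PAGE_POLICY = """{
  // Add to your ACL policy at tailscale.com/admin/acls
  "ssh": [
    {
      "action": "accept",
      "src": ["autogroup:member"],
      "dst": ["autogroup:self"],
      "users": ["autogroup:nonroot", "root"],
    },
  ],
}"""

_STRING = r'("(?:\\.|[^"\\])*")'  # a JSON string literal, always kept untouched


def load_policy(text):
    """Parse policy text that may carry comments and trailing commas."""
    keep = lambda m: m.group(1) or ""
    # Pass 1: drop // and /* */ comments that sit outside string literals.
    text = re.sub(_STRING + r"|//[^\n]*|/\*.*?\*/", keep, text, flags=re.S)
    # Pass 2: drop commas that directly precede a closing ] or }.
    text = re.sub(_STRING + r"|,(?=\s*[\]}])", keep, text)
    return json.loads(text)


def audit_ssh_rules(policy):
    """Return (rule index, finding) pairs for the policy's "ssh" section."""
    findings = []
    for i, rule in enumerate(policy.get("ssh", [])):
        if rule.get("action") == "accept":
            findings.append((i, "accept: no periodic re-authentication (compare 'check')"))
        if "root" in rule.get("users", []):
            findings.append((i, "root login is permitted"))
        if set(rule.get("dst", [])) != {"autogroup:self"}:
            findings.append((i, "dst reaches devices beyond the connecting user's own"))
    return findings


if __name__ == "__main__":
    for index, finding in audit_ssh_rules(load_policy(PAGE_POLICY)):
        print(f"ssh rule {index}: {finding}")
```

Run against your own policy text before saving it in the admin console; an empty result means every SSH rule uses check, excludes root, and is limited to the user's own devices.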
Step 3 - Connect from meshTerm
Once Tailscale SSH is enabled on your server, select Tailscale SSH as the authentication method when adding or connecting to a host in meshTerm.
1. Open meshTerm and go to Hosts
Your Tailscale peers are listed automatically if you have set up your API token. If not, add the host manually using its Tailscale IP (e.g. 100.x.x.x) or MagicDNS name (e.g. my-server.tail1234.ts.net).
2. Set Authentication to Tailscale SSH
When adding or editing a host, select Tailscale SSH as the authentication method. No password or SSH key is needed.
3. Tap to connect
meshTerm connects using your Tailscale identity; no password or SSH key required.
Troubleshooting
Tailscale SSH connection fails
- Confirm tailscale up --ssh was run on the server
- Run tailscale status on the server and check it says offers SSH
- Make sure both devices are on the same Tailnet and showing as connected
- Confirm Tailscale SSH is selected as the authentication method in meshTerm
Connection refused or permission denied
- Check your Tailscale ACL policy permits SSH between your devices
- Verify the username you are connecting as exists on the remote host
- Check journalctl -u tailscaled on the server for connection logs
API token expired
Generate a new token at tailscale.com → Settings → Personal Settings → Keys and update it in meshTerm → Settings → Tailscale → API Token.
Enabling Tailscale SSH by Linux distribution
Install Tailscale if not already installed, then enable SSH:
    # Install Tailscale (if not already installed)
    curl -fsSL https://tailscale.com/install.sh | sh
    # Enable Tailscale SSH
    sudo tailscale up --ssh
    # Verify
    tailscale status
Install from the official repos and enable via systemd:
    # Install Tailscale
    sudo pacman -S tailscale
    sudo systemctl enable --now tailscaled
    # Authenticate and enable SSH
    sudo tailscale up --ssh
    # Verify
    tailscale status
Install via the Tailscale repo and enable SSH:
    # Install Tailscale
    curl -fsSL https://tailscale.com/install.sh | sh
    sudo systemctl enable --now tailscaled
    # Enable Tailscale SSH
    sudo tailscale up --ssh
    # If using SELinux, you may need:
    sudo setsebool -P tailscale_enabled 1
    # Verify
    tailscale status
Alpine uses OpenRC rather than systemd:
    # Install Tailscale
    apk add tailscale
    rc-update add tailscale
    rc-service tailscale start
    # Enable Tailscale SSH
    tailscale up --ssh
    # Verify
    tailscale status