Private Network Access is for web flows. If your firewall just needs static source IPs, use the Network Allowlist instead — it’s simpler and also covers hooks and mobile runners.
How it works
- Connect: an org admin gives Autosana a one-time Tailscale API access token (
tskey-api-…) and the target URLs for one environment. Autosana writes a least-privilege grant to your tailnet policy, mints a scoped credential, and discards the token. - Verify: Autosana joins your tailnet with a short-lived key and confirms each target is reachable.
- Run: each web flow run joins the tailnet only for the browser session, routes traffic through it, and leaves when the run ends.
Setup
- In Tailscale, make sure your app is reachable from the tailnet (approve subnet router routes if needed)
- Create a one-time Tailscale API access token
- In Autosana, pick the environment that should use the private network
- Enter your target host and port, e.g.
staging.internal.example.com:443 - Connect, then run verification before using the environment in a web flow
Troubleshooting
- Verification can’t reach the target — check the host/port, and that the target is reachable from a device on your tailnet with the needed subnet routes approved.
- A web run fails to join the network — confirm the environment’s private network status still shows connected, then retry. Runs fail loudly rather than silently falling back to the public internet.
- Still stuck? Email founders@autosana.ai with the environment name and failing run URL.