Tailscale Private Access
Use this when you want to reach SLAW over Tailscale (or a private LAN/VPN) instead of only localhost.
1. Start SLAW in private authenticated mode
pnpm dev --bind tailnet
This sets:
SLAW_DEPLOYMENT_MODE=authenticated
SLAW_DEPLOYMENT_EXPOSURE=private
SLAW_BIND=tailnet
For broader private-network access instead, use pnpm dev --bind lan.
2. Find your reachable Tailscale address
From the machine running SLAW:
tailscale ip -4
You can also use your Tailscale MagicDNS hostname (for example my-macbook.tailnet.ts.net).
3. Open SLAW from another device
Use the Tailscale IP or MagicDNS host with the SLAW port:
http://my-macbook.tailnet.ts.net:3100
4. Allow custom private hostnames when needed
If you access SLAW with a custom private hostname, add it to the allowlist:
npx slaw allowed-hostname my-macbook.tailnet.ts.net
5. Verify the server is reachable
From a remote Tailscale-connected device:
curl http://<tailscale-host-or-ip>:3100/api/health
# -> {"status":"ok"}
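A complementary check to run on the SLAW host itself, added here as an example and not part of SLAW's own tooling: it classifies which address port 3100 is listening on, so a wildcard or LAN bind is noticed when only tailnet access was intended. Assumptions: a Linux host with iproute2 `ss`, Tailscale's 100.64.0.0/10 IPv4 range, hypothetical function names, and constructed sample lines.

```shell
#!/bin/sh
# Added example (not SLAW code): classify the address a TCP port listens on.
# Real use on a Linux host:  ss -ltnH | exposure 3100

# classify_addr ADDR -> loopback | wildcard | tailnet | other
classify_addr() {
  case "$1" in
    127.*|'[::1]') echo loopback; return ;;
    0.0.0.0|'*'|'[::]') echo wildcard; return ;;
    *.*.*.*) ;;                      # dotted IPv4, inspected below
    *) echo other; return ;;         # IPv6 and anything else is reported as other
  esac
  # Tailscale IPv4 addresses come from 100.64.0.0/10 (100.64.x.x to 100.127.x.x).
  first=${1%%.*}; rest=${1#*.}; second=${rest%%.*}
  case "$second" in ''|*[!0-9]*) echo other; return ;; esac
  if [ "$first" = 100 ] && [ "$second" -ge 64 ] && [ "$second" -le 127 ]; then
    echo tailnet
  else
    echo other
  fi
}

# listeners PORT: read `ss -ltnH` lines on stdin, print "ADDR CLASS" per listener.
listeners() {
  port=$1
  while read -r _state _recvq _sendq laddr _rest; do
    case "$laddr" in *":$port") ;; *) continue ;; esac
    addr=${laddr%:*}
    echo "$addr $(classify_addr "$addr")"
  done
}

# exposure PORT: widest class seen (wildcard > other > tailnet > loopback > none).
exposure() {
  out=$(listeners "$1")
  for class in wildcard other tailnet loopback; do
    case "$out" in *" $class"*) echo "$class"; return ;; esac
  done
  echo none
}

# Constructed sample `ss -ltnH` lines, not captured from a real SLAW host.
SAMPLE_TAILNET='LISTEN 0 511 100.101.102.103:3100 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*'
SAMPLE_WILDCARD='LISTEN 0 511 0.0.0.0:3100 0.0.0.0:*'

printf '%s\n' "$SAMPLE_TAILNET"  | exposure 3100   # tailnet
printf '%s\n' "$SAMPLE_WILDCARD" | exposure 3100   # wildcard
```

A result of `other` means the port is bound to a non-Tailscale address such as a LAN interface, and `wildcard` means it is listening on every interface.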
Troubleshooting
- Login or redirect errors on a private hostname: add it with slaw allowed-hostname.
- App only works on localhost: make sure you started with --bind lan or --bind tailnet, not plain pnpm dev.
- Can connect locally but not remotely: verify both devices are on the same Tailscale network and port 3100 is reachable.
Next steps
- Deployment Modes — authenticated/private in detail
- Environment Variables — SLAW_BIND and exposure
- Security & Sovereignty — what stays local