Create a Tailscale OAuth client with Devices: Read scope, then paste the Client ID and Secret into the app. Install and start WebFinder on each Mac or Linux device you want to show up.
Requires Node.js LTS; apt-based distros install it automatically
Adds web-finder CLI to PATH
Run web-finder start --auto-publish for recommended setup
Auto-publish may prompt for local Tailscale operator permission
Agent install
Copy this prompt into an agent with terminal access to the device
Install WebFinder from https://github.com/zeulewan/web-finder on this Mac or Linux device. It is fully free and open source, MIT licensed, and auditable, so inspect the repo and install script first if you do not trust it. On macOS, install with: brew install --cask zeulewan/tap/webfinder. On Linux, install with: curl -sSL https://raw.githubusercontent.com/zeulewan/web-finder/refs/heads/main/install.sh | bash. Use the documented install command for this OS; if it needs sudo or fails, explain why before using a custom install path. After installing, explain the two start modes: passive web-finder start, or web-finder start --auto-publish for individual setups. Ask which mode I want before starting it. Only use --auto-publish if I explicitly confirm, because it creates Tailscale Serve mappings for detected local web UIs. If WebFinder prompts for local Tailscale operator permission on Linux, explain that it lets WebFinder manage Tailscale Serve mappings without running as root and ask before answering yes; sudo may ask for my password the first time. After I choose, start WebFinder in that mode, then verify the install with web-finder version and web-finder status. If status shows Tailscale Serve permission errors, report the exact fix it recommends.
Works for Mac or Linux devices where an agent has shell access
Use auto-publish for the recommended setup, or plain start for passive discovery.
🌐
Manifest-based discovery
Remote devices show up after WebFinder is installed and started on each Mac or Linux peer you want to discover.
🔍
Local smart detection
Each publisher fetches titles locally. Recommended auto-publish mode can create Tailscale Serve mappings for detected listening web ports.
🔒
Tailnet-safe sharing
web-finder start --auto-publish is recommended and lets WebFinder create Tailscale Serve mappings for detected local web UIs. On Linux, it may prompt for local Tailscale operator permission. Plain web-finder start is the passive default and only advertises existing mappings.
📋
Agent-friendly CLI
JSON output mode lets AI agents and scripts query your network programmatically.
CLI usage
Works great standalone or piped into scripts and AI agents.
web-finderShow local services, gateway services, and Tailscale manifests
web-finder start --auto-publishRecommended: publish detected local web UIs with Tailscale Serve; may prompt on Linux
web-finder stopStop sharing and disable autostart
web-finder statusCheck daemon, Tailscale Serve, MagicDNS, and version
web-finder --jsonMachine-readable JSON output
web-finder --debugVerbose output, diagnostics, and peers with no published services
web-finder updatePull latest CLI (and app on macOS)
web-finder versionShow installed version and commit
FAQ
Common questions about WebFinder for Tailscale.
Is WebFinder for Tailscale free?
Yes, completely. There are no in-app purchases, subscriptions, or ads. The app is open source under the MIT License and available on GitHub.
Do I need a paid Tailscale account?
No. WebFinder for Tailscale works with free personal Tailscale accounts. You just need to create an OAuth client with the Devices: Read scope, which is available to all Tailscale users.
Does it work without Tailscale?
Yes, on macOS and Linux. Run web-finder on the CLI or use the macOS menubar app to discover web services running on that machine. Tailscale is needed for remote devices, and those remote devices need WebFinder running so they can publish their manifests.
What ports does WebFinder scan?
For remote peer discovery, WebFinder reads existing Tailscale Serve mappings, fetches titles from the matching local web ports, and publishes those results as a manifest. The standalone CLI and macOS app can also scan local ports on the machine where they are running. Other clients fetch peer manifests instead of port-scanning the peer.
Is there a daemon or autostart?
Yes. Run web-finder start --auto-publish once on each Mac or Linux device for the recommended setup. It starts the local manifest daemon, enables autostart where supported, and lets WebFinder create Tailscale Serve mappings for detected local web UIs. On Linux, auto-publish may prompt to set the current Unix user as the local Tailscale operator; sudo may ask for your password the first time. Plain web-finder start remains the passive default and only advertises mappings you already created. macOS uses a LaunchAgent, most Linux systems use a systemd user service, OpenWrt uses procd, and other non-systemd systems fall back to cron when available.
Is my data sent to any servers?
No. OAuth credentials are stored locally on your device. The app connects to api.tailscale.com to fetch your device list, then connects directly to WebFinder manifest endpoints and service URLs on your own tailnet. There is no analytics, tracking, or telemetry.
What is an OAuth client and how do I create one?
An OAuth client lets WebFinder read your Tailscale device list. Go to the Tailscale admin console, create a new OAuth client, select the Devices: Read scope, and copy the Client ID and Secret into the app. It takes about 30 seconds and only needs to be done once.
Which platforms are supported?
iOS (iPhone and iPad), macOS (native menubar app + CLI), and Linux (CLI). macOS installs through Homebrew, Linux installs with the shell installer, and the CLI behavior is the same on both platforms.
