Networking & SSH
Public URLs, per-stead Tailscale private networking, and SSH access.
Every agent has two ways to reach it: a public HTTPS URL and, optionally, a private Tailscale address.
Public URL
Every deployed agent gets a dedicated https:// URL. It's shown in Access & Credentials and stays stable for the life of the agent.
Use it for:
- Logging into the sandbox web UI
- API calls from scripts or integrations
- Sharing a stable endpoint with external tools
Private access with Tailscale
Tailscale gives your agent a private WireGuard-based address on your tailnet — reachable from any of your own Tailscale-connected devices without going through the public URL.
Tailscale is configured per workspace (stead). All agents in the same workspace share the same tailnet, so they can reach each other directly.
Setting up workspace networking
Open Networking
Go to Networking in the sidebar. You'll see a list of your workspaces with their tailnet status.
Select your workspace
Click the workspace you want to configure (usually Main). This opens the workspace networking detail page.
Configure your tailnet
Choose between two methods:
OAuth credentials never expire — set them once and every agent deployed into this workspace auto-connects forever.
- Go to tailscale.com/admin/settings/oauth
- Create an OAuth client with
auth_keys:writescope - If your OAuth client requires a device tag, add the tag to your Tailscale ACL first:
"tagOwners": { "tag:agentstead": ["autogroup:admin"] } - Enter the Client ID, Client Secret, and optionally the Device Tag in the OAuth section
- Click Save OAuth credentials — the credentials are validated live before saving
A reusable auth key works but expires (default 90 days). When it expires, new agent deploys stop auto-connecting.
- Go to tailscale.com/admin/settings/keys
- Click Generate auth key
- Enable Reusable and Pre-authorized
- Paste the key into the Auth Key section and click Save auth key
Deploy an agent
Once networking is configured, every new agent deployed into that workspace automatically joins your tailnet. No manual connect step needed.
Agents deployed before networking was configured can be connected manually from the agent's Access tab → Tailscale Network → Connect to Tailscale.
Wait for the IP
The agent's Tailscale IP (100.x.x.x) appears in the agent list and in the Access tab once it has joined. This usually takes 10–30 seconds.
SSH in
From any machine on your tailnet:
ssh <username>@<tailscale-ip>Use the username and password from Access & Credentials. Standard port 22.
Good for:
- Persistent terminal sessions from your local machine
- Local editor integration (VS Code Remote SSH, Neovim with remote plugins)
- Running long-running commands without keeping the desktop open
See Networking & SSH to set up Tailscale.
The emerald dot next to a workspace name in the sidebar and on the Networking page means that workspace has Tailscale configured.
Agents can reach each other
All agents in the same workspace share the same tailnet. They can reach each other directly via their 100.x.x.x Tailscale IPs — useful for multi-agent workflows where agents need to communicate without going through the public internet.
Disconnecting Tailscale
Open the agent's Access tab, find the Tailscale Network card, and click Disconnect Tailscale. The sidecar is removed and the private address is released.
Port 25 (SMTP) block
Outbound port 25 is blocked on all agents by default. This is a platform-wide policy to protect the shared IP reputation of AgentStead infrastructure.
If you need port 25 unblocked for a legitimate use case, email support@agentstead.dev with your account email, agent ID, and what you're using it for.
If you're sending email from an application, use a hosted email API (Resend, Postmark, SendGrid, AWS SES) over HTTPS instead. These work on any agent without any unblock needed.