ASAgentStead Docs

Networking & SSH

Public URLs, Tailscale private access, and SSH into your agent.

Every agent has two ways to reach it: a public HTTPS URL and, optionally, a private Tailscale address.

Public URL

Every deployed agent gets a dedicated https:// URL. It's shown in Access & Credentials and stays stable for the life of the agent.

Use it for:

  • Logging into the runtime web UI
  • API calls from scripts or integrations
  • Sharing a stable endpoint with external tools

Private access with Tailscale

Tailscale gives your agent a private WireGuard-based address on your tailnet — reachable from any of your own Tailscale-connected devices without going through the public URL.

Save a reusable, pre-authorized auth key in account Networking settings before connecting agents. It makes per-agent Tailscale setup a single click.

Save a reusable auth key

Go to account Networking and paste a Tailscale reusable auth key. Generate one at tailscale.com/admin/settings/keys — make sure it's marked Reusable and Pre-authorized.

Connect the agent

Open any agent and find the Tailscale Network card. Click Connect.

If you saved a key in step 1, the agent joins automatically. Otherwise, you'll get a browser auth URL to approve manually.

Wait for the IP

The card shows a 100.x.x.x address once the agent has joined your tailnet. This usually takes 10–30 seconds.

SSH in

From any machine on your tailnet:

ssh <username>@<tailscale-ip>

Use the username and password from Access & Credentials. Standard port 22 — no -p flag needed.

Disconnecting Tailscale

Click Disconnect Tailscale in the agent's Tailscale card. The sidecar is removed and the private address is released.

Port 25 (SMTP) block

Outbound port 25 is blocked on all agents by default. This is a platform-wide policy to protect the shared IP reputation of AgentStead infrastructure — open SMTP is one of the most common vectors for spam abuse.

If you need port 25 unblocked for a legitimate use case (running a mail server, testing SMTP), email support@agentstead.dev with your account email, agent ID, and what you're using it for. Requests are reviewed manually.

If you're sending email from an application, you don't need port 25 — use a hosted email API (Resend, Postmark, SendGrid, AWS SES) over HTTPS instead. These work on any agent without any unblock needed.

Troubleshooting

Schedules

Automate recurring actions — backups and restarts — with cron-based schedules on agentstead.dev.

Data & Backups

What persists in your agent, how full workspace backups work, and what happens when you destroy an agent.

On this page

Public URLPrivate access with TailscaleSave a reusable auth keyConnect the agentWait for the IPSSH inDisconnecting TailscalePort 25 (SMTP) blockTroubleshooting