Headscale Admin
Headscale supervisor and Modern UI
Tags: single binary, supervises headscale, OIDC SSO, TOTP 2FA, PassKey
Features
Everything in one binary
Supervised headscale
Downloads the pinned, checksum-verified headscale release, owns its config, database and keys, and supervises the process. No separate headscale to install or run.
Single-port front + TLS
One public listener terminates TLS — self-signed, your own cert, or Let's Encrypt — and routes both the admin UI and headscale's control plane. No reverse proxy required.
OIDC SSO + RBAC
Sign in through your identity provider, with admin and operator roles mapped from IdP groups. Bootstrap admins are pinned so you're never locked out.
Local 2FA & passkeys
Without OIDC, accounts use email + password with optional TOTP two-factor and WebAuthn passkeys for passwordless sign-in.
Visual ACL editor
Edit groups, tag owners, hosts, auto-approvers, ACL rules, grants and SSH visually or as raw HuJSON — with a live access-map graph of who can reach what.
One-click upgrades
Move the supervised headscale to a new release from the UI: checksum-verified, restarts headscale, and auto-reverts on failure.
External user sync
Fill ACL group members from JumpCloud, Authentik, Keycloak or LDAP via the bundled headscale-pf, with a diff preview before you apply.
Audit log & backups
An immutable record of every state-changing action, plus one-click exports of the policy, databases, or everything at once.