What is Aperture?

Aperture by Tailscale is currently in beta.

As organizations adopt AI across development, automation, and internal tools, they face new challenges around security, visibility, and control. API keys are often scattered across developer devices, CI/CD (continuous integration/continuous delivery) systems, and automated agents, increasing the risk of leaks and making credentials difficult to rotate or audit. Teams lack clear insight into who is using which models, how frequently, and at what cost. This makes it difficult for security, platform, and compliance teams to support AI usage at scale without slowing developers down.

Aperture by Tailscale addresses these challenges with a centralized AI gateway that secures, monitors, and routes LLM requests across your organization. After reading this page, you'll understand the gateway model Aperture uses, how it identifies users without distributing API keys, and what visibility it provides into LLM usage across your organization.

Core concept

Aperture is a reverse proxy that sits between your LLM clients (coding assistants, chat interfaces, automated agents) and upstream LLM providers (OpenAI, Anthropic, Google, and others). Every request passes through Aperture before reaching a provider, and every response passes back through it. This single chokepoint is the foundation for all of Aperture's capabilities: identity, routing, telemetry, cost tracking, and policy enforcement.

Think of Aperture like a corporate mail room. Instead of giving every employee their own shipping account with each carrier, the mail room holds the accounts centrally. Employees drop off packages addressed by recipient (the model name), the mail room selects the right carrier (the provider), applies the organization's shipping account (the API key), and logs every shipment (telemetry). Employees never handle carrier credentials, and the organization has a complete record of what was sent and where. This analogy breaks down in one important way: unlike a mail room, Aperture also inspects and can modify contents in transit, which is how guardrails work.

Two properties make this gateway model work without disrupting existing workflows:

  • Identity from the network. Aperture uses Tailscale's identity layer to automatically identify every user and device. Because Tailscale already authenticates devices when they join the tailnet, Aperture inherits that identity without requiring separate login credentials or API keys from users. The proxy injects provider API keys from its server configuration on behalf of the user.
  • Routing by model name. Clients specify which model they want (for example, claude-sonnet-4-20250514 or gpt-4o), and Aperture routes the request to the correct provider. Clients don't need to know provider URLs or manage multiple endpoints. This means existing tools work with Aperture after changing only the base URL they point at; the tool's code and the rest of its configuration stay the same.
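The two properties above are easiest to see in code. The following is an added example, not Aperture's code: a toy gateway in Python that derives the caller's identity from the connecting address, picks a provider from the model name, strips any credential header the client sent, and injects the server-held provider key. The provider table, model-prefix mapping, header names, request paths and the identity table are all constructed assumptions for the example; Aperture gets identity from Tailscale and its configuration format is not shown here.

```python
"""Toy gateway showing route-by-model-name and server-side key injection.

Added example; this is not Aperture's code and invents its own config shape.
"""

# Constructed provider table (hypothetical keys). A real gateway keeps these in
# its server configuration; clients never see them.
PROVIDERS = {
    "anthropic": {
        "base_url": "https://api.anthropic.com",
        "path": "/v1/messages",
        "auth": ("x-api-key", ""),          # header name, value prefix
        "key": "sk-ant-SERVER-HELD",
    },
    "openai": {
        "base_url": "https://api.openai.com",
        "path": "/v1/chat/completions",
        "auth": ("authorization", "Bearer "),
        "key": "sk-SERVER-HELD",
    },
}

# Model-name prefix -> provider. Constructed; Aperture's own mapping may differ.
MODEL_PREFIXES = {"claude-": "anthropic", "gpt-": "openai", "o1": "openai"}

# Stand-in for network identity: tailnet node address -> user. Aperture derives
# this from Tailscale; here it is a constructed table so the example runs offline.
TAILNET_IDENTITY = {
    "100.64.0.7": "alice@example.com",
    "100.64.0.9": "ci-runner@example.com",
}

# Any credential header the client sends is dropped: it must never reach upstream.
CLIENT_AUTH_HEADERS = {"authorization", "x-api-key"}


def identify_peer(peer_addr):
    """Map the connecting node to a user, rejecting anything not on the tailnet."""
    try:
        return TAILNET_IDENTITY[peer_addr]
    except KeyError:
        raise PermissionError(f"{peer_addr} is not a tailnet node") from None


def route_model(model):
    """Pick the provider from the model name alone."""
    for prefix, provider in MODEL_PREFIXES.items():
        if model.startswith(prefix):
            return provider
    raise ValueError(f"no provider configured for model {model!r}")


def proxy_request(peer_addr, headers, body):
    """Return (upstream request, telemetry record) for one client request."""
    user = identify_peer(peer_addr)
    provider_name = route_model(body["model"])
    provider = PROVIDERS[provider_name]

    # Drop client-supplied credentials, then inject the provider's own key.
    upstream_headers = {
        k: v for k, v in headers.items() if k.lower() not in CLIENT_AUTH_HEADERS
    }
    header_name, prefix = provider["auth"]
    upstream_headers[header_name] = prefix + provider["key"]

    upstream = {
        "url": provider["base_url"] + provider["path"],
        "headers": upstream_headers,
        "body": body,
    }
    telemetry = {"user": user, "provider": provider_name, "model": body["model"]}
    return upstream, telemetry


if __name__ == "__main__":
    req, rec = proxy_request(
        "100.64.0.7",
        {"Authorization": "Bearer dummy", "Content-Type": "application/json"},
        {"model": "gpt-4o", "messages": [{"role": "user", "content": "hi"}]},
    )
    print(req["url"], req["headers"], rec)
```

Two details matter in a real deployment and are deliberately visible here: a request from an address with no tailnet identity is refused before any provider is chosen, and the dummy `Authorization` header many SDKs insist on sending is discarded rather than forwarded, so the only credential that reaches the provider is the one the server holds.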

What Aperture provides

The gateway position gives Aperture visibility and control that are difficult to achieve when clients connect directly to providers.

  • Centralized API key management. API keys stay in the server configuration, never on developer devices. Aperture injects the appropriate key for each request. When a key needs rotation, you update it in one place.

  • Usage visibility and cost tracking. Aperture captures every request with user attribution, model identification, and token counts (input, output, cached, and reasoning). The Aperture dashboard aggregates this data by user, model, and time period. This data feeds into exports for cost analysis, and you can set budgets and per-user spending limits to prevent cost overruns.

  • Adoption analytics. The Adoption page of the Aperture dashboard shows organization-wide usage patterns, active users over time, and histograms of usage distribution, answering questions like which teams use which tools and how frequently.

  • Compliance and audit trails. Aperture stores full request and response bodies for review. The capture system preserves headers, payloads, and tool use data. Configure a retention policy to control how long Aperture keeps capture data, and export logs and events to your SIEM (security information and event management) system for durable storage and compliance workflows.

  • Guardrails. Guardrails inspect, modify, or block requests at the gateway level before they leave your network. Use cases include scrubbing personally identifiable information (PII) from prompts, restricting tool declarations, and enforcing content policies.

  • Session debugging. The Logs page of the Aperture dashboard groups related requests into sessions, letting you trace the flow of a conversation or coding task by reviewing full request and response data.

Limitations

Consider the following limitations before deployment. Tailscale is actively developing Aperture, so this list changes frequently.

  • Tailscale requirement

    The Aperture server runs in a tailnet. Clients can connect from inside the tailnet or from outside it using ts-unplug. Both paths provide Tailscale-based identity. Aperture does not support direct public internet access.

  • Provider support

    Metrics extraction relies on parsing provider response formats. Aperture handles OpenAI, Anthropic, Gemini, and OpenAI-compatible APIs. Refer to the provider compatibility reference for details. New providers or format changes might require updates.

  • Reducing quota capacity caps existing balances

    Aperture persists quota bucket balances. When you reduce a bucket's capacity, Aperture caps the existing balance at the new value; the excess is not recoverable. Aperture removes buckets whose quota definitions you delete from the configuration. For details, refer to bucket lifecycle.

  • Subscription plans not supported

    Aperture authenticates with LLM providers using API keys from provider developer platforms. Consumer and business subscription plans (such as Claude Pro or Claude Max, ChatGPT Plus, Pro, or Team, or Gemini Advanced) are separate from provider API access and do not provide API keys compatible with Aperture.

FAQ

What happens if a user tries to connect from outside the tailnet?

Users outside the tailnet can connect through ts-unplug, which creates a lightweight tailnet node and proxies local traffic to Aperture. Without ts-unplug, the connection fails at the network level because Aperture listens on Tailscale interfaces.

What happens when I add a new LLM provider to the configuration?

Clients can immediately use models from that provider by specifying the model name in their requests. No client changes are required because the proxy routes based on model name.

What happens if a streaming response is interrupted mid-stream?

The proxy captures whatever data arrived before the interruption. Metrics extraction might fail or report partial data, but the proxy stores the partial capture for debugging.
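Metrics extraction depends on parsing the provider's response format (see Provider support under Limitations), and an interrupted stream leaves a partial capture (this answer). The following added example, which is not Aperture's code, shows what that parsing has to cope with: it walks an OpenAI-style server-sent-events capture, accumulates the streamed text, picks up the usage block if the provider sent one, and reports a truncated stream as partial instead of failing. Both captures are constructed inline; the field names follow the OpenAI chat-completions streaming format, and the result shape is this example's own.

```python
"""Parse an OpenAI-style SSE chat stream capture, tolerating truncation.

Added example, not Aperture's code. The captures below are constructed.
"""
import json


def parse_stream_capture(raw):
    """Extract text and token usage from a captured stream.

    Returns a dict with the reassembled text, the provider usage block (or None
    if the stream ended before it arrived), whether the terminating [DONE]
    marker was seen, and how many chunks parsed or failed to parse.
    """
    result = {"text": "", "usage": None, "complete": False,
              "chunks": 0, "parse_errors": 0}
    for line in raw.decode("utf-8", errors="replace").splitlines():
        line = line.strip()
        if not line.startswith("data:"):
            continue                      # blank separators, comments, other fields
        payload = line[len("data:"):].strip()
        if payload == "[DONE]":
            result["complete"] = True
            break
        try:
            event = json.loads(payload)
        except json.JSONDecodeError:
            result["parse_errors"] += 1   # a chunk cut off mid-JSON
            continue
        result["chunks"] += 1
        for choice in event.get("choices", []):
            result["text"] += choice.get("delta", {}).get("content") or ""
        if event.get("usage"):            # final chunk when include_usage is set
            result["usage"] = event["usage"]
    return result


def capture_status(result):
    """Classify a capture the way a metrics pipeline would triage it."""
    if result["complete"] and result["usage"] is not None:
        return "ok"
    if result["chunks"] == 0:
        return "empty"
    return "partial"


# Constructed capture of a full stream (two content deltas, usage, [DONE]).
COMPLETE_CAPTURE = (
    b'data: {"id":"chatcmpl-1","object":"chat.completion.chunk",'
    b'"choices":[{"index":0,"delta":{"role":"assistant","content":"Hel"}}]}\n\n'
    b'data: {"id":"chatcmpl-1","object":"chat.completion.chunk",'
    b'"choices":[{"index":0,"delta":{"content":"lo"}}]}\n\n'
    b'data: {"id":"chatcmpl-1","object":"chat.completion.chunk","choices":[],'
    b'"usage":{"prompt_tokens":12,"completion_tokens":2,"total_tokens":14}}\n\n'
    b'data: [DONE]\n\n'
)

# Constructed capture of the same kind of stream interrupted mid-chunk.
TRUNCATED_CAPTURE = (
    b'data: {"id":"chatcmpl-2","object":"chat.completion.chunk",'
    b'"choices":[{"index":0,"delta":{"content":"Hel"}}]}\n\n'
    b'data: {"id":"chatcmpl-2","object":"chat.completion.chunk","choices":[{"index":0,"de'
)


if __name__ == "__main__":
    for name, cap in (("complete", COMPLETE_CAPTURE), ("truncated", TRUNCATED_CAPTURE)):
        r = parse_stream_capture(cap)
        print(name, capture_status(r), r)
```

The point to take from the truncated case is that the text delivered before the interruption is still recoverable, but the provider's own token counts are not, since they ride on the final chunk; a pipeline that bills or enforces quotas from provider usage has to treat such captures as partial rather than as zero-cost.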

Do clients need API keys to use Aperture?

No. Aperture identifies users through Tailscale and injects provider API keys automatically. Clients connect without credentials.

Can I use my Claude Max, ChatGPT Plus, or other subscription plan with Aperture?

No. Aperture requires API keys from provider developer platforms. Consumer and business subscription plans (such as Claude Pro or Claude Max, ChatGPT Plus, Pro, or Team, or Gemini Advanced) are separate from provider API access and do not provide API keys compatible with Aperture. Obtain API keys from the provider's developer platform (for example, the Anthropic Console, OpenAI Platform, or Google AI Studio).

Can I use Aperture with providers not listed in the documentation?

Yes, if the provider uses an OpenAI-compatible API format. Configure it as a provider with openai_chat: true compatibility and the appropriate authorization type.

Can I use Aperture with self-hosted LLMs?

Yes, you can proxy self-hosted LLMs with Aperture without exposing the endpoints to the public internet.

Can I use Aperture in CI/CD environments, such as GitHub Actions?

Yes, as long as you can run Tailscale. Aperture works in common containerized environments such as GitHub Actions without needing to expose either the agent or the gateway to the public internet.

Can I use Aperture with several tailnets?

Yes, you can connect to Aperture from another tailnet using ts-unplug. You can also use ts-unplug to connect from environments that aren't in a tailnet at all.