What's up friends, I'm off the grid this week on vacation with my family spring break is here I'm enjoying my life And this week I have a show for you with the chief strategy officer from tail skill His name is David Carney. We're talking about where tail skill is heading TS IDP TS net acronyms all over the place multiple tail nets aperture They're AI gateway clickless off and so much more big Thank you our friends and partners over at fly for getting our back. They support the show. They make it happen I'm so thankful for that check them out fly.io.
That is the home of change log.com if you didn't know learn more at fly.io Okay, let's do this friends. I'm here with my good friend Chris Kelly over at ogman code Chris I'm a fan I use Augie on the daily. It's one of my daily drivers I use clock code I use augment Augie and I also use and code and others, but Augie I keep going back to it and here's where I'm at I feel like not enough of our audience knows about augment code not enough about Augie the CLI It's amazing. I love it.
What can you share? Yeah, we often say augment is the best coding assistant You've never heard of and that's both frustrating as some that works there And it's like very proud of the work we've done But also like inspiring like we want to go and sort of punch above our weight We just like we aren't anthropic and we aren't open AI and so the quality of the product itself You know with our context engine once you do cush it people are like just blown away by that And so like that keeps me going every day So not the best elite here, but this is a paid spot. You are sponsoring the show to get this awareness now at the same time We're selective and I love to use as your tool But there is in the world so a lot of developers look at the space and they say okay Well, how long can this work? How long is this sustainable in the case of cursor or windsurf or you pick the name and you think this kind of tokens Help me shape a lens for audience.
I think it's a lot of awareness right like cursor got a lot of publicity early on for like fast revenue growth, which well deserved I think you know frankly some of the media got that gets the story wrong and that like if I gave you a dollar 50 for every dollar You sent me I'd be the fastest growing startup in the in the valley and so when you're selling discounted tokens Yes, of course, you're gonna go very fast But all that money plus more goes to the model providers So I think the real story is the story of anthropic and you know being an API provider I think the market just moves so fast and there's so many pieces of competition out there that it's just hard to get noticed So friends, I love omic code and I love using Augie and I highly recommend you use it. I love using Augie I can hand Augie a well-defined specification a well-defined PEP as I call them in my world an agent flow and Executes falsely so the cool thing about Augie that I love most really is that context engine and I can hand it a task And it is churn away on my well-defined plan and just never bother me and accomplish the mission It is so cool leveraging the latest models the context engine and all the fun things behind the scenes in that awesome CLI So yes, go try it out omicode.com right in the top. There is a CLI icon a terminal icon click that install it and change the world It's gonna be awesome omicode.com Well friends we're here with David Carney co-founder chief strategy officer of tail skill friends You know I'm a big fan of tail skill. So David welcome to the show.
Thank you. I'm glad to be here That's a big role I mean that would that would shake me in my boots if I was chief strategy officer of tail skill What a what a big platformer building and a lot of moving parts in a lot of direction you can go It is a big title and it's gonna be clear I'm not you I'm so they're not the only one thinking about strategy at tail skill There's a lot of moving parts but being the top of it all what does it take to what does it take to lead strategy and start an Organization like tail skill Well, I wouldn't even say I'm I'm leading like a holistic strategy the stuff I'm working on in close partnership with with my co-founder Avery And a new VP product and other parts of the team. I'm focusing largely on I guess the strategy at the edge of tail skill Which is something that's sort of come about in the past year or so so for the uninitiated then Describe tail scale from the non-edge and then take me to the edge and what that means the simplest way to think about tail scale And sometimes people ask me like well, what are you building? What do you do?
And so explaining it to like a layperson is very helpful And so first and foremost tail skill makes it possible to connect any two devices anywhere in the world with Strong guarantees of the identity of the user and the device at either end And if you can do that for any two devices, you can do it for an arbitrary number So you can start adding like one device one user one server whatever at a time until you have basically what looks like a mesh network and it's completely private Then you can layer on things like access controls So you can be like oh only these people should be able to access like these servers or devices for instance Like the engineers can only access production the accounts can only access the finance servers so on and so forth But fundamentally what you can do it tells great private networks and so when we launched the product Because we launched maybe six and a half years ago now It was pitched as a VPN alternative or zero trust kind of replacement. It does a lot more than what a VPN is But at the heart of it, it's a connectivity platform It's a real private network that are fully secured and sort of using a mesh overlay pattern So that's the core of what tail scale is and it has been for a very long time And we've been continuing to build and build and build on top of that There's this motion that's started in the past year or so where the I guess the use cases for tail scale have gone from just internal within a company So it's like I'm using it to replace my VPN or I'm using a taxist production or I'm using it to deploy infrastructure within my company So that people are starting to use scale to deploy infrastructure to their customers So for instance, there's a couple of cloud provider startups that are using us in a way that they bring up a tail net is what we call it per customer And so they connect a bunch of like say bare metal GPUs with customer infrastructure They send up one of these per customer and then they manage it There's this ability to create multiple tail nets inside of your organization now So people are starting to do that to build say like a staging tail net or a testing tail net or production tail net that kind of stuff What I've been working more on over the past I guess year now is building I guess applications and services on top of this platform All right So showing people like oh you can create a tail net it has these very interesting primitives where identity and connectivity security are baked in Well, look how easy it is to build like applications on top of these talents and deploy them within a bit of private infrastructure And that has gotten me I guess more involved in things like agent workloads and that kind of stuff where you want really tight boundaries on who can do What with identity associated with all those actions and some kind of compliance trail and all that kind of fun stuff this This fringe this edge you call it the edge of the fringe What are some of the things that you've thought of like how do you go without yourself or other folks on the team to sort of Go into a room and think okay. What is the true edge? What are the applications we can build on top of our own platform?
I'm assuming that's how you've you position this What are some of those things I know we mentioned you know Authentication one of them obviously so you have your app it's your project you recently launched But what are some of the edges of that we're actually thinking about? Well the thing we started with earlier last year is that we revived a project an internal project called TS IDP Which like a lot of things that we built a tail scale? We don't do a great job of telling the world about The side of he was in a community projects repo We've done a bunch of work on it a year to prior and for those of you who don't know what it is And it's probably most of your listeners. That's me too.
Yeah. Yeah, so so so TS IDP you can think of it As a reflection of your identity provider inside of your tail net, right? So you can it's almost like a locally hosted version of your identity provider that's private to your network The way it works is that it leverages the fact that every connection and tail scale has your identity baked into it already When you provision a tail net you basically have to say like oh, I'm gonna authenticate with a zero or g-suite or octa or whatever We don't have our own IDP. We just hook into all the ones that are commonly used out there Well, once we can start generating keys based on like a handshake or an interaction with your external IDP Every connection has got your identity baked into it And so if you're sitting inside of a tail net, you know everything that is connecting to you And so you can actually build a small little application that says that just knows everything Or knows the identity of everybody.
And so with that you can actually create effectively an OIDC provider So that's what TS IDP is. You can think of it as like a locally hosted private OIDC or OAuth endpoint And that allows you to do all sorts of neat little things like you can start plugging MCP clients and servers into it You can build all the gateway patterns where if you need to do like token Like token exchange or if you need to do dynamic host like dynamic client registration You can basically do it with TS IDP so you can keep all this interesting identity management stuff private to your tail net Not expose it to an external IDP. That's interesting I mean, we've talked about OIDC recently With Nicholas Zacos around NPM security and that's one of the things that NPM required You know modern maintainers of this age to essentially have one blessed way to publish to NPM And they had this issue with like rotating keys and that secure layer was largely brought on by OIDC That was the first time I started to dip my toe into I'm not authentication Nerd too deeply besides I like to you know authenticate with things I like to have an identity when I go around I like my SSH keys like to be me where I need to be my me But I think I've been like hitting rocks together compared to maybe what even though I've been a scale user for so long I feel like every day I learned something new about TLCL So what does this help me understand what that enables them what kind of applications doesn't mean? So if if when I authenticate and I have a tail net that gives me a mention network across whatever device I want to connect to whether it's a home lab or enterprise or a prod or stage like you mentioned What are some ways that enables a developer to not have to like shell out to somebody else's OIDC But to be their own within their own tail net.
What does that do? Yeah, so also for instance, I have a home lab I have a prox box server on it fantastic And so when I when I first started using proximox like yeah, you know I set it up on tail skill I hit the internal IP on it So I could access it over my tail net wherever I was in the world But I still have to log in with my credentials There's a way to set up authentication with rocksmox that uses dsidp so that It basically just automatically authenticates you just by virtue of the fact that you're on the tail net It knows who you are, right? So I don't have to type my username and password into a modal and hit submit I basically just visit like my prox mox instance locally and I'm in it. I'm listening very closely now Yeah, so Alex Yeah, I published a lot of videos on all the tail skill tech He actually has a video on this and I think an update for it too After we brought tsidp up to the mcp spec last year He refreshed his video on how to set up tsidp to work with prox mox But yeah, it's super convenient like that at tail scale We use it internally for instance We have it set up so that our revenue team if they need to access salesforce They don't have to type a username and password They just they can visit they can just visit tails like salesforce salesforce is configured basically to jump through our local tsidp instance Instead of having to do an all-flow So this is like clickless log in essentially like this is just I'm me And I can just go around my do my business inside my business or in my home lab Which is kind of like a mini playground for most people and not have to even rely upon something like one password to Put a password in you just you and you just go there and you just logged in.
How does that work? Yeah, I mean you're already logged in like I guess that's the thing with tail scale like when you're on the tail That you've already done on a lot of flow. Right. And so why do it again is basically like the question we asked So every connection can assert your identity So we just leverage that so obviously there's a bit of work you have to do safe with prox mox or whatever to set it up and point it at tsidp You've got to set up to set your network Or it's pretty straightforward.
We're working on making that easier too But once it's set up, it's just like this magical experience where people just forget about the fact that they need to log in anymore Uh, but under the covers or under the hood. It's all you know, it's all safe and secure It's just like you're doing it all slow. It's just silent So if I had a prox mox server or maybe a database server or um, you know An ink is uh on top of like a prox mox beat just anything like that where I have a network of other machines What is the process to support tsidp like is that well published is that burgeoning? How mature is that for a developer to beat that up today and just start implementing that in their in their infrastructure?
Yeah, well it is uh, the code is open source. It's on our community projects page. Um, I think it's github.com slash tsidp now Uh, if uh, it does support I believe a lot of 2.1 nowadays We brought it up to speed uh basically to keep pace with evolving mcp spec last year So we added a bunch of other stuff to it, but people are using it You know a lot of homemappers are already using it We've got a bunch of what we call tail scale insiders that are that are using it too. Um, yeah, you know Again, we just haven't talked about it enough so I don't think enough people are using it or even aware of it But it's it's there and it's open for contributions to if people want to add or extend or make more requests Is it something that uh, is it just inherent of you using tail scale that just comes along with using tail scale and authenticate into it?
Or is this you know the oidc part of it doesn't have to be like a hosted server locally and run that you're authentic against? Yeah, you need to run it as an instance I have I have it running in lc on my proximox server for instance. It just like starts on boot What's involved in that like is that running on a boom two pretty pretty common pretty easy via system d can you want me to? Some details potentially there.
I think uh, I think I'm using alpine for it. It has to double check Um, but it's it's a very it's just a go binary So yeah, what uh, t's idp is built on top of this other little piece of tech we have called tsnet Um, you could think of tsnet as a complete user space stack like tail scale stack. It's like a user space networking stack It's again. It's a go library so you can compile tsnet into existing go applications for instance And we've done a bit of work on bindings for the languages, but the go chain is the most mature By far for this.
Yeah, but what what using tsnet lets you do is any go application We've compiled it in you can have it show up so it looks like just like a node on your network Just like any laptop or iPhone or whatever And so it just doesn't know it gets its own IP address in the cgnet range Which we use internally you can apply ACLs to it, you know policies all that kind of stuff You can build applications with that. That's what aperture is as well. It's fundamentally a tsnet application, right? So it shows up as a service, right?
So the nice thing about tsnet is that you can turn any kind of service Into effectively what appears to be a device and then you can like you can apply rules in terms of who can access that It's what level of permissions and all that kind of stuff. I feel like you're the most Coolest, under known crazy tech like every time I peek behind the scenes even further You know, talk to Alex many times, you and our friends, Alex Kreschmore, our audience knows Alex and obviously you do too But every time I go a little further and a little deeper into my networking nerd world I just learn more about what I can do with tail scale And it's so wild how like I'm really like when we're done with this the first thing I'm gonna do It's uh, it's a Wednesday. I'm hoping maybe by next week I will get this spun up and I will not have to authenticate to my prox mocks What does a what is a tool like prox mocks or other services that one might run either in their enterprise infrastructure Or in their home lab, which is kind of a snapshot version or a playground for most folks that might be That's much enterprise but team based or just running offs and infrastructure like who isn't doing that these days A lot of people are what does it take for a prox mocks to support that is something that prox mocks has to do And you know, what are some of the protocols required to uh to support this in terms of just running Like like ts but idp as a service inside of your network. Well, like how does how does prox mocks be be able to support ts idp?
Oh, it's just it's just another oid standpoint. All right, so there it's there's a lot of support oidc Then they're good. That's the that's the ticket in yeah, or yeah, and we've added I mean there's a lot of 2.1 support or 2.0. I mean we brought it up to the almost a lot of 2.1 As the mcp spec was evolving last year and then we paused it a little bit, but yeah oidc pull off to it should just work That's it.
Huh, that seems pretty simple then. I've uh, I've never met with this at all. I'm gonna miss this It's a new world for me on that front there. Yeah, so this is the Yeah, I'll give you feedback.
Um, good. So this is an example of the edge. So you got ts idp Uh, as long as you support oidc or oath 2 or 2.1 Then you can use this as an oidc provider, which essentially is the effectiveness of signing with google or signing with github Is that right? Is that what i'm is what you're putting down?
Yeah, yeah, it's like one of the reasons we We spent some time working on ts idp last year is because a lot of the existing idps like the big ones are there Didn't support some of the things that mcp was calling for like dynamic client registration for instance Um, so what so we built that into ts idp so effectively let us bolt on these missing capabilities So you can you can not only continue to use your existing external identity provider But you can augment its capabilities with ts idp inside of your private network take me to that work There's a lot of folks who are down with mcp and uh, not down with mcp They say it's a fad they say it's here to stay I think it's all about how the context when it gets impacted to the user I think everything in this world is burgeoning and like what was the yesterday is not tomorrow What is i mean you've been steeping this for probably 12 months or more voting aperture and this edge you're talking about Uh, what's your stance on mcp from a from a implementation standpoint and leveraging it? I was getting deeper and deeper into mcp Last summer and definitely into the fall going to a lot more conferences talking with many more people And it seemed like things were just getting bigger and bigger and crazier and crazier all the time Uh, it seemed like iterations of the spec were coming out people reinventing things or it got to the point where I think a lot of companies Or organizations were like, you know, we're just not going to implement this right now because we're ready to spec is going to change again It's too fraught. Yeah, and it got yeah, I got very fraught Uh, and we actually pulled back a little bit from it because I think in september I could definitely feel this fatigue just creeping in Um, I was talking with more people and they started pulling back from going to conferences related to it I think everybody was just getting tired of trying to keep up with the spec and the evolving landscape Um, I think uh simulosin had this great quote Uh, which is a lot of people were just adopting mcp for lack of their own ai roadmap And so I think we're standing along those lines I forget the exact word by paraphrasing it But I got that sense to a lot of people were sort of chasing this thing because I think they thought it was the right thing to chase for them to actually Come up with an ai strategy And it just got more and more complex for them I think a lot of people started pulling like pulling the shoots pulling the cords and slowing down to regroup a little bit into the fall And that's sort of how we thought too is just like the more we sort of dug into it the crazier things seem to get So we're like, you know what? We just need to take a step back and simplify our own thinking and focus on like a couple of problems That we want to solve as opposed to trying to chase all of them Which is what mcp you felt like it was doing now in my experience with these kinds of standards There's usually like this explosion and then things coalesce something a lot more sane I think that is going to happen with mcp Um, it's just going to take us more time than we thought Dig me further into the the dynamic term that you mentioned I get to write down with mcp So it was calling for this this feature set that wasn't there and that's why I had to go that route I mean oh dynamic client registration dcr Yeah, and I will admit I don't know all the technical yeah, I don't know all the technical details of this Um, so you'll have to forgive me on it.
We'll talk about the details and something about that But like what does it do what does it enable for the mcp? So like why is it in the protocol it basically lets things like mcp clients and servers Wake up and register themselves against like an end point without requiring a lot of manual steps or human interaction Okay, so it removes a lot of friction in terms of getting things like mcp deployed across an organization And you need to support that and that's why you went that route Yeah, well mcp was calling for it, right and so it was like well This is this is where the spec is going and there's other important There's other parts of like a lot of 2.1 Uh, and even some experimental stuff and a few RFCs that people were referring to Dynamic client registration was definitely one that a lot of people were talking about And we're like look we can build this like it's not exactly rocket science Um, it would be hard for an existing item to provide or retrofit this in because being an identity provider is a horrendous amount of work We don't we tell scale doesn't want to be an IDP Uh, we've known that from the from day one, but we can extend the functionality of existing ones And dcr was pretty straightforward for us largely because Uh, but sales go like you know the identity of things on the right so you know If you have this if you have this trust and these assertions you can make in terms of like who's connecting to what then rich Like client registration becomes a lot more straightforward that way is at the point of um dynamic client registration to enable the mcp server to spin up whenever you launch it or Initiate or instantiate it to attach itself to the tailnut Is that the point of this dynamic client registration or is it the individuals coming into the mcp? Maybe through cli or other agentic, uh, workflows I mean in my limited experience with this again, it's been more about us just allowing You know what? I don't have a great answer for you on that one.
That's okay I'm trying to pick it up with you because this is you know when you're in the land of burgeoning, right? You kind of have to navigate some seaweed and some tall grass and you gotta get your hatchet And you're like, you know what? I don't really know where I'm at right now This is moving so fast. What is the point of this?
Uh, this thing that's what I'm curious about because it seems like that might be the case like I see a lot of folks delivering a cli And a mcp in one, you know a lot of go applications are doing this or go see allows are doing this where there's still deliver a cli In mcp server in one single thing and you can launch it via the cli which is pretty easy And I'd imagine you want that thing to authenticate With a tailnut like if i wanted to i wanted to have an identity be the mcp server for xyz server or service And that's who you are and you've got acls and I didn't attach to you Yeah, and I mean that's that's how we've been showing it off to people It's like oh, I'm gonna I'm gonna create a server. I'm gonna create a client I'm just gonna have it automatically join the network I'm gonna you know a big part of I gotta tell scales like you want to give these things identity You want to pass them around you don't want to have people to have to say Make a manual or static configuration with this kind of thing I should be able to spin up You know if I'm on a tailnet for instance, I should be able to set up an mcp server I should be able to launch it I should be able to grant access to that to certain people I should be able to tell like my colleagues and maybe some agents that are in like I tell them it somewhere like hey, you've got this new resource available Super important for for us in general, and I think it's why it's so important just to the mcp spec as well Take me back into ts idp. You mentioned not wanting to be an idp. These are acronyms everybody Okay, I think it's what does idp stand for identity provider something.
What does that mean? Oh identity provider It's I mean I mean a provider. Yeah, like g-suite as your octa There's a lot of them. I keep hook.
Okay, you know a thing that that you know A third party service that you trust to assert the identity of other things, right or yourself to other services broadly speaking So, you know, everybody logs into everybody well not everybody has a gmail account But everybody logs into services like they introduce name and password or you know configure like logging with SSO or you know Lock it with Facebook or whatever. That's these are all authentication flows Something has to know Who you are and be able to assert that to other things that people trust that's basically the job of an idp Here's where I'm going with this and maybe this is just hypothesizing this edge that you're maybe navigating with you and your team that are Thinking through these things I'm thinking like if you don't want to be an idp that makes sense But you want to enable folks to create their own idp, which is ts idp It's the thing I can use to build my own essentially and I can sort of carry my own Identity around with me that it seems like I can run my own instance in my home lab on my proc server But it could be me everywhere if I wanted to be that's what it seems I could be or I can build my own thing on top of that I feel we're going into this world where maybe the next layer of a lot of folks stacks whether it's internally in a home lab Whether it's a small team But in the next big thing to maybe a medium sized team that's already got motion in place And now agentic is thrown into this world and they're bolting on and kind of rebuilding their platforms on top of essentially AI I feel like this world is moving towards self-hosted And the reason why I mentioned this question is like is the idea for t s idp to enable me to self-host my own identity provider So I don't have to log in with google or log in with github or log in with whomever because the thing I forget most is like Which one did I log in with and now I've given you my stuff and I got a trusty with my sso my single song on provider All these acronyms in this world is just ludicrous basically But is that is that it might pick up your putting on that direction? I think things kind of so just to be clear Like we're like you still need an external identity provider when you're using tail scale and specifically if you use ds idp Like it it leverages the fact that you've got an external thing that you trust Because that's that's what generates the identity and that's what we use with the encryption key So you can figure out like oh this thing is connecting to me. I know who it is Um, and so we're however you're using tail scale right now You've got a you know when you create a tail whenever you're when you create that tail and that you're plugging it into whatever identity provider Is out there that you currently use What I think is really magic about t s idp is that it lets you not only manage identity sort of privately and internally So you can bring all right to see to all of your internal apps You don't need to configure them to go external It lets you start thinking about your network Um is more of an extension of your identity not just individual devices Like and so you can actually start treating like this like a tail net as a you know a collection of identities or perhaps just one identity And so it lets you yeah, I guess have a pocket of identity That's probably your own that you can start to do and manipulate and share things in the world with now There's a lot of I think there's a lot of interesting ideas and maybe velocity we can get into on this kind of stuff I thought to explore it.
I know my co-founder Avery's thought a lot about this kind of stuff too It's very yeah for us, right? It's a very interesting and academic piece of tech like and this is I guess I can talk more about some of the journey last year if you want but We started going to conferences and talking about t s idp to people Especially in the iSpace because we're like oh, this is very fascinating from an mcp point of view That's you'd like facilitates these views with them inside of a tail net It helps you keep things private Again, it is the first class thing t s id views away showing that off and people were very interested in it But then they kept on coming back to just more concrete problems Like oh, I need to get access to a customer or I'm dealing with API keys or like much more tangible like, you know, first order problems Where's ds idp is like three or four steps down the line for them Which is why we pivoted last year sort of a little bit away from it But uh, I guess in terms of projects it's still very actively there's a lot of active interest in using it internally But it's not like I'm not shipping it Thanks for friends at norlayer for sponsoring this episode So you to a fe your github org you rotate your API keys Maybe you run dependable on every repo or something like it And then you onboard a contractor by sharing a vpn config over slack and forget to revoke it for months after the contract ends And that person still has a tunnel into your internal systems Maybe even right now go check it all this from a laptop You don't control on a network you can't see well Norlayer is a network security platform built for businesses that actually operate the way modern teams do distributed remote first and moving fast It combines vpn access control and free protection into a single platform based on zero trust All the right people get access to the right resources under the right conditions No implicit trust no access lists first it deploys in minutes not months norlayer runs on norlinks their vpn protocol is built on top of vire Guard and works across every platform macOS windows linux ios android no hardware to rack no complex configs You get granular control over who access is what from where on which device and when that contractor's engagement ends We you know what revoke access from day one on one dashboard and it's done right then in air So plans are eight bucks a month gets 22 percent off norlayer right now yearly plans plus an extra 10 percent off with coupon code changelog-10-nord layer try at risk free with a 14 day money back guarantee check it out at norlayer.com slash the changelog again norlayer.com slash the changelog One of the things that are most active for you now then like I think this might be one of them given aperture's announcement And that's this is sort of the underpinnings of all that but like what are some of the other things that are more active like Even with api ikis and those are being thrown around everywhere and To some degree solved most of that and like it mentioned It's hard to tell everyone about the cool stuff you have and now you have a chance. Yeah, and thank you for that Yeah, so aperture is Definitely the evolution of a lot of that exploration last year and so for those of you who aren't aware aperture is basically an AI gateway Built on top of tsnet which I mentioned earlier that works inside of your tail net and you can expose it With our ways to expose it externally, but essentially it's a private AI gateway that lets you consolidate all of your API keys inside of it And it just looks like a node on your tail net like any other wood After spending months and months going to various AI conferences and showing off dsidp and just talking with all sorts of people like engineers Seesos people in it what have you time and time again? People were saying things like oh tsidp super fascinating interesting that you guys are working on all this kind of stuff Like I see the merits of tail scale multi-tail net Which is the other thing we've been working on internally is like super neat But what I'm really struggling with is just trying to figure out how to manage API keys because they're all over the place I can't claw them back because it'll potentially like disrupt production or some engineering workflow, you know we're trying to go really fast as a business And you know it's just the interest got API keys a lot of the place people trade them to get exfiltrated to get checked in And they have very large I guess well accounts or credit cards associated with them And so it's very hard in some cases to track usage because a lot of API calls are inherently anonymous We were sitting around at a company offsite back in November Just talking about all the things we've been learning and over the past few months and we're like well Wait a minute if if we have if we built a gateway and we used tsnet for that The gateway already knows exactly who you are because everything that connects to it over tail scale has identity baked in So if we put the API keys on side of the gateway Then you wouldn't need to share an API key with anybody inside of your company You could just say oh if you have a coding agent just point the coding agent to use the gateway instead gateway knows who you are Right, so then all the API accesses have identity associated with them All the API keys can be withdrawn And so that you end up with a single point of I guess observability control and access for your entire team So let's engineers get on board with faster because they can just tell their peers like oh just point your coding agent at the proxy Everything just works if you're on tail scale that's a security team say like great We can get rid of all the security like all the API keys that are all over the place We can just tell people Just go to HTTP for us HTTP colon slash AI And then every API call has your identity associated with it So you can just log everything and so we use aperture internally right now I think we've got I don't know how many tens of thousands of API calls across like a big part of the company at this point We've just got every every interaction with all the coding agents like going through aperture right now internally So we have full visibility into how people are using AI like all the requests all the responses like the full logs We're mining it for tool calls You know and our security team doesn't like get a review it if they need to and we're working with third party providers To like start doing analysis of logs like in real time and sort of after the fact Like there's like all this like stuff that is unlocked for us But initially it's just sort of like the simple idea like we just want to sell the API key problem And it's if I'm sort of me entering a little bit But one of the reasons I love it so much is it builds so much on top of the fact that tail sale makes things so much easier Because it takes identity and encryption that brings them way down into the stack like right at layer three Uh, and if you do that It simplifies it simplifies so much stuff on top of it and aperture is just an example of that Anybody can take TS net and build an application that looks like a node in a network and you get identity and connectivity and security baked in for free And that's it's just like it's such a joy to work with it because as a developer for years I spent so much time and heart like just as so many headaches about building authentication systems in managing you know managing infrastructure Open up firewall ports and dealing with like like whitelisting IPs and now with tail scale You just don't need to do that and then not at all.
Yeah, and with applications you build with TS net You don't need to do that. Right. So it's um, yeah, it's just been a joy to work on this project over the past while as a home lab I'm thinking about Having is aperture available to anyone is it a product? Do you have to pay for it?
How do you deliver to someone? It's I mean, it's an early alpha. Okay, right now. Uh, there is there's a self-serve flow We launched it just well, we quietly launched it a couple of weeks ago.
Oh, it's not quite now Yeah, yeah, yeah, we did a little we did more of a push just the other day on it, right, you know But if you go to aperture.talescale.com You can sign up. There's a bit of like we managed it as a wait list Just because we don't want the service to get overloaded But the idea is that we're gonna like open it up like very quickly for everybody as soon as well Yeah, we're sure that things are just gonna scale just fine But basically, you know, we will provision an instance, you know, you authenticated as a node into your network It just shows up. You can start using it right away It's you know in line with what we already do for tail scale like it's you know free for home lab use Like it's bundled it's we're gonna be announcing how we're bundling it and as part of the free plan Just you know free for home use that kind of thing just like we do Obviously, you know we're planning on it being a paid product for enterprise But we're still exploring pricing and all that there But yeah, but I want you know, I want every home lab You know anybody who's playing with LMs and API keys and stuff at home They should just be using it. It just makes things easier So like the the tail scale away Is this self-hosted then or is it not supposed to because you said provision instance?
Yeah, so we are we are hosting these instances for customers right now There is there is plans and talk about self-hosted versions and certainly enterprises like some of them would insist on that There's varying degrees of what that might mean if terms like customers might be like Oh, I want to bring my own cloud You just write the logs there But you can host the actual you know the stuff that's sticking up the CPU or so customers might want just like no We have to have everything on prem. Yeah, but but right now we wanted to get opportunity as many hands as possible as quickly as possible And the easiest way to do that and I think one of the safest ways frankly is just to let us host the instances at this point the reason I asked that question is one I said earlier that uh, I feel like the world was moving to self-hosted as a home labber I already felt that way years and years ago, but I feel that way more and more now because When the cost to produce an application that's bespoke to me goes to near zero except for my Ability to specify it and my ability to describe intent Then everyone theoretically can be a builder in this new future we're going towards And why not self-host a lot of things that I'm going to do because I'm already a homelabber That makes a lot of sense, but I imagine a lot a lot of teams a lot of tech companies a lot of non-tech companies Just like they're now tech companies. They think the same thing They want sovereignty over their things. They want to control their CPU costs They want to trust the cloud less and you know still leverage cloud native type things But in their own controlled way Especially when it comes to identity and especially when it comes to all tool calls and all responses etc I mean because as an individual AI user a team of one basically when it comes to like the things I'm building One of the things that I have anxiety about is or just I suppose not anxiety But like I just wasted was a record It sounds like with aperture I can gateway my way into all my AI and have My prompts and the responses stored there versus the compacting that happens and goes away and you even have you know In cloud code for example, you have an export we can export the the conversation basically It's like let me snapshot what we've talked about so worst case I can walk with context of the conversation Maybe not context of what we actually the underneath we described and and you know somewhere we explored I feel like that to me like I would want personally maybe this is direct feedback But like as a homelabber, I would want to self-host that especially because of how secure or Exposed I might be you know with with those it's like not self-hosting your email I think today you definitely don't do that But I think in this case it's such sensitive or could be such sensitive information I personally would prefer to self-host it and I'm curious why given that you largely haven't done a lot of infrastructure in the history of Tail scale like you've pretty much been a pointer in a lot of cases and not a lot of infrastructure required to build what you've built Why now why build out instances and hosting and I guess responsibility.
Yeah or liability is liability to all the all the abilities Yeah, no, it's a very good responsibility liability all those things. Yeah, no, no, it's a very very good question And I agree with you. I think a lot of people will want and will expect to self-host it and we do want to provide a path for that It's just yeah, sort of purpose. I get that yeah, it's early It's early and it's you know this little team of mine right now that build aperture over the past few months We're off It's cliche, but we're operating very much like a startup and it's like and it's like well We just need to choose one path and go really fast on that.
Yeah, it's like what's the quickest way we can get feedback from customers Get people you know get people experimenting with it getting to the point where we actually have like traction Like you know, it's it's do we have product market fit is the fundamental question once you have more product market fit Then we can sort of start branching out and figuring out where that takes us But this this frankly internally I also wanted to experiment like well, you know I think there is a world to your point. I think data sovereignty data governance is extremely important to people Yeah, but so is speed I think there is a lot to be said for motions where it's like, oh, no We can like tells go can help you provision instances like maybe we hook into other cloud providers or maybe we get to the point where I don't know like people could start sharing their infrastructure and compete with other people we can make it possible for people to like I don't know create their own cloud providers or some kind of like democratic cloud system using tail flip tail skill infrastructure But I wanted to experiment with the idea of like well, how what would it take or How much would customers resist a like I just want to launch an instance of my network Like just make it easy for me like just give me a one click drop a note in right because there are still the Like we can't just simply start injecting those into customers networks like people have to authenticate them in so There's a lot of guarantees that we already have in terms of our ability to just or the lack thereof to let me take over customers networks And I think a lot of customers just want the speed and convenience just to try something out So we made a decision it's working out really well so far I've been actually surprised with how many people have just been willing to say like yes spin it up add it to my network You know At some point we might want to have a conversation about self-hosting but for the purposes of experimenting with it now Like this is totally fine because we trust you guys but yeah, it's really days for us too You know, there's something else I'm this thread I'm pulling on to with this self-hosted world is like, you know, especially in your history and just just go with me here And think I think a lot of you don't mind put all your cars on the table David I've been thinking about this world of self-hosted like we just had a really good conversation with the founder of teal draw And one of the things that teal draw basically does is sell an SDK So it's not even you know fully big software. It's it's the SDK to build on top of you know It's the concentrate you just add water essentially, which is one kind of fasting idea great business a lot of upside No infrastructure, you know high margins because the there's there's no service to spin up There's no attached to AWS or DCP or you pick your cloud and you're you're now competing with them at some point because you got software that you're Putting up in the world as licensed software whether it's truly, you know MIT license open source or it's source available open source code not to blend the terms there just to be clear about that But you got this world where you have I think we'll have a lot more people wanting to self-host and those people can still be customers You know, have you all explored or have you even thought about yet? If you went that route how you can license it and still sell licenses of it where you can provide essentially a source available version to the open source world It hey, if you're in a home app environment like you do now totally free this license applies to you But if you're in production or you're in an enterprise or you're in this kind of business class the sources available Contributions are not necessarily what you're trying to achieve But you don't have your code out there so you can see it But then you're also saying here's a license to you or here's a license per node You want to have you want to have an aperture instance in your stack You would have multiple you don't see what you need multiple Maybe just one is fine, but you got maybe a per user license or a per node license You tell me I don't know how it actually permeates went into the network But have you explored that world yet?
Are you planning? Yeah, we're planning to we've definitely started talking about it even some of these bigger We've had a lot of enterprises show up that are very interested in aperture and they've been bringing these things up with us as well I think I think there's a world of possibilities for us there I'm like I'm a big fan of open source in general And I'm a big fan of like self-hosting things. I like to play around with it like think I like I'm in control I like to be able to just turn them off what I want to get a home lab David, of course I mean, that's where we bake all our ideas first. We take them.
We do them in the home lab We figured out how it works. We nerd out we learn we explore and then we take it to where we're going That's kind of cool stuff. Yeah, exactly and Yeah, I think with me is like the bigger thing that just keeps me going as a founder It's like I want everybody in the world to be using tail scale because it's just a better way to do networking Right and so anything that's going to encourage that I want to pursue it And I think obviously you know having a self-hosted version of aperture is one way that that will it'll enable that getting more people just to build TSN applications It's another way to do it. So everything's on the table right now for the purposes of I guess just speed and getting feedback and figuring out where we need to go next.
Yeah. Yeah This model that we have right now I think is the best one because frankly we're making updates and rolling it features so quickly that trying to manage those with self-hosted installations and like Working with database upgrades and also security and everything behind them. They just We sort of did a bit of the math or like we need to choose one path and keep it super simple and just manage things like aggressively So it makes sense in this case then to cloud first not because you're not for self-hosting because you need to maintain velocity Yeah, and the only way you can really maintain reliable velocity in this case is to have your own instances But in the future if someone says hey, you know what I love this I'm down for it except I want to self-host then when the product has proven itself that makes more sense later on that makes a lot of sense Yeah, that's where that's where I'd like to go with it for sure It's easy to say that it's easy for me to say hey just hey David just you know make this a self-hosted instance, right? I mean it's easy to say those words but then to actually support it Is the challenge because then you have versions out there and I suppose you do have database migrations But I mean if you know which version you're on you can pin to a version and you do a good job with engineering and database migrations Then that can largely be collapsed to almost no pain.
I get that it can be painful Then you also have containers Docker is certainly one of the things you can do that with they've rolled out harden images I'm sure they would easily roll you into you know an aperture harden image that you just go home It's there you're using the latest version of the kind of thing There's a lot of things you can do to simplify it from a hostest standpoint or self-hostest standpoint That doesn't have to be here's my code. It is a binary to write you say get to go binary You're largely a go shop. So I mean go binary is plus than D or go binary plus Container is pretty easy worlds to navigate for the most part. So yeah, yeah, it is designed to be portable like that Yeah, I mean I'm excited about all the stuff you're mentioning It's definitely stuff we talked about internally as well the moment you offer I mean I'm gonna try to no matter what but I would the moment I mean I'm a self-hoster and in fact, uh, we'll side note here I want Alex to bring back self-host it so bad because I feel like Now is the time to bring back the podcast self-hosted.
I don't know he's thinking about it I know he's got a big job to do for you all there. Maybe he's just too busy. Can't think about it But I like the idea because there's just so much happening there. Yeah, um, yeah So aperture is built on TS net you mentioned TS net applications What are some other things like can I go build on TS net like if I'm a builder what ideas can you give this world to say?
You know what we can't do it all here's some ideas Do you want me to build do you want people like me to build on TS net or do you want the only application builder? Oh, no, no, no, no, like yeah, the bigger arc here is like I think tail scale Can and should become a platform. I think every platform needs a few killer apps Yeah, and it needs to sort of lead the way it needs to demonstrate to people like look This is viable Like this is why you should spend your time on this kind of thing because there's an ecosystem that you can plug into And aperture was definitely one of those it's definitely one of those projects for us Now if somebody else goes and takes an existing I get way and retrofits it on top of the tail scale That's a win-win as far as I'm concerned just more people are using tail scale customers are have a better security You know more people are just familiar with TS net, which is fantastic When you start thinking about tail scale in terms of like oh, I can create a private network And I can add things to it and then I can start controlling access to it and it's just like it's very abstract I guess model There's a lot of different kinds of opportunities and problems that can help to solve and I will say there is something that we've started talking About more in the past 12 months is some called multi-tail net We have a blog post or two about that Which is the ability for you to create multiple independent tail nets instead of your your order your team or your home Right and there's there's API only ones right now Which is basically for machine to machine use cases like there's not a strong notion of identity like a user identity and then there's There's ones that are more that more I guess they're more directly tied to the user identities So we've got some customers that have like a staging tail net and a testing tail net and then like user identities the first-class thing Those I believe those I guess those tracks of development will converge at some point But there's already some really incredible stuff you can do with multi-tail nets for instance And that's one of the reasons I think things like aperture and TS net are so fascinating and that I could create a separate tail net And I can make sure that we say nothing kind of skate from that and I can go off and do its thing and I can run coding agents in like yolo mode Right. I can have them connect to MCP servers And you know I have permissions that I can fly around and side of the network and it's all nice and contained And you can use tail scale for that kind of thing That's what I'm those are the kinds of areas where I'm really excited for people to start experimenting with and bring up ideas I'm just like oh like if tail scale did this for me or if it like let me export this kind of thing or if it could transport this kind of policy Or if I could connect to these different things that I could achieve x and I want to hear more of those ideas So that we can start building more stuff and more features at the edge so that people start using tail scale wars platform Yeah, I thought to explore the idea not so much in this podcast But something that's on my plate is network isolation like spinning up an instance.
Let's just say I like an ink as many chance Canonical used to have lxd This is what I'm exploring. I'm learning more about so I'm sure my audience will be like I have to get yourself up to speed here Okay, I'll attempt to follow this here ink is like system level containers So versus Docker where it's a protocol it runs on the system It spins up instances and it is a go binary. It's built on go the person who invented it for canonical Ubuntu's Parent company it was called lxd. I think they had a licensed snafu I don't know what happened there But something happened licensing wise that made canonical change the direction of it and remove it away from I believe it's Linux containers Dot org if I can recall let me just check my notes here So I don't check up that yeah Linux containers work, which if you go there, you will see Inca You'll see Inca's OS.
You'll see Alex C Which is something you use in Proxmox distro builder which can do some cool stuff with like better distributions But Inca's actually go their home page So I don't actually jack up what they say Inca's is a next-generation system container application container and virtual machine manager So much like you can do a VM and you want to actually have control of the kernel or the container itself can be you're borrowing the OS level the host level kernel where a VM you want to have your own kernel so can do both of those In easy exchange. So they're unlike Proxmox. They're very much differentiated and actually largely abandoned from a CLI standpoint They don't really have a good CLI in the Proxmox world So if you want to spin up a new VM or a new Alex C You got to do a bunch of clicking inside the web UI Painful whereas Inca's is got a really great CLI You can script a lot of this stuff and the difference between a container and a VM from a scripting API CLI world is the same Like the same kind of commands but arbitrarily different whenever you spin them up. Why am I telling you this?
Okay, the reason I'm telling you this is like is I want to I want to spin up different layers of Incas or a different container of VM And I want them to be in an isolated state. I want that particular Container to know nothing about anything else about it as far as it's concerned. It's in the black space Like it's literally there's no star around it. There's no asteroid.
There's no planet There's no moon like it's just in a sea of abyss and all I could do is do internet traffic out pull down updates send traffic back But to its peers there is no peer you could do that with typical networking But it sounds like with a multi net or some till net food that I just don't have yet That I'm still learning about I might be able to jail one of those containers or VMs in ways I just weren't wasn't able to before so that's why I'm camping out is like this world of like network isolation Put that new instance that new VM or new container into network jail essentially Basically, yeah I mean a lot of the stuff you can do with multi-tail nets You can you can do with I just modifying the policy file in a single-tail net. You know if your rules are aggressive enough for instance Yeah But there's definitely there's a lot of people that were like no I just want I don't want to mess around with a complex policy file It's too risky or I'm dealing with multiple customers and my customers demand, you know complete guarantees and isolation between them Like I don't want to be managing somewhere. I accidentally like add a star somewhere that all the customers can see each other for instance And so multi-tail net is definitely it's it's it's it facilitates that significantly a lot of it's just peace of mind Like oh no, I have this particular tail net is used exclusively for this. It can't like it's not like it can make a lateral It can't move laterally to a different tail net like they're completely isolated from each other Right, so it gives a lot of people just peace of mind and frankly it's just it's like a divide and conquer kind of problem It's like well why I have like one big complex helmet when I can have two simple ones Or I have my own that I've authenticated with because you said you have to have an OIDC provider I've got to authenticate with tail scale with one of those providers could be Google could be get help could be whomever I choose And so that establishes my tail net and then beneath me building on tail scale I want to be able to have a whole separate tail net that is not I guess even tied to mine, but something I can talk to but it's isolated That's where I think you provide some networking that is just like dark arts essentially Yeah, well, yeah with well with the API only tell this you basically when you create when you get I mean you get a wealth client back and then with that wealth client, you can do things like ad knows crad off keys provision stuff Like within that particular tail net.
So there is it is so tied with like as what you might call the primary tail net Like it is associated with that, but you know for all intents and purposes it's a separate network Right. Well for me to spin up another sub tail net. I have to have a tail net Which means I have to authenticate the tail scale, right? So I have to have the a tail net to begin with to spawn sub-tail nets that are Basically blue, you know, they're just balloons.
They're by themselves They don't have a clue whoever else is around them just but I have to have to have a tail scale and a tail net to create sub-tail nets Yes, exactly. Yeah, yeah Well friends this episode is brought to you by our friends at Squarespace the all-in website platform for building your online presence and running your business Here's what we have learned over the years The best developers out there know when to build and when to buy and you could hand roll a booking system Why up stripe build an invoicing workflow stitch together email marketing and honestly you'd probably do a great job doing that But that's weeks of your life spent on infrastructure that is interact with thing Sometimes it's most movies choosing the right tool so you can focus on what actually matters to you That's squarespace is the all-in platform that handles the business side of whatever you're building for yourself for someone for friend whomever and two things I think are worth noting first offering services if you're doing consulting workshops freelance dev mentoring content Squarespace brings scheduling invoicing online payments and emo marketing together in one single place one dashboard You list your offerings clients book and pay and you skip the part where you are playing accounts receivable in your dms And it's a real business. It's a business workflow Not a pile of sass subscriptions that are kind of duct tape together Second selling content if you've got your course ideas your video tutorial ideas or deep or deep technical content Even mean to package up squarespace let you gate it behind a paywall one-time fee or subscription It's your call recurring revenue from expertise. You've already built That's a good trade and the point isn't that you can't build this stuff is that should you maybe not?
Okay, head to squarespace.com slash changelow for a free trial And when you're ready to launch use our offer code changelog to save 10% off your first purchase of a website or a domain That's squarespace.com slash changelog and we use our link of course you're supporting the show and we love that once again squarespace.com We got there by talking about different applications you think can be built on top of tsnet And I think where we may have dropped off I'm not giving a good trail for and I know the listeners may be pinched upset if we didn't do this yet It's like can you give me a couple ideas? Like if you can go and if you were at a if you're in the hallway at a conference right now And you're just talking to some folks, you know what? Here's you can go and build on on your tsnet or tsnet application Here's a place you can go play if an enterprise can't even and they're like, you know We're just leveraging our tail scale our tail net in these ways How what are some problems they're coming to you with that you're like we're not gonna get that for a while These are things you should build what problems are some of your largest customers Just you know on your not that's what you're in a case about But what's the loudest cry in the woods of this is what I want to build on top of my tsnet One of the bigger issues that a lot of especially larger companies that I've seen coming up more recently is They have a traditional network traditional VPN. It's like one monolithic thing And they're trying to bring up MCP servers and trying to bring up MCP clients And they've got these notions of like they basically are thinking like oh I've got now agents that are trying to operate inside of the network the same way humans used to Except Well, I don't need to go on about the dangers of sort of letting a an agent run among an internal corporate network It's yeah, they're coming yeah Yeah, it's it's becoming obviously more and more an issue for like especially bigger organizations that are that have like traditionally dealt with security from like I'm sort of a very centralized monolithic Yes perspective So I think there's definitely been this push of just like okay How do we start like a segmenting or isolating or subdividing our network?
How do we start decentralizing it more so that we can enable these different teams and pockets of the company to work more independently with each other Or within the like within sorry to work independently to solve like particular domain problems while still I guess enabling the velocity and freedom of access to like required information Right, so I think I think tailscales actually a way that companies can do that I think there's a lot of different approaches, but that makes it easy It's just like okay, well said like one gigantic model is like network Like maybe you start building like one tail net per workload for instance And we've seen this kind of thing with people who are playing around with Kubernetes Right, and they have like custom internal tooling that they need to like some kind of internal monitoring system That's like oh no when we bring up a cluster We've got these applications that need to sit inside of it has to sort of moderate or govern certain kinds of networking access Like we do a bunch of like log analysis Maybe we do a bunch of real-time stuff like how do we how do we insert these applications that we've built into like these networks You know in an isolated way And so I think there's a lot of internal applications inside of companies that need to stay internal in private Tales good for that kind of thing you can retrofit them into inside of tsnet And then you can encapsulate sort of entire workloads inside of tail nets themselves And it keeps it helps people reason much more about like a safety and security that way Where does someone gets more details about multi-nets than because this is yeah, I mean I'm sorry multi-tail net. Yes, let me let me be on brand with that like that. Yeah Yeah, I just wrote a multi net because everything else is something that is like multi net I'm just trying to follow your lead there David. No, no, it's good And in fact, I'm sure a product team will watch this video maybe and maybe think more about the name We've been debating an internally of how to call these like what to call these things There have been a couple of blog posts even over the past year So even if you're to google for like tail scale multi-tail net you would find one It is I believe in beta right now.
I'd have to double check that But it is accessible. Yeah to home lab users. Yep. Sweet.
Okay. While you're doing that look up here I'll fill some air with this. I think for the branding team or marketing whoever's listening Our listeners is what I think the better name actually is multi-tail net because you already say tail net It would not make sense to like shorten that to multi net I messed up and so I put my like branding head on thinking about how I would actually frame it my own mind if we're my product And I would call it a multi-tail net because that's truly what it is. That's what makes the most sense to me as well So if that's what you're thinking good job.
Yeah, I just double check Yeah, so we our marketing team did a great job with this fall update We had back in October and there's a blog post called one organization multiple tail nets It talks about this over a page or two And then just how things are at least at the time of this blog post and in alpha program But we've been you know steadily working on these features related to multi-tail nets over that time I'm super interested in this. I love to see where this goes because I think there's a lot of a lot of opportunity with subnets multi tail nets You know this problem that your you know your customers are bringing to you I can care with that because there's things that I'm doing inside my network that essentially is on my flat vlan You know I got my traditional network that's across you know my 192 space And then I got my tail net of course And there's things I want to isolate that I'm just not you know And I guess I'm just crossing my fingers because I'm moving a velocity that doesn't let me slow down enough to be secure And that's the job of tail skill I feel like that's where you know That's why I use tails because why I keep you know investing more and more my knowledge into what you are doing because you guys are like Just networking wizards and you love go. I love go. Yeah, uh If you're not gonna be a gopher con this year david y'all should reconsider that Go for cons the best place to be Um Yeah, I just think this is super cool this idea of multi tail nets So I want to like dig into this between this and uh ts oi was it my gosh So many acronyms on my notes here Don't tell me their names.
We need their names for these things. It's okay though I mean it is a ts idp that doesn't make sense that they tail scale Identity provider that totally makes sense. It's just so many acronyms in this world It's hard to keep them all yeah on the tip of my tongues you got a lot to cover there So those are two things I'm taking away from this for me personally on homework Uh because I don't want to log into my proximal anymore I don't know log into certain things I'm self-hosting if everything I still post but has a login prompt even my true Nas box if I if my true Nas box can be oidc compliant and let me use Uh this ts idp gosh i'm on it Then that'd be great, you know because I don't have the login anymore That'd be awesome if I might then he could truly just follow me and I think the the challenge and I think for you all is it's a Constant I would say marketing battle, but I think it's like a You have so many homelabbers out there Uh so many people probably playing with their stuff you need more people just naturally sharing this stuff And I know Alice does a great job of your YouTube channel. I mean just tremendous job on that front there Yeah, I think you're gonna constantly have this problem Yeah, but I don't envy your position at all with constantly having to update people But there's just a sea of great stuff underneath tail scale from multi-tail net to the things we just talked about Those are the things I'm walking away with you know I do want to circle back to if you don't mind this idea of of aperture and really just this less about the product But more about this idea of having an AI gateway.
Yeah, help me understand Why you feel so strongly about it? I imagine you do because I kind of having this feeling too is that I'm not sure if I'd apply it my home. I think maybe I would but certainly in a burgeoning team a small team Definitely a smaller business or an enterprise where you're sort of like mid small to medium size But this idea of an AI gateway one for security two for API keys and just like the the concerns there But even just me have not having to have this anxiety of loss when it comes to transactions I'm doing with a generative AI where I'm knee deep in a world. We're exploring it You know, it's largely just pros.
It's largely defining specifications large to defining intent It's largely even learning about things building two applications just to learn not something so much to build them to ship it to the world But to learn about you know even authentication like when I go play with multi-tenants later on I'm gonna go build a toy application and I'm gonna work with me how to do that also But it sounds like the gateway can help me have a transactional case tree Help me understand that world of an AI gateway and what people can do with it. Yeah, so I mean We're definitely not the first person to build an AI gateway, you know It's a I mentioned this in the blog post just the other day But you know I was talking with another founder like months and months ago and they're just like we're just talking about the proliferation of gateways And we're like oh, it's the obvious idea is like and I agreed at the time, you know But then later on I realized oh no there's a tail scale spin that can make things much simpler and so we should just show the world that But aperture in particular I think maybe should talk about it But the reasons I love working with it sure because I think I'll resonate even like need even 12 months of issues or research You must have if you don't love it. We got problems. Yeah, I know I love it because it's it's it's kind of like tail scale the first time you use it It's just like oh my gosh everything just got easier and you know it entails like tail scale that seeing that wow Or that realization is just like wait, it's like here's like here's like here's all the work I didn't have to do kind of thing and after it's kind of the same thing It's like oh, I just you have a gateway if you were cutting it rather that you can point at a proxy you can use you can use aperture If using API keys and so I I mean I I run a aperture on my home lab and the reason being is just like oh no I've got a server I like to run everything through it.
I like to have all my logs You know like I just I just want one spot that you know if I'm working on my laptop or elsewhere And I need to connect to my tail net I just have a single path something where I just know I'm just gonna write everything You know so I can take my tail net anywhere like that's one of the nice benefits of it all from from a team perspective it lets us It doesn't have full visibility into the logs of other members of our team Right, so I can it's like oh how is like, you know my teammate Ben like how does he write props? Why like why are his why are things with like he does things much more efficiently than me, right? I'm curious like oh I want to learn from Ben like how is he constructing prompts? How is like how are he like how is he interacting with these lms?
Let's just have access to all sorts of I guess different back-end so you know We just called code extensively you can get to opus like through a variety means you can go directly to anthropic You can use bedrock, you know So we've got both of those configured inside of tail scale and so like you know There's been times where like anthropic or bedrock of head issues would be able to just quickly like switch over to the other one It gives us obviously like it's metrics and so I token usage across the team So like input output cache tokens reasoning tokens using white that kind of workload It gives a security team visibility because like most people don't realize this like every Every API call is stateless, right? Which basically means that entire context window is getting shipped back and forth across the wire every single time Like we log every single one of those and so and then we've got we've got some tech in there So they can consolidate those in the sessions, right? So that you can actually like you can go through all the API calls and I've given code in session So to get context and understand what's going on with that Which is really helpful for visibility It's like oh like what was currently working on at 2 a.m for instance And then from I guess maybe more of a like a legal and a compliance standpoint You could actually start you know You could start pointing your get histories back to individual coding sessions You're like oh like this code was developed in conjunction with this developer Like and here's the proof of why and who contributed to it and how because I know that's an issue That's a legal team's about our security team, you know, we can export the logs There's a lot of like post-doc analysis You can do and those kinds of things we're working with integration partners to do like sort of real-time investigations of like tool calls for instance or like like or like After the fact log analysis, so there's a bunch of fascinating stuff there. Could you plot things?
Yes, I mean the short answer is yes Something like a firewall like a firewall even too. Yeah, and you can do so much of this gateway Yes, you can and there are So we mentioned them in this in a blog post just the other day, but there's some integration partners Oh, so there's one servos and other yeah, and so yeah, they've been great Like to work with over just over the past few weeks, but yeah, we have an integration with them where We've got some we have an API for instance, you know tool call hooks like they can intercept them They can analyze those and you can start to do things like where you can dynamically adjust your network Or your security policy based on effectively real-time signals. Yeah, like actually what's being called what's being prompted What's is that what you mean about that? Like if I'm trying to do not so much nefarious things, but let's just like dangerous things Yes, I could be a new developer new builder Uh, or just maybe have all three motives.
Who knows what but like could you pay attention essentially and like do different things and react or you have Or you have or you have like an agent that is starting to get a little bit more fast and lose with the rules and starting to access things that may just be Yeah, okay. Yeah, and so there's there's there's ways You know, we can send signals out to those tools and those tools have like their own kind of like as application level like network policy That they can start to adapt in real-time based on signals getting from aperture because it's all centralized So you can say like oh this thing like this agent or this person or whatever like they're deviating a little bit off of like the regular kind of behavior Maybe we should start walking down or auditing more slowing down their interactions with these kinds of resources There's nothing to see involved in this if you're doing like tool level Is it literally like are you does the call go to the gateway back the agent to allow it or is it just paying attention and sniffing it? Well right now, it's just a sniffing part. We actually are working on I guess adding an approval loop like our m's are like you don't don't do our m's that are like dangerous rms for example Yes, do so let's get to remove files and add files and take things away So yes, do that But if I can intercept a really dangerous rm or a single injection or a database drop or a table drop or you know who knows what?
Like I would want that that's where I want the gateway to even as a developer Give me the ability to go in the dangerous zone of using the agent because I want it to have free rain I really hate sitting there babysitting the yeses in the nose like oh yes, please commit and push the code I don't want to tell you to commit and push that's inherent. That's what we do here, okay It's part of like getting in and out the door. Let's do I don't want to babysit you doing that So I almost live in the dangerous world. I do live in the dangerous world So like I do dash changes a lot on pick your you know codex, opus, whatever Um, but I feel like this gateway could be my security policy and maybe even my own my own personal big brother in a way Yeah, it's uh, like tells go we're not gonna build the entire ecosystem It's one of the reasons we want partners so early to demonstrate that like oh no We want to work with a lot of people.
We're not gonna like we're not gonna build everything ourselves by any stretch of the imagination Uh, there's a lot of really incredible tech out there that you know We want to be able to plug into a lot of great teams doing like deep research on this kind of stuff Like we we think of our tail-scale and is generally like a very broad horizontal like connectivity platform It's like pretty deep in this like in the stack. There's a lot of a lot of great tech that can be built on top of that Um, it's also just part of a security solution I mean I there's no way I'm gonna run a coding agent on my machine in like, you know with dangerously skip permissions for instance I'm gonna do that in the sandbox. No, I'm doing it. I'm doing it.
Oh gosh I'm doing it locally. I have a sandbox. I have a sandbox in the cloud provider that I can't get out And uh, you know, I go put my S's H keys on that thing. I just I push things to it You know, and I think there's I know my colleague Avery I see you know, he's been experimenting a lot with this kind of stuff too Just like yeah, because like velocity is super important You know these agents nowadays and like just like the code like hell ends are just improving dramatically week over week I want to give them I want to really leverage that safely and I think aperture is part of that safety solution But it's not the whole answer.
So you built an AI gateway with identity baked in Uh, API keys and I have to pass around a lot of benefits here. You mentioned the desire for partners I give you an idea of like what you mean by that You said we're not gonna build all that and you alluded to all that we talked through a bunch of stuff I mentioned agent policy and stuff like that What do you mean by all of that and how could partners step in how can an individual team of one step in and become a partner of Of tail scale and build out what you're not gonna build out. Well, um, I mean they can contact me Okay, I have a conversation with companies and individuals working in the space. What's the best way to reach you?
You want to say your email address here or is it is there another way to get a hold of you? Oh, just aperture tail scale up. Okay. I see it.
Yeah, that's you. Uh, yeah, well, it's it's me and the team It's it's you plus. Yeah, it's the proverbial you. Yeah, and uh, aperture is ap er is that right?
Or ap ur yeah ap. I always miss bill I mean listen ever since aperture apple have this sulfur called aperture for photographers if you know this, you know, 15 years ago It was amazing. They don't make any more. I've never been able to spell aperture properly.
It's like I remind myself Uh, you know, I before e after like every single time my brain doesn't get it. Okay, so please spell aperture if you don't mind info Yeah, ap er ture But then the show notes for everyone to get a hold of you is I'm curious about this. I think this is cool Uh, I mean when I first heard about I was thinking my gosh big brother But then we kind of need a big brother in a way because agents can't be trusted until we could trust them We sort of have to big brother them because already big brothering us in a way And logging all the things to me gives me some peace of mind because I want history I want my own history and from a an enterprise standpoint and maybe a peer standpoint And it might be a little weird to see what david's coding or how you're prompting But I don't know I think we're gonna have to be just okay with that to some degree But I'm gonna want to learn or peek over your shoulder and say well, david's clearly like 10xing my own 10x here Was he prompting here? You know, how is he was magic?
He is he is doing here Maybe it's just like do it. Yeah, is that your prop david? Just do it. Oh, there's been I've been tempted sometimes.
That's my problem It's like yeah, there's this idea do it now like that sounds great. That's an amazing idea I gave you the original idea you morphed it now. It's amazing. Yeah, do it do play one.
I love that Yeah, I spent a lot of time in planning mode with Claude. Yeah. Yeah, it is crazy though Like how fast those tools can let you move and the stuff they can do if left unchecked you got to be careful I think you know, I guess comments on a couple things you just said like There's There is we got some basic permissions with aperture right now You know, like users can only see their own stuff for instance and it's it means can see the world Like we've got a lot of stuff to implement there But oh, maybe we only want a team to be able to see like, you know logs within their team Maybe we only want to manage or to see the team members like there's all these different kinds of I guess access models that we need to explore With customers on this and we are doing that so there's um, there's a lot of room for new features there But again, we're just trying to keep things simple at this point In terms of what are the neat hacks that we've done internally and I really like this one is that you can actually point a coding agent Because we have an API there's like there's There's like a whole bunch of endpoints inside of aperture And one of the endpoints inside of your tailmed is that you could actually get your own logs out of it Right, so you can you could point a coding agent and say like, oh, I want you to explore like basically how you've worked in the past Right, and so you can start to get like these recursive, I guess like learning or feedback loops with a coding agent Like reviewing how it's worked in the past or reviewing its previous logs Right, and I think you can unlock I think there's a lot to unlock with that You know, we've just only started to scratch the surface But as you know, there's some really interesting insights for us as we've been digging into like, oh, how do these protocols work? For instance, like how these coding agents sent the function like how like when they start delegating stuff using some agents like how does that kind of Those mechanics work And so I think for a homelabber that you if you want to explore more about Just like the protocols and the request headers and the bodies and like how these coding agents are sort of like You know how the API calls evolve and how the context evolve is super neat I like the fifth job access model that gives me more peace of mind because you know, it's gateways are great You already have it the network so you can't hide from that and the IP addresses DNS those reveal a lot about an individual Uh, but you know an LLM and your interaction with a model like we do today reveals You know a lot more because you may say hey, I'm new to this scenario and like maybe your team thinks you're really steep in it Whatever I think you're more advanced and that's not so much judgment happens But you you may show or have to be more truthful with your awareness and level of understanding of something And that may be either one be embarrassing or a fireball fence or I don't know But then you start to think about like okay, who has access the information?
I realize this is all work stuff, but I have to be and we're almost getting more and more I don't want to say the word intimate, but it kind of is the word a little bit more relational a little bit more intimate with the other side Let's just say the the machine behind the machine Uh, because it feels a lot like we're talking to something ap here And it in a lot of ways it acts as a peer as an educational peer education is dramatically changing let alone Code level understanding like navigating codebase is so much different today than it was like like not even 180 like 720 different In terms of like spins that it's just dramatically different to navigate codebase and have an understanding In a world where you have agent properties available to you In a lot of cases you might be more forthcoming with the agent because you have to be you know to get it to give you what you need You're gonna have to be like, you know what? I don't know a lot about this subject matter You know, can you can you can you steep me in it? Can you school me where we want you to learn here? Can we build a toy application and then you get launched into it, but it can be a little revealing Sometimes maybe too exposed and that's where I that's where I was like, you know what?
I like the fact you have guardrails because I was a little little apprehensive myself and my own self-hosted version of it Yeah, that's cool because I might do it to me, but somebody else might if I'm in enterprise Yeah, totally. No, I I like when I started using coding agents like the prompt like I almost I'm scared to go back because it might be Right. Like oh, I was burning a lot of tokens on useless things Like I didn't know how to use this tool properly But the things we're all trying to learn how to use these tools properly and the thing is they change every like few months Like I think back to you know what like earlier son of versions back in September versus what I'm using now Yeah, it's like day the capabilities like you have to like teams really have to stay on top of the stuff if you want to keep up with it Yeah, so I you know, yeah privacy obviously like Securities key I think I think people have to be pretty open and candid and transparent if they actually want to learn the space I'm like really leveraging and getting advice from other people too, which is another one of the reasons I wanted I'm so excited about aperture just in terms of like the transformation I think it can help our company make because you know, we're seven years old You know, we've got a lot of incredible engineers and other people working on all sorts of technical stuff When we started the company LOMs basically didn't exist, you know, and The industry is now like I dare think where it's gonna be a year from now We have to adapt and learn more about these things But a world where people are just like just clicking yes all the time is not a world I want I want us to be like like leveling up and I think to do that you have to You have to sort of look at what you did. It's kind of like code reviews just much more aggressively It's like prompt reviews and just understanding like how do these tools work?
How do our workloads needs to change like where did this like where did this agent go wrong? Like where did they make the wrong kind of assumptions? How do we have to shape our code base? So it doesn't do this in the future that kind of stuff like there's there's so much Uh, I guess knowledge that we have to uncover of how to work with these tools going forward to make them effective A lot of the fact that prompt review and PR pull request doesn't actually translate You know that was like serendipitous 17 years ago when you haven't said that itself and said okay pull requests are the thing fork yourself kind of stuff Yeah, that was like the the the founding Uh detail of github was being able to fork a code base and submit a pull request It was brand new territory and and now look at us.
We're just talking to our code bases. I still can't believe it I still can't believe it. I have to pinch myself every day like that's crazy. I'm not about you, but um Uh gpt 5.3 codex is really I've just never worked with an agent that was that um Advanced it's like the working with the most advanced engineer ever And in some case i'm a little pissed because it's like it knows way more than I think I would ever know And I'm almost like yeah, I know a lot about this But like wow you're clearly you're speaking a whole different language and you're moving way faster than I can ever do it And it's a little scary.
It's a little scary But I I think this gateway idea has got some merit especially in the field you're trying to go to which you need a killer app Right you need a killer app on on tail scale that is beyond the VPN, right? So this is taking you beyond the VPN it's taking identity in a whole new place It's securing our API keys and ways we've never been able to before in a world that is burgeoning and very tumultuous in terms of security So I'm all for this. My only My only desire would be uh self-hosted at some point and whenever you get that obviously, you know I'll check out in a matter what between now and then but I'm gonna be in a world where and this is just my own personal pain I just been in this world where these are the kind of things that I want to have sovereignty over and I already have compute So why not dedicate my own compute to it? I'm happy to pay a licensing fee or you know the business won't have ready to go But I'm in this world where I want to self-host a lot more than I ever wanted to be for and it's not It's not that I don't trust the world.
It's when I want to have more control over the world I'm building and they're already interconnected. I've already used to tell us already have my tail net I haven't tapped into multi-tail nets yet. I'm going to that's what I'm at is is uh give me the self-hosted version of it because that's gonna be Ask me fun. I hear you.
Yeah, I hear you. What's uh, what's left? What if I not asked you David about your journey With tail scale what you think people do and don't know it like what is the biggest myth if you get to bunk a myth About tail scale. What might that be?
Do you often have to debunk myths about what you do and what you don't do and how deep of a well You all have uh what are they one of the myths is that we're just for home average or small teams That's not true. Like we've got a significant number of enterprise customers Uh, but I've often heard and call or like, you know, well, but the people at conferences Who were like, oh, like so and so was saying that, you know, you're just for home labs or you're just for small teams You're just like a hobbyist kind of things like no, we're serious like, you know having a free most of the most advanced engineers I've ever known of like you got some really talented people in your team. I'm I'm very I know you'll do that. Yeah, you really do have some serious internet talent.
Yeah, we do. Uh, yeah, I'm very grateful for that It's yes an incredible team um, refus patch is one of the ones I'm thinking like he's been on our podcast go time used to host this podcast called go time That's why I'm so excited about bill for con even two and and go the language and brad's been on that podcast And I think I'm not sure who all is still there over these all these years But a lot of folks that I just paid attention to and have like leaned on for wisdom on how to morally navigate the software building Uh, even from a technical level like just bar not some really awesome people there. Yeah. Yeah, I I count my blessings Uh for the team we have um, but yeah to talk about the myths, you know, we are we're never gonna give up having a free plan You know, I think free for every vice.
Yeah, free forever like we're gonna have we're always gonna have something and we're gonna be pushing more More into that over time. Uh, that's really important to Avery I mean so many other members of tail scale in general, uh, but you know We are building more and more stuff all the time and a lot of that has enabled us to just take on bigger and bigger and bigger customers to help You know, frankly, but pay the bills and help us grow and help us expand and it just makes tail scale a better product for everyone Right, and so uh, we are definitely like enterprise ready and that has been one of the myths that over the past couple years We've we've done a lot I think to establish that but there's always more I think we could do because we've come bottom up And so there's always that you know people who learn about you in the early days That's how they think about you as like the curse of sass like once somebody adopts you You have to spend so much time re-educating them because like you know about exchanging of all the lot, right? And so had a lot of early adoption And we have to go back and just talk more about what we did and the technologies we built in like where we're acting with our customers and stuff Uh, that's one of the myths. Uh, the other one is that we're just a VPN Tail scales more than a VPN a lot of like conventional VPNs.
It's all about IPs and connections like tail scale makes identity in Um, it's yeah, it's a fundamental guarantee of every connection Like you know who and what is connecting like if it can connect to you It's already authorized and you know, you can tell who it is immediately like you know who it is Um, and that is that's more of a paradigm shift where people think about like connectivity and identity being the sort of the same thing Or paired very closely together, which is uh, not how most people think about like networking They think about oh, I've got this con. I've got this connection and then I've got identity That's like way on top somewhere like a layer seven. It's like oh, no, no It's what tail scale is like it's baked in and if it is you can just do so much more with that You don't have to think of worry about identity and I think that once people get their head around it Like you can see these lights go off That's that's the real sort of yeah, like I said paradigm shift I want to bring to people I do not know what you can do differently because I may I would say I'm a pretty steep user of tail scale And and even some of the things you're saying now about these myths They're myths even to me as a as a daily active user of tail scale. I don't know what you do what you can do to solve for that problem Um, but I agree not just a vpn.
It's unclear to me how Um, it all the ways that my identity is attached to my it obviously makes sense not to explain that But it's just not obvious in my daily use of it. Uh, even when I uh, ssh around my network I don't do it via tailsk. I don't think I will ssh via tailsk with like maybe let's say If I have a machine that has a host name of cineplex so my plex machine is called cineplex So I like like that. I'll just ssh cineplex.
I don't know if I'm using any special niceties of tailsk Besides maybe host name mapping. That's about it. Probably. I'm not using my tail scale identity I don't think uh, that's that's maybe and that's maybe my own fault.
Maybe it's your fault I don't know but uh, I agree like I feel like I learn more and more about what tail scale can do for me because you do so much And I don't know how you explain to folks more differently than you already do. Um, besides just keep I guess keep trying. I don't know It's yeah, it's I mean it's um Yeah, good infrastructure gets out of your way really quickly and that's been a guiding principle for us ever since they won Yeah, you know, so it's you know, you don't want infrastructure to make noise. Uh at the same time It would be awfully nice if more people sort of I don't know like just understood all the cool stuff that we were building So it's it's a very tricky balance because we try to be very sort of quiet just works like always works in the background Do we want to make a lot of noise a better new feature like it?
Yeah creates tension. I'd say we try to be very cautious with that like even with aperture I mean just thinking out loud here I think you know one of the ways you can show off a lot about it is not so much built to applications But show off the cool things you can do with it like this podcast is one example diving into it There's just so much you could do with an AI gateway, which I think is worth exploring Um that the way you can you can explain things the folks is really just to show it off demo it And maybe that's conferences. Maybe that's in the hallway track Maybe it's via YouTube and Alex's team what they're doing there But I think there's so much you can do with identity on your network I'm just now thinking about that that personally cared deeply about on a daily basis I'm building things that require it and I'm not leveraging any of this tooling I'm doing it the hard way despite being a user and I'm almost angry at you and the proverbial you for not And maybe you do and maybe I was like, I don't just watch my youtube and that means that's the easy button there Alex like there's a lot of content. Yeah, right?
Yeah, there's a lot of things, but you know Uh, yeah, I don't don't put an lm on a public board You know like don't put an lm like i'm a public internet don't do that Right, but you can you can share that with you can go to private network and you can share that with your friends with tail Like there's like so many little things like it's like oh, I just I didn't realize there's sort of an easier better more secure way I'm telling you I need to know the easier better more secure way the tail skill way of the tail net way or the multi tail net way I can't wait to play. Oh my gosh. I planned and I rhymed at the same time It's been so awesome talking you going into the details of this. I'm a big fan as you already know Uh, I'm looking forward to the self-host version of it.
You know as you already know I've said that a couple times already. Yeah, I think that's where the future is at in a lot of cases here I can see what you're spinning up instances to achieve velocity, but I think ultimately sovereignty is the key to my book at least Um, so there you go for that front there anything left in closing What else you want to say aperture at tail skill dot com without a show of course to reach out to you to become a partner A builder who's got some ideas on top of ts net and the things you're building there or maybe after itself What else I invite people to reach out whether it's like for partnerships or ideas a feature request or what I'm I'm here I'm accessible like I don't want people to think that Um, you know just because tail skills a few years in and we're sort of the size right now that like I'm unreachable and that we're You know, we definitely don't have all the best ideas We've got some good ones, but we want to work with a lot of other people on and help them get the right ideas to market like quickly And it a more safe secure and uh, expedient way. So, uh, yeah, please like reach out. I'd love to hear from people Maybe some office hours for you.
Maybe you could do some office hours, which would you entertain that? Yeah, let's come up. That's that's definitely I think once we get through a bit more of this push on aperture I turn into some content because I mean like I would I would pay attention to the behind the scenes of that I think that's like peer to peer is where I think a lot of developer Like that's one of the ways we we really educate folks that uh, listen to our pod and you know We have a lot of sponsors who sponsor stuff But one of the directions we take is is not just thrown at out there But something that's like it goes behind the scenes It's it's informative and it's peer led. Yeah, and you can kind of see okay Well, this one team over here has got this idea for how they can leverage aperture or an API net or sorry an AI gateway Um, and now I can see what they're using it for and I've got some ideas as well kind of thing Yes, I think office hours could be kind of fun and to speak to the top like you are and your team members That'd be kind of cool to like bring some questions Dig into how that works out throw some ideas out there Let it be a little loose, but also a little structured and uh, yeah, that'd be cool.
I gotta see that happen Yeah, it'd be a lot of fun. I'm uh, I just I love helping people get the ideas to market and removing some of the pain Like it's just such a fantastic experience and uh, I just want to see and help it more that Yeah, very very happy to talk to people about their ideas and You know collaborations and partnerships and stuff like that. All right. Well, David, thank you so much Appreciate you awesome meeting you awesome conversation.
Yeah, thank you. We'll see you again soon Well, that's it. The show's done. Thank you for tuning in that big.
Thank you for being a listener of this podcast If you haven't yet become a member. It is free Yeah, you can go to changelog.com slash community free to join hang with us in Zulip chats everyone's there Everyone's welcome and you are welcome and I want to see you there And if you love this show just a little bit more than you love ever the show out there You want to go deeper get bonus content get closer to the medal drop the ads support the show We have a membership that is not free. It's called change blog plus plus learn more at changelog.com slash plus It's better. It is better.
You know why it's better because you get bonus content to get the little extras Get close to that medal and like I said, you support the show big Thank you to a sponsor for the show today big thank you to BMC for being our beats freak in residence The breakmaster cylinder. My gosh, let's rock some beats and thank you to you for tuning in to the show That's it. We'll see you again soon