Yeah, a thing that I wish Tailscale could do is hand off an attestation of some sort that says a TCP connection is being used by user X who is authorized by rule Y. Maybe "magic TLS client certs" is a thing coming on the horizon.
>>zrail+(OP)
You can query the Tailscale API socket locally from your application to see who someone is (email address) based on the connecting IP. It would be nice if the API let you tap into their ACL system as well.
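
The local lookup described in the reply above, sketched as an added example that is not part of the thread and not Tailscale's own code. It assumes the Linux default socket path, the LocalAPI `/localapi/v0/whois` endpoint and its `UserProfile.LoginName` field; the function names and the allowlist are hypothetical.

```python
import http.client
import json
import socket
from urllib.parse import quote

# Assumption: default tailscaled socket path on Linux.
SOCKET_PATH = "/var/run/tailscale/tailscaled.sock"
# Constructed sample of a whois response body (not captured from a real node).
SAMPLE = b'{"Node": {"Name": "laptop.example.ts.net."}, "UserProfile": {"LoginName": "alice@example.com"}}'

class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTPConnection that dials a Unix domain socket instead of TCP."""

    def __init__(self, path, timeout=2.0):
        super().__init__("local-tailscaled.sock", timeout=timeout)
        self._path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(self.timeout)
        self.sock.connect(self._path)

def login_from_whois(body):
    """Return the login name from a whois JSON body, or None if absent or malformed."""
    try:
        login = json.loads(body)["UserProfile"]["LoginName"]
    except (ValueError, KeyError, TypeError):
        return None
    return login if isinstance(login, str) and login else None

def whois(peer_ip, peer_port, path=SOCKET_PATH):
    """Ask the local tailscaled who owns peer_ip:peer_port; None on any failure."""
    addr = f"[{peer_ip}]:{peer_port}" if ":" in peer_ip else f"{peer_ip}:{peer_port}"
    conn = UnixHTTPConnection(path)
    try:
        conn.request("GET", "/localapi/v0/whois?addr=" + quote(addr, safe=""))
        resp = conn.getresponse()
        body = resp.read()
        return login_from_whois(body) if resp.status == 200 else None
    except (OSError, http.client.HTTPException):
        return None  # daemon unreachable or bad reply: treat peer as unidentified
    finally:
        conn.close()

def is_allowed(peer_ip, peer_port, allowed_logins, lookup=whois):
    """Fail closed: only an identified peer whose login is in the allowlist passes."""
    login = lookup(peer_ip, peer_port)
    return login is not None and login.lower() in allowed_logins
```

Pass the address and port from the accepted socket's `getpeername()`, not from a request header, so the lookup is keyed on the actual connection.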