SSO is not the only method of authenticating things. They have auth keys specifically for the purpose of authing headless servers. e.g.
sudo tailscale up --authkey tskey-abcdef1432341818
You can also apply an ACL tag to it so that it is no longer authorized as the user and instead takes on the permissions of the tag.
In our deployments we have the headless servers pull the tagged auth key from secrets manager on boot and then just `tailscale up --authkey <value>`.
I agree the default login flow is usually not what you want for headless servers. It sort of leads you down the wrong path.
You can also apply an ACL tag to it so that it is no longer authorized as the user and instead takes on the permissions of the tag.
In our deployments we have the headless servers pull the tagged auth key from secrets manager on boot and then just `tailscale up --authkey <value>`.
I agree the default login flow is usually not what you want for headless servers. It sort of leads you down the wrong path.