by tailscaletom 1282 days ago
(Tailscalar and a tailnet lock author here)

If you're okay with trusting Tailscale's control plane, we have a feature for exactly this use case! It's called Device Authorization: https://tailscale.com/kb/1099/device-authorization/

You could also use tailnet lock in this fashion, by issuing a `tailscale lock sign` command for the new node once you've verified the provenance of the new device. Because it involves signatures with keys on your device, it could never be as simple as a REST API, but maybe we could offer an easier-to-automate command or better client library support (suggestions welcome!).