diff --git a/tsconsensus/authorization.go b/tsconsensus/authorization.go
index 9963811a7..43a25b120 100644
--- a/tsconsensus/authorization.go
+++ b/tsconsensus/authorization.go
@@ -70,7 +70,7 @@ func newAuthorization(ts *tsnet.Server, tag string) *authorization {
 }
 }
 
-func (a *authorization) refresh(ctx context.Context) error {
+func (a *authorization) Refresh(ctx context.Context) error {
 tStatus, err := a.sg.getStatus(ctx)
 if err != nil {
 return err
@@ -87,7 +87,7 @@ func (a *authorization) refresh(ctx context.Context) error {
 return nil
 }
 
-func (a *authorization) allowsHost(addr netip.Addr) bool {
+func (a *authorization) AllowsHost(addr netip.Addr) bool {
 if a.peers == nil {
 return false
 }
@@ -96,7 +96,7 @@ func (a *authorization) allowsHost(addr netip.Addr) bool {
 return a.peers.peerExists(addr, a.tag)
 }
 
-func (a *authorization) selfAllowed() bool {
+func (a *authorization) SelfAllowed() bool {
 if a.peers == nil {
 return false
 }
@@ -105,7 +105,7 @@ func (a *authorization) selfAllowed() bool {
 return a.peers.status.Self.Tags != nil && slices.Contains(a.peers.status.Self.Tags.AsSlice(), a.tag)
 }
 
-func (a *authorization) allowedPeers() views.Slice[*ipnstate.PeerStatus] {
+func (a *authorization) AllowedPeers() views.Slice[*ipnstate.PeerStatus] {
 if a.peers == nil {
 return views.SliceOf([]*ipnstate.PeerStatus{})
 }
diff --git a/tsconsensus/authorization_test.go b/tsconsensus/authorization_test.go
index dce6aaf65..65bdd9fac 100644
--- a/tsconsensus/authorization_test.go
+++ b/tsconsensus/authorization_test.go
@@ -65,7 +65,7 @@ func TestAuthRefreshErrorsNotRunning(t *testing.T) {
 ctx := context.Background()
 
 a := authForStatus(nil)
- err := a.refresh(ctx)
+ err := a.Refresh(ctx)
 if err == nil {
 t.Fatalf("expected err to be non-nil")
 }
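Review bot: Refresh is exported here without a doc comment (the hunk shows a blank line directly above the new signature), and the same gap applies to AllowsHost, SelfAllowed and AllowedPeers in the next three hunks; every exported name should carry a comment starting with its name. These methods are the authorization gate the other hunks on this page call from ServeHTTP and StreamLayer.Dial, so the contract worth stating is the one the visible code establishes: while a.peers is nil, AllowsHost and SelfAllowed return false and AllowedPeers returns an empty slice. For SelfAllowed, whose body is fully visible, something like `// SelfAllowed reports whether the cached status lists this node with a.tag; it is false while a.peers is nil (presumably until a Refresh has succeeded).` would do. Refresh's body continues past the hunk, so its comment should be written against the rest of the getStatus handling rather than the three lines shown here.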
@@ -77,7 +77,7 @@ func TestAuthRefreshErrorsNotRunning(t *testing.T) {
 a = authForStatus(&ipnstate.Status{
 BackendState: "NeedsMachineAuth",
 })
- err = a.refresh(ctx)
+ err = a.Refresh(ctx)
 if err == nil {
 t.Fatalf("expected err to be non-nil")
 }
@@ -89,14 +89,14 @@ func TestAuthRefreshErrorsNotRunning(t *testing.T) {
 
 func TestAuthUnrefreshed(t *testing.T) {
 a := authForStatus(nil)
- if a.allowsHost(netip.MustParseAddr("100.0.0.1")) {
+ if a.AllowsHost(netip.MustParseAddr("100.0.0.1")) {
 t.Fatalf("never refreshed authorization, allowsHost: expected false, got true")
 }
- gotAllowedPeers := a.allowedPeers()
+ gotAllowedPeers := a.AllowedPeers()
 if gotAllowedPeers.Len() != 0 {
 t.Fatalf("never refreshed authorization, allowedPeers: expected [], got %v", gotAllowedPeers)
 }
- if a.selfAllowed() != false {
+ if a.SelfAllowed() != false {
 t.Fatalf("never refreshed authorization, selfAllowed: expected false got true")
 }
 }
@@ -116,14 +116,14 @@ func TestAuthAllowsHost(t *testing.T) {
 true,
 }
 a := authForTags(nil, peerTags)
- err := a.refresh(ctx)
+ err := a.Refresh(ctx)
 if err != nil {
 t.Fatal(err)
 }
 
 for i, tags := range peerTags {
 for _, addr := range addrsForIndex(i) {
- got := a.allowsHost(addr)
+ got := a.AllowsHost(addr)
 if got != expected[i] {
 t.Fatalf("allowed %v, expected: %t, got %t", tags, expected[i], got)
 }
@@ -139,11 +139,11 @@ func TestAuthAllowedPeers(t *testing.T) {
 []string{"woo", testTag},
 []string{testTag},
 })
- err := a.refresh(ctx)
+ err := a.Refresh(ctx)
 if err != nil {
 t.Fatal(err)
 }
- ps := a.allowedPeers()
+ ps := a.AllowedPeers()
 if ps.Len() != 2 {
 t.Fatalf("expected: 2, got: %d", ps.Len())
 }
@@ -153,21 +153,21 @@ func TestAuthSelfAllowed(t *testing.T) {
 ctx := context.Background()
 
 a := authForTags([]string{"woo"}, nil)
- err := a.refresh(ctx)
+ err := a.Refresh(ctx)
 if err != nil {
 t.Fatal(err)
 }
- got := a.selfAllowed()
+ got := a.SelfAllowed()
 if got {
 t.Fatalf("expected: false, got: %t", got)
 }
 
 a = authForTags([]string{"woo", testTag}, nil)
- err = a.refresh(ctx)
+ err = a.Refresh(ctx)
 if err != nil {
 t.Fatal(err)
 }
- got = a.selfAllowed()
+ got = a.SelfAllowed()
 if !got {
 t.Fatalf("expected: true, got: %t", got)
 }
diff --git a/tsconsensus/http.go b/tsconsensus/http.go
index 6501285db..709bcb86b 100644
--- a/tsconsensus/http.go
+++ b/tsconsensus/http.go
@@ -91,7 +91,7 @@ type authedHandler struct {
 }
 
 func (h authedHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
- err := h.auth.refresh(r.Context())
+ err := h.auth.Refresh(r.Context())
 if err != nil {
 log.Printf("error authedHandler ServeHTTP refresh auth: %v", err)
 http.Error(w, "", http.StatusInternalServerError)
@@ -103,7 +103,7 @@ func (h authedHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 http.Error(w, "", http.StatusInternalServerError)
 return
 }
- allowed := h.auth.allowsHost(a)
+ allowed := h.auth.AllowsHost(a)
 if !allowed {
 http.Error(w, "peer not allowed", http.StatusForbidden)
 return
diff --git a/tsconsensus/tsconsensus.go b/tsconsensus/tsconsensus.go
index 38e9755d9..18b8c167c 100644
--- a/tsconsensus/tsconsensus.go
+++ b/tsconsensus/tsconsensus.go
@@ -96,7 +96,7 @@ type StreamLayer struct {
 func (sl StreamLayer) Dial(address raft.ServerAddress, timeout time.Duration) (net.Conn, error) {
 ctx, cancel := context.WithTimeout(context.Background(), timeout)
 defer cancel()
- err := sl.auth.refresh(ctx)
+ err := sl.auth.Refresh(ctx)
 if err != nil {
 return nil, err
 }
@@ -106,7 +106,7 @@ func (sl StreamLayer) Dial(address raft.ServerAddress, timeout time.Duration) (n
 return nil, err
 }
 
- if !sl.auth.allowsHost(addr) {
+ if !sl.auth.AllowsHost(addr) {
 return nil, errors.New("peer is not allowed")
 }
 return sl.s.Dial(ctx, "tcp", string(address))
@@ -122,12 +122,12 @@ func (sl StreamLayer) connAuthorized(conn net.Conn) (bool, error) {
 return false, nil
 }
 ctx := context.Background() // TODO
- err = sl.auth.refresh(ctx)
+ err = sl.auth.Refresh(ctx)
 if err != nil {
 // might be authorized, we couldn't tell
 return false, err
 }
- return sl.auth.allowsHost(addr), nil
+ return sl.auth.AllowsHost(addr), nil
 }
 
 func (sl StreamLayer) Accept() (net.Conn, error) {
@@ -175,11 +175,11 @@ func Start(ctx context.Context, ts *tsnet.Server, fsm raft.FSM, clusterTag strin
 }
 
 auth := newAuthorization(ts, clusterTag)
- err := auth.refresh(ctx)
+ err := auth.Refresh(ctx)
 if err != nil {
 return nil, fmt.Errorf("auth refresh: %w", err)
 }
- if !auth.selfAllowed() {
+ if !auth.SelfAllowed() {
 return nil, errors.New("this node is not tagged with the cluster tag")
 }
 
@@ -198,7 +198,7 @@ func Start(ctx context.Context, ts *tsnet.Server, fsm raft.FSM, clusterTag strin
 }
 c.cmdHttpServer = srv
- c.bootstrap(auth.allowedPeers())
+ c.bootstrap(auth.AllowedPeers())
 if serveDebugMonitor {
 srv, err = serveMonitor(&c, ts, netip.AddrPortFrom(c.self.hostAddr, cfg.MonitorPort).String())