diff --git a/Cargo.lock b/Cargo.lock
index b5c23d820b0..3913ccb3696 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -1006,7 +1006,7 @@ checksum = "1435fa1053d8b2fbbe9be7e97eca7f33d37b28409959813daefc1446a14247f1"
 [[package]]
 name = "dropshot"
 version = "0.6.1-dev"
-source = "git+https://github.com/oxidecomputer/dropshot?branch=main#eadf3bb7169a5744eab633f159093d7f7017b9d6"
+source = "git+https://github.com/oxidecomputer/dropshot?branch=main#6ca8e21a8b9fe1a35e6780afa1f70a5ec6a22513"
 dependencies = [
 "async-stream",
 "async-trait",
@@ -1044,7 +1044,7 @@ dependencies = [
 [[package]]
 name = "dropshot_endpoint"
 version = "0.6.1-dev"
-source = "git+https://github.com/oxidecomputer/dropshot?branch=main#eadf3bb7169a5744eab633f159093d7f7017b9d6"
+source = "git+https://github.com/oxidecomputer/dropshot?branch=main#6ca8e21a8b9fe1a35e6780afa1f70a5ec6a22513"
 dependencies = [
 "proc-macro2",
 "quote",
diff --git a/nexus/src/external_api/http_entrypoints.rs b/nexus/src/external_api/http_entrypoints.rs
index b4b481f8601..6d3f5c406c4 100644
--- a/nexus/src/external_api/http_entrypoints.rs
+++ b/nexus/src/external_api/http_entrypoints.rs
@@ -15,20 +15,23 @@ use super::{
 views::{Organization, Project, Rack, Role, Sled, User, Vpc, VpcSubnet},
 };
 use crate::context::OpContext;
+use dropshot::endpoint;
 use dropshot::ApiDescription;
+use dropshot::EmptyScanParams;
 use dropshot::HttpError;
 use dropshot::HttpResponseAccepted;
 use dropshot::HttpResponseCreated;
 use dropshot::HttpResponseDeleted;
 use dropshot::HttpResponseOk;
 use dropshot::HttpResponseUpdatedNoContent;
+use dropshot::PaginationOrder;
+use dropshot::PaginationParams;
 use dropshot::Path;
 use dropshot::Query;
 use dropshot::RequestContext;
 use dropshot::ResultsPage;
 use dropshot::TypedBody;
 use dropshot::WhichPage;
-use dropshot::{endpoint, EmptyScanParams, PaginationOrder, PaginationParams};
 use omicron_common::api::external::http_pagination::data_page_params_for;
 use omicron_common::api::external::http_pagination::data_page_params_nameid_id;
 use omicron_common::api::external::http_pagination::data_page_params_nameid_name;
@@ -158,7 +161,9 @@ pub fn external_api() -> NexusApiDescription {
 Ok(())
 }
 
- let mut api = NexusApiDescription::new();
+ let conf = serde_json::from_str(include_str!("./tag-config.json")).unwrap();
+ let mut api = NexusApiDescription::new().tag_config(conf);
+
 if let Err(err) = register_endpoints(&mut api) {
 panic!("failed to register entrypoints: {}", err);
 }
@@ -2281,3 +2286,15 @@ async fn roles_get_role(
 };
 apictx.external_latencies.instrument_dropshot_handler(&rqctx, handler).await
 }
+
+#[cfg(test)]
+mod test {
+ use super::external_api;
+
+ #[test]
+ fn test_nexus_tag_policy() {
+ // This will fail if any of the endpoints don't match the policy in
+ // ./tag-config.json
+ let _ = external_api();
+ }
+}
diff --git a/nexus/src/external_api/tag-config.json b/nexus/src/external_api/tag-config.json
new file mode 100644
index 00000000000..a84bd660e4d
--- /dev/null
+++ b/nexus/src/external_api/tag-config.json
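Review bot: The `.unwrap()` on `serde_json::from_str(include_str!("./tag-config.json"))` in `external_api()` panics with only serde's error text, so a malformed or schema-drifted config (dropshot is bumped in this same commit) aborts start-up without naming the file at fault. The JSON is embedded at compile time, so it is not runtime-controlled input and a panic is an acceptable failure mode, but it should be attributable: `.expect("tag-config.json must deserialize into dropshot's tag config")`. The body of `external_api()` starts and ends outside this hunk.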
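Review bot: `test_nexus_tag_policy` contains no assertion; it passes or fails only through panics raised inside `external_api()`, and the comment does not say that. I would word it as `// external_api() panics if tag-config.json fails to parse or endpoint registration is rejected, so returning here means the policy holds.` so readers do not look for a missing assert. Whether a tag-policy violation is actually reported through `register_endpoints` is not visible in this diff and should be confirmed against dropshot.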
@@ -0,0 +1,108 @@
+{
+ "allow_other_tags": false,
+ "endpoint_tag_policy": "ExactlyOne",
+ "tag_definitions": {
+ "disks": {
+ "description": "Virtual disks are used to store instance-local data which includes the operating system.",
+ "external_docs": {
+ "url": "http://oxide.computer/docs/#xxx"
+ }
+ },
+ "firewall": {
+ "description": "Firewall operation controls the flow of network data into a VPC",
+ "external_docs": {
+ "url": "http://oxide.computer/docs/#xxx"
+ }
+ },
+ "hidden": {
+ "description": "TODO operations that will not ship to customers",
+ "external_docs": {
+ "url": "http://oxide.computer/docs/#xxx"
+ }
+ },
+ "instances": {
+ "description": "Virtual machine instances are the basic unit of computation. These operations are used for provisioning, controlling, and destroying instances.",
+ "external_docs": {
+ "url": "http://oxide.computer/docs/#xxx"
+ }
+ },
+ "metrics": {
+ "description": "Metrics provide insight into the operation of the Oxide deployment. These include telemetry on hardware and software components that can be used to understand the current state as well as to diagnose issues.",
+ "external_docs": {
+ "url": "http://oxide.computer/docs/#xxx"
+ }
+ },
+ "organizations": {
+ "description": "Organizations represent a subset of users and projects in an Oxide deployment.",
+ "external_docs": {
+ "url": "http://oxide.computer/docs/#xxx"
+ }
+ },
+ "projects": {
+ "description": "Projects are a grouping of associated resources such as instances and disks within an organization for purposes of billing and access control.",
+ "external_docs": {
+ "url": "http://oxide.computer/docs/#xxx"
+ }
+ },
+ "racks": {
+ "description": "These operations pertain to hardware inventory and management. Racks are the unit of expansion of an Oxide deployment. 
Racks are in turn composed of sleds, switches, power supplies, and a cabled backplane.",
+ "external_docs": {
+ "url": "http://oxide.computer/docs/#xxx"
+ }
+ },
+ "roles": {
+ "description": "Roles are a component of Identity and Access Management (IAM) that allow a user or agent account access to additional permissions.",
+ "external_docs": {
+ "url": "http://oxide.computer/docs/#xxx"
+ }
+ },
+ "routers": {
+ "description": "Routers direct the flow of network traffic into, out of, and within a VPC via routes.",
+ "external_docs": {
+ "url": "http://oxide.computer/docs/#xxx"
+ }
+ },
+ "routes": {
+ "description": "Routes define router policy.",
+ "external_docs": {
+ "url": "http://oxide.computer/docs/#xxx"
+ }
+ },
+ "sagas": {
+ "description": "Sagas are the abstraction used to represent multi-step operations within the Oxide deployment. These operations can be used to query saga status and report errors.",
+ "external_docs": {
+ "url": "http://oxide.computer/docs/#xxx"
+ }
+ },
+ "sleds": {
+ "description": "This tag should be moved into hardware",
+ "external_docs": {
+ "url": "http://oxide.computer/docs/#xxx"
+ }
+ },
+ "subnets": {
+ "description": "This tag should be moved into a generic network tag",
+ "external_docs": {
+ "url": "http://oxide.computer/docs/#xxx"
+ }
+ },
+ "updates": {
+ "description": "This tag should be moved into a operations tag",
+ "external_docs": {
+ "url": "http://oxide.computer/docs/#xxx"
+ }
+ },
+ "users": {
+ "description": "This tag should be moved into an IAM tag",
+ "external_docs": {
+ "url": "http://oxide.computer/docs/#xxx"
+ }
+ },
+ "vpcs": {
+ "description": "A Virtual Private Cloud (VPC) is an isolated network environment that should probaby be moved into a more generic networking tag",
+ "external_docs": {
+ "url": "http://oxide.computer/docs/#xxx"
+ }
+ }
+ }
+}
\ No newline at end of file
diff --git a/openapi/nexus.json b/openapi/nexus.json
index a88e86dd099..2c55293660c 100644
--- a/openapi/nexus.json
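Review bot: The `hidden` tag ("TODO operations that will not ship to customers") is only a grouping label: nothing in this file restricts who may call an endpoint that carries it, and the openapi/nexus.json hunk shows the tag and its description being emitted into the generated spec. Access to those operations still has to be enforced by the handlers' own authorization checks, and the description should say so, e.g. `"description": "Operations not intended for customers; this tag does not restrict access"`. Separately, every `external_docs.url` is the placeholder `http://oxide.computer/docs/#xxx` over plain HTTP, and these values are copied verbatim into the published spec, so they should become `https://` links with real anchors before release. The `vpcs` description also carries a typo (`probaby`), and several descriptions are internal TODO notes that would be visible to API consumers.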
+++ b/openapi/nexus.json 
@@ -6085,5 +6085,126 @@ ] } } - } + }, + "tags": [ + { + "name": "disks", + "description": "Virtual disks are used to store instance-local data which includes the operating system.", + "externalDocs": { + "url": "http://oxide.computer/docs/#xxx" + } + }, + { + "name": "firewall", + "description": "Firewall operation controls the flow of network data into a VPC", + "externalDocs": { + "url": "http://oxide.computer/docs/#xxx" + } + }, + { + "name": "hidden", + "description": "TODO operations that will not ship to customers", + "externalDocs": { + "url": "http://oxide.computer/docs/#xxx" + } + }, + { + "name": "instances", + "description": "Virtual machine instances are the basic unit of computation. These operations are used for provisioning, controlling, and destroying instances.", + "externalDocs": { + "url": "http://oxide.computer/docs/#xxx" + } + }, + { + "name": "metrics", + "description": "Metrics provide insight into the operation of the Oxide deployment. These include telemetry on hardware and software components that can be used to understand the current state as well as to diagnose issues.", + "externalDocs": { + "url": "http://oxide.computer/docs/#xxx" + } + }, + { + "name": "organizations", + "description": "Organizations represent a subset of users and projects in an Oxide deployment.", + "externalDocs": { + "url": "http://oxide.computer/docs/#xxx" + } + }, + { + "name": "projects", + "description": "Projects are a grouping of associated resources such as instances and disks within an organization for purposes of billing and access control.", + "externalDocs": { + "url": "http://oxide.computer/docs/#xxx" + } + }, + { + "name": "racks", + "description": "These operations pertain to hardware inventory and management. Racks are the unit of expansion of an Oxide deployment. 
Racks are in turn composed of sleds, switches, power supplies, and a cabled backplane.", + "externalDocs": { + "url": "http://oxide.computer/docs/#xxx" + } + }, + { + "name": "roles", + "description": "Roles are a component of Identity and Access Management (IAM) that allow a user or agent account access to additional permissions.", + "externalDocs": { + "url": "http://oxide.computer/docs/#xxx" + } + }, + { + "name": "routers", + "description": "Routers direct the flow of network traffic into, out of, and within a VPC via routes.", + "externalDocs": { + "url": "http://oxide.computer/docs/#xxx" + } + }, + { + "name": "routes", + "description": "Routes define router policy.", + "externalDocs": { + "url": "http://oxide.computer/docs/#xxx" + } + }, + { + "name": "sagas", + "description": "Sagas are the abstraction used to represent multi-step operations within the Oxide deployment. These operations can be used to query saga status and report errors.", + "externalDocs": { + "url": "http://oxide.computer/docs/#xxx" + } + }, + { + "name": "sleds", + "description": "This tag should be moved into hardware", + "externalDocs": { + "url": "http://oxide.computer/docs/#xxx" + } + }, + { + "name": "subnets", + "description": "This tag should be moved into a generic network tag", + "externalDocs": { + "url": "http://oxide.computer/docs/#xxx" + } + }, + { + "name": "updates", + "description": "This tag should be moved into a operations tag", + "externalDocs": { + "url": "http://oxide.computer/docs/#xxx" + } + }, + { + "name": "users", + "description": "This tag should be moved into an IAM tag", + "externalDocs": { + "url": "http://oxide.computer/docs/#xxx" + } + }, + { + "name": "vpcs", + "description": "A Virtual Private Cloud (VPC) is an isolated network environment that should probaby be moved into a more generic networking tag", + "externalDocs": { + "url": "http://oxide.computer/docs/#xxx" + } + } + ] } \ No newline at end of file