diff --git a/grpcv1.go b/grpcv1.go
index cf3573e5..aa2fe2ae 100644
--- a/grpcv1.go
+++ b/grpcv1.go
@@ -280,7 +280,11 @@ func (api headscaleV1APIServer) ListMachines(
 response := make([]*v1.Machine, len(machines))
 for index, machine := range machines {
- response[index] = machine.toProto()
+ m := machine.toProto()
+ validTags, invalidTags := getTags(*api.h.aclPolicy, machine, api.h.cfg.OIDC.StripEmaildomain)
+ m.InvalidTags = invalidTags
+ m.ValidTags = validTags
+ response[index] = m
 }
 return &v1.ListMachinesResponse{Machines: response}, nil
diff --git a/machine.go b/machine.go
index 43325c95..f24b0392 100644
--- a/machine.go
+++ b/machine.go
@@ -2,6 +2,7 @@ package headscale
 import (
 "database/sql/driver"
+ "errors"
 "fmt"
 "sort"
 "strconv"
@@ -660,6 +661,37 @@ func (machine *Machine) toProto() *v1.Machine {
 return machineProto
 }
+// getTags will return the tags of the current machine
+func getTags(aclPolicy ACLPolicy, machine Machine, stripEmailDomain bool) (validTags []string, invalidTags []string) {
+ validTagMap := make(map[string]bool)
+ invalidTagMap := make(map[string]bool)
+ for _, tag := range machine.HostInfo.RequestTags {
+ owners, err := expandTagOwners(aclPolicy, tag, stripEmailDomain)
+ if errors.Is(err, errInvalidTag) {
+ invalidTags = append(invalidTags, tag)
+ }
+ var found bool
+ for _, owner := range owners {
+ if machine.Namespace.Name == owner {
+ found = true
+ }
+ }
+ if found {
+ validTagMap[tag] = true
+ } else {
+ invalidTagMap[tag] = true
+ }
+ }
+ for tag := range invalidTagMap {
+ invalidTags = append(invalidTags, tag)
+ }
+ for tag := range validTagMap {
+ validTags = append(validTags, tag)
+ }
+
+ return
+}
+
 func (h *Headscale) RegisterMachineFromAuthCallback(
 machineKeyStr string,
 namespaceName string,
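Review bot: In the ListMachines loop in grpcv1.go, `*api.h.aclPolicy` is dereferenced for every machine with no nil check, so if the server can run without a loaded ACL policy (the pointer type suggests it can) this RPC panics instead of returning the machine list. Guard the call, for example `if api.h.aclPolicy != nil { m.ValidTags, m.InvalidTags = getTags(*api.h.aclPolicy, machine, api.h.cfg.OIDC.StripEmaildomain) }`, and state in a comment what tags a client should see when no policy is configured. getTags also takes the policy and the machine by value, so each iteration copies both structs; passing pointers would avoid that. ListMachines begins above this hunk, so an earlier guard may exist that is not visible here.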
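Review bot: In getTags in machine.go, a tag rejected by `expandTagOwners` with `errInvalidTag` is appended to `invalidTags` and then falls through to the owner check, so it is classified a second time: normally into `invalidTagMap`, which makes the final loop report it twice. Record it once by replacing that append with `invalidTagMap[tag] = true` followed by `continue`. Any other error from `expandTagOwners` is silently dropped and the tag is simply treated as unowned, which hides a policy-evaluation failure behind an ordinary "invalid tag" result; it should at least be logged or documented as intentional. Both result slices are built by ranging over maps, so their order changes between calls; `sort.Strings(validTags)` and `sort.Strings(invalidTags)` before the return would keep the API output stable.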