Common Support Scenarios
Quick reference for the scenarios you’ll face most often. Each scenario has the symptom, cause, and fix.
Client says “my agent is being blocked”
Symptom: Agent gets HTTP 403 / `PolicyBlockError` on requests that should be allowed.
Diagnose:
- Check the error response. It includes `blocked_by` (which step) and `reason`:
  ```json
  {"error": {"step": "detect_pii", "reason": "PII detected in request"}}
  ```
- Check the audit trail for the agent:
  ```bash
  # Quote the URL so the shell does not interpret "&" or "<...>"
  curl -H "Authorization: Bearer tp_admin_..." \
    "http://localhost:9620/v1/audit?agent=<agent-name>&limit=10"
  ```
- Check if `mode=observe` works (logs but doesn’t block):
  ```python
  agent = Agent(url, key, flags={"mode": "observe"})
  ```
Common causes:
| Blocked by | Likely cause | Fix |
|---|---|---|
| `detect_pii` | Agent prompt contains names, emails, phone numbers | Use `pii=mask` flag, or tune PII patterns in pipeline config |
| `detect_injection` | Prompt looks like injection (common with system prompts) | Add prompt hash to allowlist, or lower injection sensitivity |
| `check_exfiltration` | Agent tries to send data to external URL | Add URL to allowed domains in pipeline config |
| `check_budget` | Agent exceeded budget cap | Increase budget flag: `budget=standard` or `budget=unlimited` |
| `check_tools` | Agent called a tool not in its allowed list | Update agent’s tool allowlist via admin API |
Escalation: If the block is a false positive, see Pipeline Tuning.
Client wants to add a new LLM provider
Steps:
- Get the provider API key from the client
- Store it in the TapPass vault:
  ```bash
  tappass vault set ANTHROPIC_API_KEY=sk-ant-...
  ```
- The provider is immediately available. Agents use it by specifying the model:
  ```python
  response = agent.chat("Hello", model="claude-3-5-sonnet-20241022")
  ```
No restart needed. Provider keys are hot-reloaded from the vault.
Supported providers: OpenAI, Anthropic, Azure OpenAI, Google Gemini, AWS Bedrock, Ollama, vLLM, LM Studio.
Client wants to see audit logs
Option 1: Dashboard (recommended for CISOs)
Direct them to app.tappass.ai (or their self-hosted dashboard URL). They log in via SSO.
Option 2: API
```bash
# Last 50 events for a specific agent
curl -H "Authorization: Bearer tp_admin_..." \
  "http://localhost:9620/v1/audit?agent=my-agent&limit=50"

# Events in a time range
curl -H "Authorization: Bearer tp_admin_..." \
  "http://localhost:9620/v1/audit?after=2026-03-01T00:00:00Z&before=2026-03-14T00:00:00Z"

# Only blocked events
curl -H "Authorization: Bearer tp_admin_..." \
  "http://localhost:9620/v1/audit?blocked=true"
```
Option 3: SIEM export
Configure webhook in the dashboard or via env var:
```bash
TAPPASS_SIEM_WEBHOOK_URL=https://your-siem.example.com/webhook
```
Client wants to register a new agent
Via CLI (if they have server access):
```bash
tappass agents add finance-bot --preset=regulated --flags="pii=mask,email=block"
```
Via Admin API (recommended):
```bash
curl -X POST http://localhost:9620/v1/agents \
  -H "Authorization: Bearer tp_admin_..." \
  -H "Content-Type: application/json" \
  -d '{
    "name": "finance-bot",
    "preset": "regulated",
    "flags": {"pii": "mask", "email": "block"}
  }'
```
Response includes the agent’s API key. Send it to the developer securely (not over email).
Client reports slow responses
Diagnose:
- Check health endpoint:
  ```bash
  curl http://localhost:9620/health/detailed \
    -H "Authorization: Bearer tp_admin_..."
  ```
- Look for slow pipeline steps in audit trail (each step has a `duration_ms` field)
- Common bottlenecks:
  - LLM judge step: uses an LLM call for classification. Disable or switch to a faster model
  - PII detection: Presidio model loading on first call (cold start). Subsequent calls are fast
  - OPA: Check if OPA sidecar is healthy:
    ```bash
    curl http://localhost:8181/health
    ```
Fixes:
| Bottleneck | Fix |
|---|---|
| LLM judge slow | Use TAPPASS_LLM_JUDGE_MODEL=gpt-4o-mini (faster, cheaper) |
| PII cold start | Pre-warm on server start (already done in production) |
| OPA timeout | Check OPA sidecar health and restart if needed |
| High latency on all requests | Check if Redis is connected (TAPPASS_KV_URL). Without it, each worker loads state independently |
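
To tell a steady bottleneck (such as the LLM judge) from a cold start (such as PII detection) in the audit trail, the per-step `duration_ms` values can be profiled as below. This is an added example, not TapPass code; it assumes each audit event carries a `timestamp` and a `steps` list of `{"step", "duration_ms"}` objects, and the `llm_judge` step name is a constructed placeholder.

```python
from statistics import median


def profile_steps(events, cold_ratio=5.0):
    """Rank pipeline steps by median latency and flag cold-start patterns."""
    samples = {}
    # Walk events oldest-first so the first sample per step is its first call.
    for event in sorted(events, key=lambda e: e.get("timestamp", "")):
        for step in event.get("steps", []):
            ms = step.get("duration_ms")
            if isinstance(ms, (int, float)):
                samples.setdefault(step.get("step", "unknown"), []).append(ms)
    rows = []
    for name, v in samples.items():
        # Cold start: the first call is the slowest and far above the rest.
        cold = len(v) > 1 and v[0] == max(v) and v[0] > cold_ratio * median(v[1:])
        rows.append({"step": name, "calls": len(v), "median_ms": median(v),
                     "max_ms": max(v), "cold_start": cold})
    return sorted(rows, key=lambda r: r["median_ms"], reverse=True)


# Constructed sample events; the "steps" layout and "llm_judge" name are assumed.
SAMPLE_EVENTS = [
    {"timestamp": "2026-03-10T09:00:00Z", "steps": [
        {"step": "detect_pii", "duration_ms": 1800},
        {"step": "llm_judge", "duration_ms": 900},
        {"step": "check_tools", "duration_ms": 2}]},
    {"timestamp": "2026-03-10T09:01:00Z", "steps": [
        {"step": "detect_pii", "duration_ms": 12},
        {"step": "llm_judge", "duration_ms": 950},
        {"step": "check_tools", "duration_ms": 3}]},
    {"timestamp": "2026-03-10T09:02:00Z", "steps": [
        {"step": "detect_pii", "duration_ms": 14},
        {"step": "llm_judge", "duration_ms": 870},
        {"step": "check_tools", "duration_ms": 2}]},
]

if __name__ == "__main__":
    for row in profile_steps(SAMPLE_EVENTS):
        print(row)
```

A step with a high median needs one of the fixes in the table above; a step flagged `cold_start` with a low median only paid the one-time load cost.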
Server health check fails
Symptom: `/health/ready` returns 503.
Check each dependency:
```bash
# PostgreSQL
docker compose exec postgres pg_isready
# Redis
docker compose exec redis redis-cli ping
# OPA
curl http://localhost:8181/health
# SPIRE
docker compose exec spire-agent /opt/spire/bin/spire-agent healthcheck
```
Common causes:
| Dependency | Symptom | Fix |
|---|---|---|
| PostgreSQL down | “database connection failed” | docker compose restart postgres |
| Redis unreachable | Degraded mode (works but slow) | docker compose restart redis |
| OPA unreachable | All requests denied (fail-closed) | docker compose restart opa |
| SPIRE agent down | mTLS auth fails | docker compose restart spire-agent |
Client wants to change pipeline configuration
Option 1: Switch preset
```bash
curl -X PATCH http://localhost:9620/v1/agents/finance-bot \
  -H "Authorization: Bearer tp_admin_..." \
  -H "Content-Type: application/json" \
  -d '{"preset": "regulated"}'
```
Option 2: Custom overrides
```bash
curl -X PATCH http://localhost:9620/v1/agents/finance-bot/pipeline \
  -H "Authorization: Bearer tp_admin_..." \
  -H "Content-Type: application/json" \
  -d '{
    "preset": "standard",
    "overrides": {
      "categories": {
        "pii_protection": {"enabled": true, "sensitivity": "high"},
        "cost_control": {"budget_usd": 10.0}
      }
    }
  }'
```
See Industry Configurations for per-vertical presets and Pipeline Tuning for advanced config.
Dashboard login not working
Symptom: User can’t log in to app.tappass.ai.
Check:
- Is SSO configured? `TAPPASS_SSO_PROVIDER` must be set
- Is their email domain in the allowed list? Check `TAPPASS_SSO_ALLOWED_DOMAINS`
- Is the OAuth redirect URI correct? Must match exactly in Google/Azure/Okta config
- Check SSO logs:
  ```bash
  docker compose logs tappass | grep SSO
  ```
Quick fix for testing: Generate a temporary auth token via CLI:
```bash
tappass auth token --email user@company.com --ttl 1h
```
Need to rotate an agent’s API key
```bash
curl -X POST http://localhost:9620/v1/agents/finance-bot/rotate-key \
  -H "Authorization: Bearer tp_admin_..."
```
The old key is immediately invalidated. Send the new key to the developer securely.
Emergency: suspected data breach via agent
- Immediately block the agent:
  ```bash
  # Content-Type header added to match the other PATCH calls on this page
  curl -X PATCH http://localhost:9620/v1/agents/compromised-bot \
    -H "Authorization: Bearer tp_admin_..." \
    -H "Content-Type: application/json" \
    -d '{"enabled": false}'
  ```
- Pull full audit trail:
  ```bash
  curl "http://localhost:9620/v1/audit?agent=compromised-bot&limit=1000" \
    -H "Authorization: Bearer tp_admin_..." > audit-export.json
  ```
- Check for data exfiltration: Look for `classification: RESTRICTED` or `CONFIDENTIAL` events
- Follow the Incident Response Playbook
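
For the "Check for data exfiltration" step, a triage pass over the export, added here as an example and not TapPass's own tooling. It assumes `audit-export.json` is a JSON array of events (or an object with an `events` array) whose events carry `classification`, `blocked` and `timestamp` fields; verify those names against a real export.

```python
import json
from collections import Counter

SENSITIVE = {"RESTRICTED", "CONFIDENTIAL"}  # classifications named on this page


def load_events(text):
    """Accept a bare JSON array or an {"events": [...]} wrapper (assumed shapes)."""
    data = json.loads(text)
    return data["events"] if isinstance(data, dict) else data


def triage(events):
    """Separate sensitive events the pipeline blocked from those it let through."""
    sensitive = [e for e in events
                 if str(e.get("classification", "")).upper() in SENSITIVE]
    passed = [e for e in sensitive if not e.get("blocked", False)]
    stamps = sorted(e["timestamp"] for e in passed if "timestamp" in e)
    return {
        "total": len(events),
        "sensitive": len(sensitive),
        "passed": len(passed),  # sensitive and not blocked: review these first
        "by_class": dict(Counter(str(e["classification"]).upper() for e in passed)),
        "window": (stamps[0], stamps[-1]) if stamps else None,
    }


# Constructed sample export; replace with open("audit-export.json").read()
SAMPLE = json.dumps([
    {"agent": "compromised-bot", "timestamp": "2026-03-10T09:00:00Z",
     "classification": "INTERNAL", "blocked": False},
    {"agent": "compromised-bot", "timestamp": "2026-03-10T09:05:00Z",
     "classification": "RESTRICTED", "blocked": True},
    {"agent": "compromised-bot", "timestamp": "2026-03-10T09:07:00Z",
     "classification": "CONFIDENTIAL", "blocked": False},
    {"agent": "compromised-bot", "timestamp": "2026-03-10T09:30:00Z",
     "classification": "RESTRICTED", "blocked": False},
])

if __name__ == "__main__":
    print(json.dumps(triage(load_events(SAMPLE)), indent=2))
```

The `window` value gives the first and last unblocked sensitive event, which bounds the exposure period to record in the incident timeline.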