How To: Investigate a Blocked Request
Use this workflow when a user, operator, or stakeholder asks why Keeptrusts blocked a request.
Outcome
By the end of this workflow, you should know:
- Which request ID and Event recorded the block.
- Which policy or routing rule became decisive.
- Whether the block matches policy intent.
- Whether the next action is documentation, policy tuning, escalation, or rollback.
Workflow diagram
Step 1: Start with the report, not assumptions
Capture as much of the report as you can before opening the console:
- Approximate timestamp.
- Environment.
- The gateway response's
X-Request-Idvalue, if available. - Whether this behavior started after a rollout.
Every governed gateway response carries the correlation request ID. Preserve it
in client logs and incident reports. Decision Events store correlation IDs as
32 lowercase hexadecimal characters: a UUID is stored without hyphens, while
other caller-supplied text is deterministically normalized. For exact
correlation without conversion, have the client send a 32-character
lowercase-hex X-Request-Id. If the reporter cannot provide an ID, use the
smallest available time window plus the gateway, agent, model, and environment
to locate the Event.
Step 2: Find the Event
Use an authenticated CLI profile that resolves to the affected region. The
caller needs events:read permission.
Query recent blocked Events and request JSON so the request IDs and full event fields remain visible:
kt events tail --since 30m --event-type decision --verdict blocked --json
Find the exact Event request_id when you have it. If the response ID is a
UUID, compare it after removing the hyphens. If the caller sent an arbitrary
text ID or no ID was retained, narrow the time window and use the Event's
gateway, agent, model, environment, and timestamp to match the report.
If no matching Event arrives, first verify the gateway's control-plane connectivity, the selected region, and the request family's evidence support. Do not treat an empty History view as proof that the request did not occur.
Step 3: Inspect the decisive evidence
In the matching Event, focus on:
request_id, finalverdict, andreason_code.- Policy results and any redaction marker in the delivered details.
- Provider and model information.
- Timestamps and latency context.
config_version, environment, gateway, and agent attribution.
This tells you whether the result came from a single strong control or a broader rule interaction.
Step 4: Add captured History context only when available
History is not the universal source for blocked requests. Use it only when the gateway's history capture is enabled, blocked-request capture is included, and the relevant session remains available under the platform's retention policy. The capture mode determines whether History contains full, redacted, or metadata-only context.
If any of those conditions is false, continue the investigation with the
request ID and Event. A missing History session is not evidence that the Event
or block is invalid. See
Runtime Configuration for the exact
history.capture behavior.
Step 5: Correlate with rollout or audit context if needed
If you need to understand whether the behavior changed recently:
- Compare with the version history in Configurations.
- Open Trail if you need audit chronology or exportable evidence.
- Open Inbox if the same workflow also created a human-review item.
Step 6: Decide the operational outcome
Use this decision model:
- Expected block: capture the request identifier and explain which policy produced the intended behavior.
- Unexpected but low-risk block: propose a narrow policy adjustment and capture evidence first.
- Unexpected and high-impact block: engage the rollback owner and verify the running gateway behavior through Gateways and the deployment workflow.
- Ambiguous case: move into a human-review workflow with a clear owner.
Evidence checklist
Before closing the investigation, preserve:
- Response request ID, normalized Event request ID, and Event ID.
- Time window.
- Configuration version.
- Final interpretation.
- Links or export references when the issue needs handoff.