Overview
To diagnose most issues, run:Interception
Traces are not appearing in the dashboard
Traces are not appearing in the dashboard
Confirm in this order:
- Velatir is running.
velatir statusshould show capture active. - Ingest key configured.
velatir get-configshould show a masked ingest key. If empty, set it:velatir set-api-key --key vltr_.... - The application is supported. Velatir captures only supported applications. See Overview.
- Certificate trust. Some runtimes use their own trust store. See Certificate not trusted by a specific runtime.
- Network reachability. The device must reach
api.velatir.com:curl -I https://api.velatir.com.
velatir logs --host -f while reproducing and share the output with support.Some applications are captured, others are not
Some applications are captured, others are not
This is expected. Velatir only captures supported AI applications; everything else is passed through untouched.To request coverage for an application, contact your account team with the application name, vendor, operating system, and the AI provider it talks to (for example, “Editor X on Windows talks to api.anthropic.com”).
Capture will not start
Capture will not start
Windows: usually the install did not complete correctly. Reinstall the MSI with administrator elevation. If it persists, run
velatir logs -f while attempting velatir start and capture the error.macOS: usually the system extension has not been approved. Open System Settings → General → Login Items & Extensions → Network Extensions and confirm Velatir is enabled. See Permissions.Certificates
Certificate not trusted by a specific runtime
Certificate not trusted by a specific runtime
Browsers and most native apps use the operating system trust store and pick up the Velatir CA automatically. A few runtimes use their own trust store and need explicit configuration.Node.jsOn macOS the installer sets this automatically. Restart any Node.js process that was running before the install.Python (JVMImport the Velatir CA into the JVM truststore:curl
requests, urllib)curl follows the OS trust store on macOS and Windows. On Linux, point it explicitly:Certificate pinned by the application
Certificate pinned by the application
Some applications only trust one specific certificate and reject any other. There is no workaround; Velatir detects these connections and passes them through unmodified.If a pinned application is critical to your compliance workflow, contact your account team about coverage options.
Agent and Host
`velatir status` reports the agent is unreachable
`velatir status` reports the agent is unreachable
This means the Velatir process is not running.Windows: it runs as the VelatirAgent service. Start it with
sc start VelatirAgent from an elevated prompt, or restart the device. If the service is missing, reinstall the MSI.macOS: relaunch Velatir from Applications, or run open /Applications/Velatir.app.If it keeps disappearing, run velatir logs -f (it reconnects once the client comes up) and share the output with support.Velatir keeps restarting
Velatir keeps restarting
Velatir restarts itself within 30 seconds if it stops unexpectedly. Frequent restarts usually mean a problem. Inspect the log:Common causes: an invalid ingest key, a bad bring-your-own CA password, or (rarely) a failed update. Reset to a known-good state by reapplying the ingest key:
A second launch does nothing
A second launch does nothing
Velatir only runs one copy at a time, so an accidental second launch exits silently. This is expected. To restart it:
Updates
`velatir update` reports no new version, but I expected one
`velatir update` reports no new version, but I expected one
Velatir checks for updates periodically. To force a check now:If the version is still older than expected, or you use a tenant-specific update channel, contact support.
An update applied but the version did not change
An update applied but the version did not change
A failed update stays on the previous version. Inspect the log:A common cause is insufficient disk space. Free up space and retry with
velatir update --apply.Networking
VPN connected after Velatir started, and now things are odd
VPN connected after Velatir started, and now things are odd
Velatir re-binds on its own when the network changes, so this usually resolves within seconds. If it does not:See VPN compatibility.
QUIC / HTTP/3 connectivity unusual
QUIC / HTTP/3 connectivity unusual
On Windows, Velatir keeps known AI hosts on a connection it can observe; other traffic (including HTTP/3 to non-AI sites) is untouched, so this rarely causes visible issues. On macOS, QUIC is not captured at all.
Getting Help
When you contact support, attach:Next Steps
FAQ
Quick answers to common questions.
CLI reference
Full command surface for diagnosing and recovering.
Permissions
What the app needs from the operating system, and why.
VPN compatibility
Detail on coexistence with corporate VPNs.