diff --git a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
index 93d71430..34d2512c 100644
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
@@ -122,10 +122,13 @@ public class OidcTokenExchanger {
 String audience = config.audience() != null ? config.audience() : "";
 JWTClaimsSet atClaims = decodeAccessToken(accessTokenStr, config.issuerUri(), audience);
 if (atClaims != null) {
+ log.info("OIDC access_token claims: {}", atClaims.getClaims().keySet());
 roles = extractRoles(atClaims, config.rolesClaim());
 if (!roles.isEmpty()) {
 log.info("OIDC roles from access_token: {}", roles);
 }
+ } else {
+ log.info("OIDC access_token audience mismatch (expected='{}')", audience);
 }
 } catch (Exception e) {
 log.debug("Could not decode access_token as JWT: {}", e.getMessage());
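Review bot: The new `else` branch reports every null return from `decodeAccessToken` as an audience mismatch, but that call is also given `config.issuerUri()`, so a null result may equally come from an issuer check or another validation step; the helper's body is outside this hunk, so this needs confirming. A wrong cause in the log misdirects whoever triages a rejected token, and when no audience is configured the line prints `expected=''`. A neutral message states only what is known at this point: `log.warn("OIDC access_token rejected by validation (issuer='{}', expected audience='{}')", config.issuerUri(), audience);`. The added claim-name line at the top of the `if` runs on every successful exchange and reads as diagnostics, so `log.debug` fits it better than `log.info`. The enclosing method starts and ends outside the hunk.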