diff --git a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
index 87538772..af4e68a8 100644
--- a/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
+++ b/cameleer3-server-app/src/main/java/com/cameleer3/server/app/security/OidcTokenExchanger.java
@@ -117,6 +117,10 @@ public class OidcTokenExchanger {
 // Try roles from access_token first (JWT providers like Logto, Keycloak),
 // then fall back to id_token
 List roles = Collections.emptyList();
+ log.info("OIDC access_token: isJwt={}, length={}, prefix='{}'",
+ accessTokenStr != null && accessTokenStr.contains("."),
+ accessTokenStr != null ? accessTokenStr.length() : 0,
+ accessTokenStr != null ? accessTokenStr.substring(0, Math.min(30, accessTokenStr.length())) : "null");
 if (accessTokenStr != null && accessTokenStr.contains(".")) {
 try {
 String audience = config.audience() != null ? config.audience() : "";
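Review bot: The added `log.info` call writes up to the first 30 characters of the access token to the application log at INFO level on every exchange. For an opaque (non-JWT) token, which this code explicitly anticipates via `isJwt`, that prefix is part of the bearer credential itself, and a token of 30 characters or fewer is logged in full. For a JWT the prefix is only the start of the base64url header, so `isJwt` and `length` already carry the diagnostic value. I would drop the prefix, lower the level and compute the flag once so the `if` below can reuse it: `boolean isJwt = accessTokenStr != null && accessTokenStr.contains(".");` followed by `log.debug("OIDC access_token: isJwt={}, length={}", isJwt, accessTokenStr != null ? accessTokenStr.length() : 0);`. The enclosing method starts and ends outside the hunk.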