diff --git a/src/encryptid/server.ts b/src/encryptid/server.ts
index 4d709e7..f16ec78 100644
--- a/src/encryptid/server.ts
+++ b/src/encryptid/server.ts
@@ -5361,12 +5361,15 @@ app.post('/oidc/token', async (c) => {
   // Consume auth code (atomic — marks used)
   const authCode = await consumeOidcAuthCode(code);
   if (!authCode) {
+    console.log('OIDC token: auth code not found or already used');
     return c.json({ error: 'invalid_grant' }, 400);
   }
   if (authCode.clientId !== clientId) {
+    console.log(`OIDC token: clientId mismatch: code=${authCode.clientId} req=${clientId}`);
     return c.json({ error: 'invalid_grant' }, 400);
   }
   if (authCode.redirectUri !== redirectUri) {
+    console.log(`OIDC token: redirectUri mismatch: code=${authCode.redirectUri} req=${redirectUri}`);
     return c.json({ error: 'invalid_grant' }, 400);
   }