diff --git a/src/main/kotlin/com/android/trisolarisserver/security/FirebaseAuthFilter.kt b/src/main/kotlin/com/android/trisolarisserver/security/FirebaseAuthFilter.kt
index 8d2ce84..6553e83 100644
--- a/src/main/kotlin/com/android/trisolarisserver/security/FirebaseAuthFilter.kt
+++ b/src/main/kotlin/com/android/trisolarisserver/security/FirebaseAuthFilter.kt
@@ -30,9 +30,17 @@ class FirebaseAuthFilter(
 response: HttpServletResponse,
 filterChain: FilterChain
 ) {
+ val debug = request.getHeader("X-Debug-Auth") == "1"
+ fun setDebug(value: String) {
+ if (debug) {
+ response.setHeader("X-Auth-Debug", value)
+ logger.info("Auth debug: {} {} -> {}", request.method, request.requestURI, value)
+ }
+ }
 val header = request.getHeader(HttpHeaders.AUTHORIZATION)
 if (header.isNullOrBlank() || !header.startsWith("Bearer ")) {
 logger.debug("Auth missing/invalid header for {}", request.requestURI)
+ setDebug(if (header.isNullOrBlank()) "missing_authorization" else "invalid_authorization")
 response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Missing Authorization token")
 return
 }
@@ -41,7 +49,10 @@ class FirebaseAuthFilter(
 val decoded = FirebaseAuth.getInstance().verifyIdToken(token)
 val firebaseUid = decoded.uid
 val user = appUserRepo.findByFirebaseUid(firebaseUid)
- ?: throw ResponseStatusException(HttpStatus.UNAUTHORIZED, "User not found")
+ ?: run {
+ setDebug("user_not_found")
+ throw ResponseStatusException(HttpStatus.UNAUTHORIZED, "User not found")
+ }
 logger.debug("Auth verified uid={}, userId={}", firebaseUid, user.id)
 val principal = MyPrincipal(
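Review bot: The debug switch in `val debug = request.getHeader("X-Debug-Auth") == "1"` is controlled entirely by the unauthenticated caller, so any client can turn on the `X-Auth-Debug` response header and the INFO-level log line for every request; the values this filter later puts in that header distinguish a token that failed verification from one that verified but maps to no provisioned user, which is an account-enumeration oracle, and logging attacker-chosen `request.requestURI` at INFO lets a client inflate logs at will. Gate it on a server-side setting that is off in production, e.g. `val debug = authDebugEnabled && request.getHeader("X-Debug-Auth") == "1"` with `authDebugEnabled` injected through the constructor (the constructor is outside this hunk, so I cannot tell whether such a property already exists), or at minimum only emit the header after the token has verified and the user is a superAdmin. The local `fun setDebug` should also carry a comment stating its blast radius, e.g. `// Diagnostics only: reveals the auth outcome to the client and logs it at INFO; must be unreachable outside dev/staging.`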
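Review bot: The `setDebug("user_not_found")` added inside `?: run { ... }` is immediately followed by a throw of `ResponseStatusException`, and if this lookup sits inside the `try` whose `catch (ex: Exception)` appears in the following hunk (the `try {` line itself is outside this hunk), that catch calls `setDebug("verify_failed")`; `response.setHeader` replaces rather than appends, so the client only ever sees `verify_failed` while the INFO log records both values for the same request. Either return here instead of throwing — `setDebug("user_not_found"); response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "User not found"); return` — or have the catch skip its own `setDebug` when `ex is ResponseStatusException`. The same catch already turns the `"User not found"` message into `"Invalid token"`, so whichever label is kept, the header and the body should agree.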
@@ -50,9 +61,11 @@ class FirebaseAuthFilter(
 )
 val auth = UsernamePasswordAuthenticationToken(principal, token, emptyList())
 SecurityContextHolder.getContext().authentication = auth
+ setDebug("ok:userId=${principal.userId},superAdmin=${user.superAdmin}")
 filterChain.doFilter(request, response)
 } catch (ex: Exception) {
 logger.debug("Auth failed for {}: {}", request.requestURI, ex.message)
+ setDebug("verify_failed")
 response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Invalid token")
 }
 }
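Review bot: `setDebug("ok:userId=${principal.userId},superAdmin=${user.superAdmin}")` writes the internal user id and the superAdmin flag into a response header and an INFO log line on every request carrying `X-Debug-Auth: 1`; because that toggle is a plain request header set in the first hunk, this confirms admin status to whoever presents a valid token and fills the log with role data, so reduce it to `setDebug("ok")` and leave ids to the existing DEBUG line. The `setDebug("verify_failed")` in the catch also runs for any exception escaping `filterChain.doFilter`, at which point the response may already be committed — `setHeader` is then silently ignored and the label is wrong for a downstream failure; if the catch is meant to cover only `verifyIdToken`, move `filterChain.doFilter(request, response)` after the try/catch. The enclosing method's `try` begins outside this hunk.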