diff --git a/src/core/auth/auth-options.ts b/src/core/auth/auth-options.ts
index 6d3760b..7d7c7f5 100644
--- a/src/core/auth/auth-options.ts
+++ b/src/core/auth/auth-options.ts
@@ -142,6 +142,14 @@ export const authOptions: NextAuthOptions = {
       const exp = typeof token.accessTokenExpires === "number"
         ? token.accessTokenExpires
         : 0;
+      const secLeft = Math.round((exp - Date.now()) / 1000);
+      console.log(
+        "[auth] jwt secLeft=%d hasAccess=%s hasRefresh=%s err=%s",
+        secLeft,
+        !!token.accessToken,
+        !!token.refreshToken,
+        token.error ?? "none",
+      );
       if (
         token.accessToken &&
         token.refreshToken &&
@@ -161,6 +169,15 @@ export const authOptions: NextAuthOptions = {
       (session as any).accessToken = token.accessToken;
       // Surface refresh failure so the client can force a re-login UX.
       if (token.error) (session as any).error = token.error;
+      // Temporary diagnostic — confirm token state in session.
+      (session as any).debug = {
+        hasRefreshToken: !!token.refreshToken,
+        accessTokenExpiresIn:
+          typeof token.accessTokenExpires === "number"
+            ? Math.round((token.accessTokenExpires - Date.now()) / 1000)
+            : null,
+        tokenError: token.error ?? null,
+      };
       // Faza C cutover flag — exposed on session so client components can
       // branch the same way server routes do (env-driven, evaluated per
       // request so flag flip + container restart picks up without rebuild).