diff --git a/core/Auth/JwtService.php b/core/Auth/JwtService.php
index 1494c0a..2702db5 100644
--- a/core/Auth/JwtService.php
+++ b/core/Auth/JwtService.php
@@ -262,9 +262,13 @@ class JwtService
 $expectedHmac = hash_hmac('sha256', $payloadToSign, $userSecret);
 if (!hash_equals($expectedHmac, $hmacHeader)) {
- $debugMsg = "User: $userId | Expected: $expectedHmac | Got: $hmacHeader | DerivedSecret: $userSecret | PayloadToSign: " . strlen($payloadToSign) . " bytes | Body: '$body' | TS: '$timestamp' | Nonce: '$nonce'";
+ $debugMsg = "User: $userId | Expected: $expectedHmac | Got: $hmacHeader | DerivedSecret: $userSecret | MasterSecret(4): " . substr($this->hmacSecret, 0, 4) . " | Body($bodyLen): '$body' | TS: '$timestamp' | Nonce: '$nonce'";
+ $bodyLen = strlen($body);
 error_log("[SECURITY] HMAC mismatch | " . $debugMsg);
- self::abort(403, 'Invalid HMAC signature');
+ // TEMPORARY: expose debug in response for diagnosis
+ http_response_code(403);
+ echo json_encode(['error' => 'HMAC_DEBUG', 'debug' => $debugMsg]);
+ exit;
 }
 }
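Review bot: The new `echo json_encode([... 'debug' => $debugMsg])` returns `$expectedHmac`, the per-user `$userSecret` and the first four bytes of `$this->hmacSecret` to a caller whose signature just failed verification, so the failure path hands an unauthenticated client the valid HMAC for the body it sent plus the key material that produced it; the "TEMPORARY" comment does not limit who can trigger this. A second defect in the same hunk is that `$bodyLen` is interpolated into `$debugMsg` one line before `$bodyLen = strlen($body);` is assigned, so the message renders `Body():` and PHP raises an undefined-variable warning. I would keep the original `self::abort(403, 'Invalid HMAC signature');` as the only client-visible outcome and confine diagnostics to the server log with secret-free fields, e.g. `$debugMsg = "User: $userId | Got: $hmacHeader | Body: " . strlen($body) . " bytes | TS: '$timestamp' | Nonce: '$nonce'";` — the pre-existing log line also records `$userSecret`, which is worth dropping for the same reason. The enclosing method begins outside this hunk, so the origin of `$userSecret` and `$hmacHeader` cannot be checked here.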