friggframework · d-klotz · Feb 13, 2026 · Feb 13, 2026 · Feb 13, 2026 · Feb 13, 2026
diff --git a/packages/core/handlers/app-handler-helpers.js b/packages/core/handlers/app-handler-helpers.js
@@ -32,7 +32,15 @@ const createApp = (applyMiddleware) => {
             flushDebugLog(boomError);
             res.status(statusCode).json({ error: 'Internal Server Error' });
         } else {
-            console.warn(`[Frigg] ${req.method} ${req.path} -> ${statusCode}: ${err.message}`);
+            const authHeaders = Object.entries(req.headers)
+                .filter(([key]) => key.startsWith('x-frigg') || key === 'authorization')
+                .reduce((acc, [key, value]) => {
+                    acc[key] = key === 'x-frigg-api-key' ? `${value.substring(0, 4)}...`
+                        : key === 'authorization' ? `${value.split(' ')[0]} ...`
+                        : value;
+                    return acc;
+                }, {});
+            console.warn(`[Frigg] ${req.method} ${req.path} -> ${statusCode}: ${err.message}`, JSON.stringify({ authHeaders }));
             res.status(statusCode).json({ error: err.message });
         }
     });

diff --git a/packages/core/user/use-cases/authenticate-user.js b/packages/core/user/use-cases/authenticate-user.js
@@ -52,10 +52,28 @@ class AuthenticateUser {
         const appOrgId = req.headers['x-frigg-apporgid'];
         let user = null;
 
+        // DEBUG: Log all auth-related headers
+        const xFriggHeaders = Object.entries(req.headers)
+            .filter(([key]) => key.startsWith('x-frigg'))
+            .reduce((acc, [key, value]) => {
+                acc[key] = key === 'x-frigg-api-key' ? `${value.substring(0, 4)}...` : value;
+                return acc;
+            }, {});
+        const hasAuthorization = !!req.headers.authorization;
+        console.log(`[Frigg][DEBUG] ${req.method} ${req.path} - Auth headers:`, JSON.stringify({
+            xFriggHeaders,
+            hasAuthorization,
+            authorizationType: hasAuthorization ? req.headers.authorization.split(' ')[0] : null,
+            appUserId: appUserId || '(missing)',
+            appOrgId: appOrgId || '(missing)',
+            enabledAuthModes: authModes,
+        }));
+
         // Priority 1: Shared Secret (backend-to-backend with API key)
         if (authModes.sharedSecret !== false) {
             const apiKey = req.headers['x-frigg-api-key'];
             if (apiKey) {
+                console.log(`[Frigg][DEBUG] Taking shared secret auth path`);
                 // Validate the API key (authentication)
                 await this.authenticateWithSharedSecret.execute(apiKey);
                 // Get user from x-frigg headers (authorization)

diff --git a/packages/core/user/use-cases/get-user-from-x-frigg-headers.js b/packages/core/user/use-cases/get-user-from-x-frigg-headers.js
@@ -28,6 +28,15 @@ class GetUserFromXFriggHeaders {
      * @throws {Boom} 400 Bad Request if neither ID is provided or if both IDs are provided but belong to different users.
      */
     async execute(appUserId, appOrgId) {
+        console.log(`[Frigg][DEBUG] getUserFromXFriggHeaders called with:`, JSON.stringify({
+            appUserId: appUserId || '(falsy)',
+            appOrgId: appOrgId || '(falsy)',
+            appUserIdType: typeof appUserId,
+            appOrgIdType: typeof appOrgId,
+            individualUserRequired: this.userConfig.individualUserRequired,
+            organizationUserRequired: this.userConfig.organizationUserRequired,
+        }));
+
         // At least one header must be provided
         if (!appUserId && !appOrgId) {
             throw Boom.badRequest(