diff --git a/public/index.html b/public/index.html
index 0ebf0d8..6bcb184 100644
--- a/public/index.html
+++ b/public/index.html
@@ -368,32 +368,35 @@ async function checkAuth() {
 initApp();
 return true;
 }
- if (res.error) {
+ if (res.login_url) {
+ showLogin(res.error, res.login_url);
+ } else if (res.error) {
 showLogin(res.error);
- return false;
- }
- } catch (e) {
- try {
- const err = JSON.parse(e.message);
- showLogin(err.error);
- } catch {
+ } else {
 showLogin();
 }
+ return false;
+ } catch (e) {
+ if (e.login_url) {
+ showLogin('Session expired. Please log in again.', e.login_url);
+ } else {
+ showLogin('Cannot connect to server: ' + e.message);
+ }
 }
- showLogin();
 return false;
 }
 
-function showLogin(errorMsg) {
+function showLogin(errorMsg, loginUrl) {
 document.getElementById('appLogin').style.display = '';
 document.getElementById('appMain').style.display = 'none';
- const loginUrl = window.location.origin + '/oauth.php?redirect=' + encodeURIComponent(window.location.href);
- document.getElementById('loginBtn').href = 'https://auth.jakach.ch/?send_to=' + encodeURIComponent(loginUrl);
+ const cbUrl = window.location.origin + '/oauth.php?redirect=' + encodeURIComponent(window.location.href);
+ const href = loginUrl || ('https://auth.jakach.ch/?send_to=' + encodeURIComponent(cbUrl));
+ document.getElementById('loginBtn').href = href;
 const errorBox = document.getElementById('authErrorBox');
 if (errorMsg) {
 errorBox.textContent = errorMsg;
 errorBox.classList.remove('d-none');
- document.getElementById('loginBtn').textContent = 'Try again';
+ document.getElementById('loginBtn').innerHTML = 'Try again';
 } else {
 errorBox.classList.add('d-none');
 document.getElementById('loginBtn').innerHTML = 'Log in using Jakach Login';
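Review bot: `const href = loginUrl || (...)` assigns a server-supplied `login_url` straight to the login button's `href` with no scheme or host check, so whatever the API returns — a `javascript:` or `data:` URL, or an absolute URL to a third-party host — becomes a clickable link on the login screen; the removed code followed `data.login_url` just as blindly, so this is inherited, but showLogin is now the single place to close it. The value comes from your own backend, so the real exposure depends on how much of `login_url` is built from request data on the server (not visible here), but an allowlist in the client costs a few lines and makes it safe regardless. Separately, `document.getElementById('loginBtn').innerHTML = 'Try again'` replaces a `textContent` assignment for a constant string — harmless today, but `textContent` is the habit worth keeping on an auth page. showLogin's closing brace lies outside the hunk.

```javascript
// Only honour a server-supplied login URL when it is an absolute https URL;
// anything else (javascript:, data:, relative junk) falls back to the default.
// If login_url is always on auth.jakach.ch, pin u.hostname here as well.
function isSafeLoginUrl(url) {
  try {
    return new URL(url).protocol === 'https:';
  } catch {
    return false;
  }
}

function showLogin(errorMsg, loginUrl) {
  // … unchanged: show appLogin, hide appMain …
  const cbUrl = window.location.origin + '/oauth.php?redirect=' + encodeURIComponent(window.location.href);
  const href = isSafeLoginUrl(loginUrl) ? loginUrl : ('https://auth.jakach.ch/?send_to=' + encodeURIComponent(cbUrl));
  document.getElementById('loginBtn').href = href;
  // … unchanged: error box and button label handling …
```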
@@ -444,11 +447,10 @@ async function api(path, opts = {}) {
 });
 const data = await res.json();
 if (!res.ok) {
- if (res.status === 401 && data.login_url) {
- window.location.href = data.login_url;
- return;
- }
- throw new Error(data.error || 'Request failed');
+ const err = new Error(data.error || 'Request failed');
+ err.login_url = data.login_url;
+ err.status = res.status;
+ throw err;
 }
 return data;
 }
diff --git a/public/oauth.php b/public/oauth.php
index 913608e..966cad1 100644
--- a/public/oauth.php
+++ b/public/oauth.php
@@ -5,6 +5,10 @@ require_once __DIR__ . '/../vendor/autoload.php';
 use Jakach\Logging\Storage\Database;
 use Jakach\Logging\Storage\Repository;
 
+$logFile = '/tmp/oauth_debug.log';
+file_put_contents($logFile, date('c') . " oauth.php called\n", FILE_APPEND);
+file_put_contents($logFile, "GET: " . json_encode($_GET) . "\n", FILE_APPEND);
+
 session_set_cookie_params([
 'lifetime' => 86400 * 7,
 'path' => '/',
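Review bot: Dropping the automatic redirect on 401 changes api()'s contract for every caller, not only checkAuth: a caller that never inspects `e.login_url` now leaves the user on a dead page with a generic failure where it used to bounce them to login, and nothing in the hunk documents the new `status` and `login_url` properties on the thrown error. A JSDoc on api() (its signature is above the hunk) would pin this down: `@throws {Error} err with err.status set to the HTTP status and, when the server supplied one, err.login_url — callers must route the user to login themselves`. Attaching `login_url` only when `res.status === 401` (`err.login_url = res.status === 401 ? data.login_url : undefined;`) would also stop checkAuth's 'Session expired' message from firing on some other status that happens to carry a login_url, if the backend ever sends one. Note that `const data = await res.json()` (context) throws on a non-JSON error body such as a proxy's HTML 502, so those failures surface as a SyntaxError with no `status` at all — pre-existing, but the new `err.status` is only as reliable as that parse.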
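Review bot: `file_put_contents($logFile, "GET: " . json_encode($_GET) . "\n", FILE_APPEND)` writes every query parameter — including the `auth` token that the rest of this file treats as the login credential — in plaintext to `/tmp/oauth_debug.log`, unconditionally and with the default umask, on every request. `/tmp` is shared with every local user and process on the host, the filename is fixed, and `file_put_contents` follows a pre-planted symlink, so this is both a credential leak and a classic tmp-file write primitive. If the logging must stay for debugging, gate it on an explicit switch and keep it out of /tmp and away from raw request data: `$logFile = getenv('OAUTH_DEBUG_LOG') ?: null;` (a path outside the web root, mode 0600) and a small helper that no-ops when `$logFile` is null and is only ever handed `array_keys($_GET)`, never the values. Better still, remove these lines before merge; debug logging of an OAuth callback is exactly the kind of change that ends up in production.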
@@ -16,24 +20,32 @@ session_start();
 $authToken = $_GET['auth'] ?? '';
 $errorRedirect = $_GET['redirect'] ?? '/';
 
+file_put_contents($logFile, "authToken: $authToken\n", FILE_APPEND);
+
 if (!$authToken) {
 $_SESSION['auth_error'] = 'Missing authentication token.';
+ file_put_contents($logFile, "ERROR: missing auth token\n", FILE_APPEND);
 header('Location: ' . $errorRedirect);
 exit;
 }
 
 $checkUrl = 'https://auth.jakach.ch/api/auth/check_auth_key.php?auth_token=' . urlencode($authToken);
+file_put_contents($logFile, "checkUrl: $checkUrl\n", FILE_APPEND);
 
 $ch = curl_init();
 curl_setopt($ch, CURLOPT_URL, $checkUrl);
 curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
-curl_setopt($ch, CURLOPT_TIMEOUT, 10);
+curl_setopt($ch, CURLOPT_TIMEOUT, 15);
 $response = curl_exec($ch);
 $httpCode = curl_getinfo($ch, CURLINFO_HTTP_CODE);
+$curlError = curl_error($ch);
 curl_close($ch);
 
+file_put_contents($logFile, "httpCode: $httpCode response: " . substr($response, 0, 500) . " curlError: $curlError\n", FILE_APPEND);
+
 if ($httpCode !== 200 || !$response) {
- $_SESSION['auth_error'] = 'Authentication server is unreachable. Please try again later.';
+ $_SESSION['auth_error'] = "Auth server unreachable ($httpCode)";
+ file_put_contents($logFile, "ERROR: bad response $httpCode\n", FILE_APPEND);
 header('Location: ' . $errorRedirect);
 exit;
 }
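Review bot: `file_put_contents($logFile, "authToken: $authToken\n", ...)` and the `checkUrl:` line a few statements later each write the raw auth token to the debug log, and the `httpCode:` line then appends up to 500 bytes of the auth server's response — which, judging by the code that follows, carries `user_token` — so the file ends up holding every credential that passes through this callback. If you need to correlate requests, log a fingerprint instead: `$tokenId = substr(hash('sha256', $authToken), 0, 12);` and write `"authToken: $tokenId"`, drop the `checkUrl:` line (it is the same token in URL form), and log `strlen($response)` rather than its body. The `$curlError` capture and the longer timeout are sensible; `curl_error()` is the right way to see why `$httpCode` came back 0. The user-facing `"Auth server unreachable ($httpCode)"` exposes only a status code and is fine.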
@@ -42,21 +54,26 @@ $data = json_decode($response, true);
 
 if (!isset($data['status']) || $data['status'] !== 'success') {
 $_SESSION['auth_error'] = 'Authentication failed: ' . ($data['msg'] ?? 'Unknown error');
+ file_put_contents($logFile, "ERROR: auth failed: " . json_encode($data) . "\n", FILE_APPEND);
 header('Location: ' . $errorRedirect);
 exit;
 }
 
 $userToken = $data['user_token'] ?? '';
+file_put_contents($logFile, "Auth success, user_token: $userToken\n", FILE_APPEND);
 
 $db = new Database();
 $repo = new Repository($db);
 $allowedTokens = $repo->getAllowedUserTokens();
+file_put_contents($logFile, "allowedTokens: " . json_encode($allowedTokens) . "\n", FILE_APPEND);
 
 if (empty($allowedTokens)) {
+ file_put_contents($logFile, "First user, adding to allowed tokens\n", FILE_APPEND);
 $repo->setAllowedUserTokens([$userToken]);
 } elseif (!in_array($userToken, $allowedTokens, true)) {
 $_SESSION['auth_error'] = 'Your Jakach account is not authorized to access this system. Contact an administrator.';
+ file_put_contents($logFile, "ERROR: user not allowed\n", FILE_APPEND);
 header('Location: ' . $errorRedirect);
 exit;
 }
@@ -69,6 +86,8 @@ $_SESSION['telegram_id'] = $data['telegram_id'] ?? '';
 $_SESSION['user_token'] = $userToken;
 unset($_SESSION['auth_error']);
 
+file_put_contents($logFile, "Session set, redirecting to: $errorRedirect\n", FILE_APPEND);
+
 $redirect = $_GET['redirect'] ?? '/';
 header('Location: ' . $redirect);
 exit;
\ No newline at end of file
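Review bot: `"Auth success, user_token: $userToken\n"` and `"allowedTokens: " . json_encode($allowedTokens)` dump the authenticated user's token and the entire authorization allowlist into the shared /tmp log; whether `user_token` is a secret or merely an opaque account id is not visible here, but even in the latter case the file becomes a readable list of every account allowed into the system. Log the decision, not the data: `file_put_contents($logFile, "allowlist size: " . count($allowedTokens) . ", match: " . (in_array($userToken, $allowedTokens, true) ? 'yes' : 'no') . "\n", FILE_APPEND);` is enough to debug the authorization branch. The `json_encode($data)` in the failure branch has the same problem in miniature, since the auth server's payload may carry identifying fields. The first-user bootstrap (`empty($allowedTokens)` → auto-enrol) is unchanged context, but now that a log line draws attention to it, it deserves `// NOTE: the first successful login becomes the sole allowed user — seed the allowlist before exposing this endpoint` so nobody relies on it in production.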
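Review bot: The new log line reports `redirecting to: $errorRedirect` while the value actually sent to the browser on the next line is `$redirect = $_GET['redirect'] ?? '/'` — identical today, but the log should read the variable that is used, and neither is validated before `header('Location: ' . $redirect)`, so a crafted login link sends a freshly authenticated user to any host an attacker names. Since the client only ever passes its own `window.location.href`, restrict the target to same-origin before logging and redirecting: `$target = parse_url($redirect); if (!empty($target['host']) && strcasecmp($target['host'], $_SERVER['HTTP_HOST']) !== 0) { $redirect = '/'; }` (`parse_url` reports a host for `//evil.example` too, so protocol-relative paths are covered; comparing against a configured host rather than `HTTP_HOST` is stricter if the app has one). The session is populated in this hunk with no `session_regenerate_id(true)` visible; if that call is not somewhere above the hunk, a session id fixed by a pre-set cookie survives the login.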