diff --git a/cmd/server/authentication/authentication.go b/cmd/server/authentication/authentication.go index 9961360..614bf7c 100644 --- a/cmd/server/authentication/authentication.go +++ b/cmd/server/authentication/authentication.go @@ -27,17 +27,22 @@ func AuthenticationServerMiddleware(cfg *config.AuthenticationServerConfig, next client = &http.Client{} } }) - accessKey := r.Header.Get(core.AccessKeyHeader) account := r.Header.Get(core.AccountHeader) cluster := r.Header.Get(core.ClusterNameHeader) if accessKey == "" || account == "" || cluster == "" { + logger.L().Error("missing headers on incoming connection", + helpers.Int("accessKey (length)", len(accessKey)), + helpers.String("account", account), + helpers.String("cluster", cluster)) + w.WriteHeader(http.StatusUnauthorized) return } if client != nil { + u, err := url.Parse(cfg.Url) if err != nil { panic(err) @@ -50,6 +55,9 @@ func AuthenticationServerMiddleware(cfg *config.AuthenticationServerConfig, next } u.RawQuery = q.Encode() + logger.L().Debug("creating authentication request", + helpers.String("url", u.String())) + authenticationRequest, err := http.NewRequestWithContext(r.Context(), http.MethodGet, u.String(), nil) if err != nil { logger.L().Error("unable to create authentication request", helpers.Error(err)) 
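Review bot: The new `logger.L().Error("missing headers on incoming connection", …)` fires on a condition the client controls (absent headers), so any unauthenticated caller can emit Error-level entries at will and drown genuine server errors; the two Error entries added in the third hunk (`authentication request failed` is the exception, since a transport error is a server-side problem worth Error) have the same property for `authentication server did not authorize the connection`. If the logger offers a warning level, use it for these client-caused 401s and keep Error for failures of the auth server call itself. Logging `len(accessKey)` rather than the key is the right choice and worth keeping for any future entry. AuthenticationServerMiddleware's body begins and continues outside this hunk.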
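Review bot: The Debug entry added after `u.RawQuery = q.Encode()` logs `u.String()`, which carries the full query string; the query is assembled in lines outside this hunk, and if it includes the access key or any other credential, the secret the commit carefully reduces to `len(accessKey)` elsewhere is written to the log in clear. The same value is logged again in the third hunk, at Debug before `client.Do` and at Error in the `authentication request failed` branch, where the level is far more likely to be enabled in production. Log a copy with the query stripped, `safeURL := *u; safeURL.RawQuery = ""` and `helpers.String("url", safeURL.String())`, or log only `u.Host` and `u.Path`, and apply the same to the two later entries. The enclosing function continues outside the hunk.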
@@ -60,14 +68,33 @@ func AuthenticationServerMiddleware(cfg *config.AuthenticationServerConfig, next for origin, dest := range cfg.HeaderToHeaderMapping { authenticationRequest.Header.Set(dest, r.Header.Get(origin)) } + logger.L().Debug("authenticating incoming connection", + helpers.Int("accessKey (length)", len(accessKey)), + helpers.String("account", account), + helpers.String("cluster", cluster), + helpers.String("url", u.String())) response, err := client.Do(authenticationRequest) - if err != nil || response.StatusCode != http.StatusOK { + if err != nil { + logger.L().Error("authentication request failed", helpers.Error(err), + helpers.String("account", account), + helpers.String("cluster", cluster), + helpers.String("url", u.String())) + w.WriteHeader(http.StatusUnauthorized) + return + } else if response.StatusCode != http.StatusOK { + logger.L().Error("authentication server did not authorize the connection", + helpers.Int("accessKey (length)", len(accessKey)), + helpers.String("account", account), + helpers.String("cluster", cluster), + helpers.Int("statusCode", response.StatusCode)) w.WriteHeader(http.StatusUnauthorized) return } } + logger.L().Debug("connection authenticated", helpers.String("account", account), helpers.String("cluster", cluster)) + // create new context with client identifier ctx := context.WithValue(r.Context(), domain.ContextKeyClientIdentifier, domain.ClientIdentifier{ Account: account,
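Review bot: `response.Body` is never closed on either new branch: the `} else if response.StatusCode != http.StatusOK {` path returns without closing it, and the success path falls out of the `if client != nil` block with the body still open, so every authentication leaks a connection the transport cannot reuse, which under a burst of requests exhausts file descriptors. Add `defer response.Body.Close()` directly after the `if err != nil { … return }` block, before the status check. With that in place the `else if` following a returning branch is better written as a plain `if response.StatusCode != http.StatusOK {`, keeping the happy path left-aligned as the rest of the file does. The enclosing function continues past the end of this hunk.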