Temporary diagnostic for triaging token-verification 401s. On verify
failure (signature mismatch / expired / kid not in JWKS / wrong aud),
log the underlying error plus a whitelisted decode of the JWT header
(kid, alg, typ) and payload (iss, aud, azp, sub, exp, iat) so the
cause is distinguishable from the log alone.

Only fires on failure — successful requests stay unlogged. The
decodeJWTPart helper whitelists safe metadata fields and never
returns the signature segment.

Remove once the current realm-config drift is settled.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
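
The failure-only diagnostic described in the commit message above, as an added JavaScript sketch that is not the commit's own code. The signature of decodeJWTPart, the describeFailedToken helper, the allowlist constants and the sample token are assumptions; only the field names come from the message.

```javascript
// Added example; names and shapes other than the field lists are assumptions.
const HEADER_FIELDS = ['kid', 'alg', 'typ'];
const PAYLOAD_FIELDS = ['iss', 'aud', 'azp', 'sub', 'exp', 'iat'];

// Decode one base64url JWT segment and keep only allowlisted keys.
// Returns null on malformed input so the diagnostic itself never throws.
function decodeJWTPart(segment, allowed) {
  if (typeof segment !== 'string' || !/^[A-Za-z0-9_-]+$/.test(segment)) return null;
  try {
    const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
    const obj = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
    if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) return null;
    const out = {};
    for (const key of allowed) {
      if (Object.prototype.hasOwnProperty.call(obj, key)) out[key] = obj[key];
    }
    return out;
  } catch {
    return null;
  }
}

// Build the log record for a failed verification. The signature segment
// (parts[2]) is never read and the raw token is never included.
function describeFailedToken(token, err) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  return {
    error: err && err.message ? err.message : String(err),
    segments: parts.length,
    header: decodeJWTPart(parts[0], HEADER_FIELDS),
    payload: decodeJWTPart(parts[1], PAYLOAD_FIELDS),
  };
}

// Constructed sample token: made-up claims with a dummy signature segment.
const b64url = (o) => Buffer.from(JSON.stringify(o)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const sampleToken = [
  b64url({ alg: 'RS256', typ: 'JWT', kid: 'constructed-kid', jku: 'https://example.invalid/jwks' }),
  b64url({ iss: 'https://idp.example.invalid/realms/demo', aud: 'api', sub: 'u1',
           exp: 1700000000, email: 'user@example.invalid' }),
  'constructed-signature',
].join('.');

// Fields outside the allowlists (jku, email) are dropped from the record.
console.log(JSON.stringify(describeFailedToken(sampleToken, new Error('kid not in JWKS'))));
```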