diff --git a/.gitea/workflows/kubernetes-deploy.yaml b/.gitea/workflows/kubernetes-deploy.yaml
index ec55d0b..daf1fc2 100644
--- a/.gitea/workflows/kubernetes-deploy.yaml
+++ b/.gitea/workflows/kubernetes-deploy.yaml
@@ -42,16 +42,31 @@ jobs:
 - name: Exchange for K8s OIDC token via Kanidm
 id: k8s
 run: |
- RESPONSE=$(curl -sf -X POST "https://idm.home.hrajfrisbee.cz/oauth2/token" \
+ API_TOKEN="${{ steps.vault.outputs.api_token }}"
+ echo "api_token length: ${#API_TOKEN}" >&2
+ echo "api_token prefix (first 8 chars): ${API_TOKEN:0:8}..." >&2
+
+ HTTP_BODY=$(mktemp)
+ HTTP_STATUS=$(curl -sS -X POST "https://idm.home.hrajfrisbee.cz/oauth2/token" \
 -d "grant_type=urn:ietf:params:oauth:grant-type:token-exchange" \
 -d "client_id=k8s" \
- -d "subject_token=${{ steps.vault.outputs.api_token }}" \
+ -d "subject_token=${API_TOKEN}" \
 -d "subject_token_type=urn:ietf:params:oauth:token-type:access_token" \
 -d "audience=k8s" \
- -d "scope=openid groups")
+ -d "scope=openid groups" \
+ -o "$HTTP_BODY" -w "%{http_code}")
 
- ID_TOKEN=$(echo "$RESPONSE" | jq -r '.id_token')
- [ "$ID_TOKEN" != "null" ] && [ -n "$ID_TOKEN" ] || { echo "::error::Kanidm token exchange failed"; echo "$RESPONSE" | jq . >&2; exit 1; }
+ echo "HTTP status: $HTTP_STATUS" >&2
+ echo "Response body:" >&2
+ cat "$HTTP_BODY" >&2
+
+ RESPONSE=$(cat "$HTTP_BODY")
+ ID_TOKEN=$(echo "$RESPONSE" | jq -r '.id_token // empty')
+
+ if [ -z "$ID_TOKEN" ]; then
+ echo "::error::Kanidm token exchange failed (HTTP $HTTP_STATUS)"
+ exit 1
+ fi
 
 echo "::add-mask::${ID_TOKEN}"
 echo "id_token=${ID_TOKEN}" >> "$GITHUB_OUTPUT"
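Review bot: The new diagnostics write credential material to the job log: `echo "api_token prefix (first 8 chars): ${API_TOKEN:0:8}..." >&2` prints part of the vault token (runner masking redacts exact whole values, so a prefix substring is not redacted), and `cat "$HTTP_BODY" >&2` prints the full token-exchange response, which carries the `id_token`, before the `echo "::add-mask::${ID_TOKEN}"` line runs, so the ID token appears unmasked on every successful run. Drop the prefix line (the length line alone is enough to tell an empty token from a truncated one) and move `cat "$HTTP_BODY" >&2` into the `if [ -z "$ID_TOKEN" ]` branch so the body is shown only on failure, as the removed code did. The file from `mktemp` is also never removed; read it directly with `ID_TOKEN=$(jq -r '.id_token // empty' "$HTTP_BODY")` and add `rm -f -- "$HTTP_BODY"` right after, so the response is not left on the runner's disk. Whether the vault step masks `api_token` itself is not visible in this hunk.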