diff --git a/authority/authorize.go b/authority/authorize.go
index db2b2414..3353c6b1 100644
--- a/authority/authorize.go
+++ b/authority/authorize.go
@@ -77,7 +77,7 @@ func (a *Authority) authorizeToken(ctx context.Context, ott string) (provisioner
 	if reuseKey, err := p.GetTokenID(ott); err == nil {
 		ok, err := a.db.UseToken(reuseKey, ott)
 		if err != nil {
-			return nil, &apiError{errors.Wrap(err, "authorizeToken: failed when checking if token already used"),
+			return nil, &apiError{errors.Wrap(err, "authorizeToken: failed when attempting to store token"),
 				http.StatusInternalServerError, errContext}
 		}
 		if !ok {
@@ -163,7 +163,7 @@ func (a *Authority) authorizeRevoke(ctx context.Context, token string) error {
 	if err != nil {
 		return &apiError{errors.Wrap(err, "authorizeRevoke"), http.StatusUnauthorized, errContext}
 	}
-	if err = p.AuthorizeSSHRevoke(ctx, token); err != nil {
+	if err = p.AuthorizeRevoke(ctx, token); err != nil {
 		return &apiError{errors.Wrap(err, "authorizeRevoke"), http.StatusUnauthorized, errContext}
 	}
 	return nil
diff --git a/authority/provisioner/jwk.go b/authority/provisioner/jwk.go
index c47960f9..fa61ee2c 100644
--- a/authority/provisioner/jwk.go
+++ b/authority/provisioner/jwk.go
@@ -118,7 +118,8 @@ func (p *JWK) authorizeToken(token string, audiences []string) (*jwtPayload, err
 	// validate audiences with the defaults
 	if !matchesAudience(claims.Audience, audiences) {
-		return nil, errors.New("invalid token: invalid audience claim (aud)")
+		return nil, errors.Errorf("invalid token: invalid audience claim (aud); want %s, but got %s",
+			audiences, claims.Audience)
 	}
 	if claims.Subject == "" {
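Review bot: The reworded message on the `+` line describes `a.db.UseToken` as a store, but the `if !ok` branch directly below treats its result as a replay check, so the wrapped 500 now says less about what actually failed than the old text did; `"authorizeToken: failed when checking if token already used"` was the more precise wording, or `"authorizeToken: failed when recording token use"` if the store semantics are what is intended. Separately, the guard on the hunk's first line, `if reuseKey, err := p.GetTokenID(ott); err == nil {`, is fail-open: any error from GetTokenID silently skips the one-time-use check, so if GetTokenID can fail for a token that otherwise authorizes, a captured token becomes replayable. That behaviour predates this commit, but it deserves either an explicit error return or a comment stating why skipping the check is acceptable. authorizeToken begins and ends outside the hunk.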
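Review bot: The corrected call `p.AuthorizeRevoke(ctx, token)` is the right one for this path, but the previous `AuthorizeSSHRevoke` call compiled and evidently went unnoticed, and nothing in the diff guards against the two being swapped again; a unit test that drives authorizeRevoke with a provisioner whose `AuthorizeRevoke` and `AuthorizeSSHRevoke` record which one was invoked would pin it. Both error returns in the hunk also wrap with the bare `"authorizeRevoke"` context, so a log reader cannot tell a failed provisioner lookup from the provisioner rejecting the revocation; `errors.Wrap(err, "authorizeRevoke: provisioner denied revocation")` on the new line would separate them. The start of authorizeRevoke, including where `p` and `err` come from, is outside the hunk.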