diff --git a/authority/authorize.go b/authority/authorize.go
index 2d63a58e..9f2823e5 100644
--- a/authority/authorize.go
+++ b/authority/authorize.go
@@ -55,7 +55,7 @@ func (a *Authority) Authorize(ott string) ([]provisioner.SignOption, error) {
 	// This method will also validate the audiences for JWK provisioners.
 	p, ok := a.provisioners.LoadByToken(token, &claims.Claims)
 	if !ok {
-		return nil, &apiError{errors.New("authorize: provisioner not found or invalid audience"),
+		return nil, &apiError{errors.Errorf("authorize: provisioner not found or invalid audience %s", claims.Audience),
 			http.StatusUnauthorized, errContext}
 	}