diff --git a/server/api/debug/test-token-exchange.ts b/server/api/debug/test-token-exchange.ts
new file mode 100644
index 0000000..fafa4f5
--- /dev/null
+++ b/server/api/debug/test-token-exchange.ts
@@ -0,0 +1,37 @@
+export default defineEventHandler(async (event) => {
+  // Test the actual token exchange that's failing
+  const config = useRuntimeConfig()
+  
+  const testCode = "test-code-123" // We won't use this for real exchange, just test setup
+  
+  const tokenRequest = {
+    grant_type: 'authorization_code',
+    client_id: process.env.KEYCLOAK_CLIENT_ID,
+    client_secret: process.env.KEYCLOAK_CLIENT_SECRET,
+    code: testCode,
+    redirect_uri: 'https://client.portnimara.dev/oidc/cbt',
+  }
+  
+  return {
+    message: "Token exchange test configuration",
+    issuer: process.env.KEYCLOAK_ISSUER,
+    tokenEndpoint: `${process.env.KEYCLOAK_ISSUER}/protocol/openid-connect/token`,
+    clientId: process.env.KEYCLOAK_CLIENT_ID,
+    clientSecretLength: process.env.KEYCLOAK_CLIENT_SECRET?.length || 0,
+    redirectUri: 'https://client.portnimara.dev/oidc/cbt',
+    requestPayload: {
+      grant_type: tokenRequest.grant_type,
+      client_id: tokenRequest.client_id,
+      client_secret: tokenRequest.client_secret ? '***MASKED***' : 'NOT_SET',
+      code: 'test-code-will-be-replaced',
+      redirect_uri: tokenRequest.redirect_uri,
+    },
+    // Test the actual HTTP vs HTTPS issue
+    environment: {
+      NODE_ENV: process.env.NODE_ENV,
+      headers: getHeaders(event),
+      host: getHeader(event, 'host'),
+      protocol: getHeader(event, 'x-forwarded-proto') || 'http',
+    }
+  }
+})