diff --git a/pkg/serviceaccount/jwt.go b/pkg/serviceaccount/jwt.go
index 77a058b4ffa..735ec7d24da 100644
--- a/pkg/serviceaccount/jwt.go
+++ b/pkg/serviceaccount/jwt.go
@@ -24,11 +24,12 @@ import (
 "io/ioutil"
 "strings"
 
- jwt "github.com/dgrijalva/jwt-go"
-
 "github.com/GoogleCloudPlatform/kubernetes/pkg/api"
 "github.com/GoogleCloudPlatform/kubernetes/pkg/auth/authenticator"
 "github.com/GoogleCloudPlatform/kubernetes/pkg/auth/user"
+
+ jwt "github.com/dgrijalva/jwt-go"
+ "github.com/golang/glog"
 )
 
 const (
@@ -141,7 +142,7 @@ type jwtTokenAuthenticator struct {
 
 func (j *jwtTokenAuthenticator) AuthenticateToken(token string) (user.Info, bool, error) {
 var validationError error
- for _, key := range j.keys {
+ for i, key := range j.keys {
 // Attempt to verify with each key until we find one that works
 parsedToken, err := jwt.Parse(token, func(token *jwt.Token) (interface{}, error) {
 if _, ok := token.Method.(*jwt.SigningMethodRSA); !ok {
@@ -161,6 +162,7 @@ func (j *jwtTokenAuthenticator) AuthenticateToken(token string) (user.Info, bool
 if (err.Errors & jwt.ValidationErrorSignatureInvalid) != 0 {
 // Signature error, perhaps one of the other keys will verify the signature
 // If not, we want to return this error
+ glog.V(4).Infof("Signature error (key %d): %v", i, err)
 validationError = err
 continue
 }
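Review bot: The new `glog.V(4).Infof("Signature error (key %d): %v", i, err)` line fires once per configured key for every request whose signature fails to verify, and that path is reachable by unauthenticated callers, so it deserves a comment pinning down what may never be added to it; suggested: `// Debug only: reachable by unauthenticated callers for every key; never log the token or its claims here.` As written the line logs only the key index and the jwt-go validation error, which is fine, but the index is only useful to an operator if the key loading order is documented somewhere else. The loop body and AuthenticateToken itself continue outside this hunk.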
@@ -204,18 +206,22 @@ func (j *jwtTokenAuthenticator) AuthenticateToken(token string) (user.Info, bool
 // Make sure token hasn't been invalidated by deletion of the secret
 secret, err := j.getter.GetSecret(namespace, secretName)
 if err != nil {
+ glog.V(4).Infof("Could not retrieve token %s/%s for service account %s/%s: %v", namespace, secretName, namespace, serviceAccountName, err)
 return nil, false, errors.New("Token has been invalidated")
 }
 if bytes.Compare(secret.Data[api.ServiceAccountTokenKey], []byte(token)) != 0 {
+ glog.V(4).Infof("Token contents no longer matches %s/%s for service account %s/%s", namespace, secretName, namespace, serviceAccountName)
 return nil, false, errors.New("Token does not match server's copy")
 }
 
 // Make sure service account still exists (name and UID)
 serviceAccount, err := j.getter.GetServiceAccount(namespace, serviceAccountName)
 if err != nil {
+ glog.V(4).Infof("Could not retrieve service account %s/%s: %v", namespace, serviceAccountName, err)
 return nil, false, err
 }
 if string(serviceAccount.UID) != serviceAccountUID {
+ glog.V(4).Infof("Service account UID no longer matches %s/%s: %q != %q", namespace, serviceAccountName, string(serviceAccount.UID), serviceAccountUID)
 return nil, false, fmt.Errorf("ServiceAccount UID (%s) does not match claim (%s)", serviceAccount.UID, serviceAccountUID)
 }
 }
diff --git a/pkg/serviceaccount/tokens_controller.go b/pkg/serviceaccount/tokens_controller.go
index a800ec9840a..ef3cca65e33 100644
--- a/pkg/serviceaccount/tokens_controller.go
+++ b/pkg/serviceaccount/tokens_controller.go
@@ -171,6 +171,7 @@ func (e *TokensController) serviceAccountDeleted(obj interface{}) {
 return
 }
 for _, secret := range secrets {
+ glog.V(4).Infof("Deleting secret %s/%s because service account %s was deleted", secret.Namespace, secret.Name, serviceAccount.Name)
 if err := e.deleteSecret(secret); err != nil {
 glog.Errorf("Error deleting secret %s/%s: %v", secret.Namespace, secret.Name, err)
 }
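Review bot: The four new log lines that record why a correctly signed token was refused are all at V(4), so at a lower default verbosity a cluster keeps no record that a token whose secret was deleted or rotated was still being presented — which is exactly the signal an operator wants when a service-account token may have leaked. The two cases that indicate a revoked credential, `Could not retrieve token ...` and `Token contents no longer matches ...`, would be better at V(2), the level the tokens_controller hunks in this same commit use for secret deletion; the `Could not retrieve service account` and UID-mismatch lines can reasonably stay at V(4). The namespace and names in these messages come from claims of a token whose signature has already been verified, not from raw request input, so `%s` is acceptable here. AuthenticateToken begins before this hunk.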
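Review bot: Deleting a secret because its service account was deleted is logged here at V(4), while the same destructive action in secretAdded and secretUpdated elsewhere in this commit is logged at V(2), so depending on verbosity an operator will see some secret deletions and not others when reconstructing what the controller did. Use one level for all of them, e.g. `glog.V(2).Infof("Deleting secret %s/%s because service account %s was deleted", secret.Namespace, secret.Name, serviceAccount.Name)`. serviceAccountDeleted begins before this hunk, so how `serviceAccount` and `secrets` were obtained is not visible here.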
@@ -190,6 +191,10 @@ func (e *TokensController) secretAdded(obj interface{}) {
 if !e.serviceAccountsSynced() {
 return
 }
+ glog.V(2).Infof( "Deleting new secret %s/%s because service account %s (uid=%s) was not found", secret.Namespace, secret.Name, secret.Annotations[api.ServiceAccountNameKey], secret.Annotations[api.ServiceAccountUIDKey])
 if err := e.deleteSecret(secret); err != nil {
 glog.Errorf("Error deleting secret %s/%s: %v", secret.Namespace, secret.Name, err)
 }
@@ -211,6 +216,10 @@ func (e *TokensController) secretUpdated(oldObj interface{}, newObj interface{})
 if !e.serviceAccountsSynced() {
 return
 }
+ glog.V(2).Infof( "Deleting updated secret %s/%s because service account %s (uid=%s) was not found", newSecret.Namespace, newSecret.Name, newSecret.Annotations[api.ServiceAccountNameKey], newSecret.Annotations[api.ServiceAccountUIDKey])
 if err := e.deleteSecret(newSecret); err != nil {
 glog.Errorf("Error deleting secret %s/%s: %v", newSecret.Namespace, newSecret.Name, err)
 }
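Review bot: The new V(2) line in secretAdded prints `secret.Annotations[api.ServiceAccountNameKey]` and `secret.Annotations[api.ServiceAccountUIDKey]` with `%s`, but those annotation values are whatever the creator of the secret wrote, and this branch is reached precisely when they name a service account that does not exist; glog output is line-oriented, so an annotation containing a newline or control characters can forge additional log records. Quote them instead: `"Deleting new secret %s/%s because service account %q (uid=%q) was not found",`. secretAdded begins before this hunk, so whether the annotations were validated earlier is not visible here, but `%q` is cheap insurance either way.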
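Review bot: The annotation values interpolated into the new log line in secretUpdated are untrusted input: they are read from newSecret as submitted by the API client and, in this branch, do not match any known service account, so an embedded newline would split the entry into a fabricated log record. Change the format to `"Deleting updated secret %s/%s because service account %q (uid=%q) was not found",` so glog escapes them. The function starts before this hunk and any earlier validation of newSecret is not in view.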