diff --git a/apps/web/src/app/api/auth/set-session/route.ts b/apps/web/src/app/api/auth/set-session/route.ts
index e079bd7f..f625d349 100644
--- a/apps/web/src/app/api/auth/set-session/route.ts
+++ b/apps/web/src/app/api/auth/set-session/route.ts
@@ -69,6 +69,14 @@ export async function POST(request: NextRequest) {
     refresh_token: refreshToken,
   });
 
+  // TEMP DIAG: remove after magic-link bounce bug is resolved
+  console.log(
+    '[auth/set-session] setSession',
+    error ? `error: ${error.message}` : 'ok',
+    'response cookies:',
+    response.cookies.getAll().map((c) => c.name),
+  );
+
   if (error) {
     console.error('[auth/set-session] setSession failed:', error.message);
     // Return a fresh NextResponse — not `response` — to avoid leaking any
diff --git a/apps/web/src/app/auth/callback/route.ts b/apps/web/src/app/auth/callback/route.ts
index 59842777..519911d2 100644
--- a/apps/web/src/app/auth/callback/route.ts
+++ b/apps/web/src/app/auth/callback/route.ts
@@ -73,6 +73,15 @@ export async function GET(request: NextRequest) {
         setAll(
           cookiesToSet: { name: string; value: string; options: CookieOptions }[],
         ) {
+          // TEMP DIAG: remove after magic-link bounce bug is resolved
+          console.log(
+            '[auth/callback] setAll',
+            cookiesToSet.map((c) => ({
+              name: c.name,
+              len: c.value.length,
+              options: c.options,
+            })),
+          );
           cookiesToSet.forEach(({ name, value }) =>
             request.cookies.set(name, value),
           );
@@ -185,5 +194,12 @@ export async function GET(request: NextRequest) {
     }
   }
 
+  // TEMP DIAG: remove after magic-link bounce bug is resolved
+  console.log(
+    '[auth/callback] returning redirect',
+    redirectUrl.toString(),
+    'cookies:',
+    response.cookies.getAll().map((c) => c.name),
+  );
   return response;
 }
diff --git a/apps/web/src/middleware.ts b/apps/web/src/middleware.ts
index 42a8663f..1a8ff501 100644
--- a/apps/web/src/middleware.ts
+++ b/apps/web/src/middleware.ts
@@ -29,7 +29,21 @@ export async function middleware(request: NextRequest) {
   );
 
   // Refresh session (do not remove this line)
-  const { data: { user } } = await supabase.auth.getUser();
+  const { data: { user }, error } = await supabase.auth.getUser();
+
+  // TEMP DIAG: remove after magic-link bounce bug is resolved.
+  // Surfaces which sb-* cookies arrived and whether getUser rejected them.
+  const sbCookies = request.cookies
+    .getAll()
+    .filter((c) => c.name.startsWith('sb-'))
+    .map((c) => ({ name: c.name, len: c.value.length }));
+  console.log(
+    '[middleware]',
+    request.nextUrl.pathname,
+    'sbCookies:', sbCookies,
+    'user:', user?.id ?? null,
+    'error:', error?.message ?? null,
+  );
 
   // Redirect unauthenticated users from protected routes to login
   const pathname = request.nextUrl.pathname;