diff --git a/server/src/api.rs b/server/src/api.rs
index 679fab4..7d88cb3 100644
--- a/server/src/api.rs
+++ b/server/src/api.rs
@@ -174,12 +174,17 @@ pub enum ApiError {
     AuthenticationRequired(String),
     #[error("invalid ssh signature")]
     InvalidSignature,
+    #[error("malformed ssh signature: {0}")]
+    ParseSignature(anyhow::Error),
+    #[error("malformed ssh certificate: {0}")]
+    ParseCertificate(anyhow::Error),
 }
 
 type ApiResult<T> = Result<T, ApiError>;
 
 impl IntoResponse for ApiError {
     fn into_response(self) -> axum::response::Response {
+        trace!({ error = ?self }, "returned error for request");
         (
             match self {
                 Self::CertificateNotFound => StatusCode::NOT_FOUND,
diff --git a/server/src/api/extract.rs b/server/src/api/extract.rs
index 37a4eee..8e1731f 100644
--- a/server/src/api/extract.rs
+++ b/server/src/api/extract.rs
@@ -21,7 +21,7 @@ where
             .context("failed to extract body")?;
 
         let cert = Certificate::from_openssh(&body)
-            .with_context(|| format!("failed to parse '{}'", body))?;
+            .with_context(|| format!("failed to parse '{}'", body)).map_err(ApiError::ParseCertificate)?;
         trace!(%body, "extracted certificate");
         Ok(Self(cert))
     }
@@ -42,7 +42,7 @@ where
             .await
             .context("failed to extract body")?;
 
-        let sig = SshSig::from_pem(&body).with_context(|| format!("failed to parse '{}'", body))?;
+        let sig = SshSig::from_pem(&body).with_context(|| format!("failed to parse '{}'", body)).map_err(ApiError::ParseSignature)?;
         trace!(%body, "extracted signature");
         Ok(Self(sig))
     }