diff --git a/cli/config/configurator.go b/cli/config/configurator.go
index 244b5fe479..8015a8bfdd 100644
--- a/cli/config/configurator.go
+++ b/cli/config/configurator.go
@@ -117,7 +117,7 @@ func (c Configurator) Start(ctx context.Context, prev *Config, flags agentConfig
 _, err = c.handleOAuth(ctx, cfg, prev)
 if err != nil {
- c.logger.Error("Could not handle OAuth", zap.Error(err))
+ c.logger.Debug("Could not handle OAuth", zap.Error(err))
 return err
 }
@@ -265,7 +265,7 @@ func (c Configurator) handleOAuth(ctx context.Context, cfg Config, prev *Config)
 var err error
 cfg, err = c.exchangeToken(cfg, c.flags.Token)
 if err != nil {
- c.logger.Error("Could not exchange token", zap.Error(err))
+ c.logger.Debug("could not exchange token", zap.Error(err))
 return Config{}, err
 }
 }
@@ -304,7 +304,6 @@ func (c Configurator) exchangeToken(cfg Config, token string) (Config, error) {
 c.logger.Debug("Exchanging token", zap.String("token", token))
 jwt, err := oauth.ExchangeToken(cfg.OAuthEndpoint(), token)
 if err != nil {
- c.logger.Error("Could not exchange token", zap.Error(err))
 return Config{}, err
 }
diff --git a/cli/pkg/oauth/oauth.go b/cli/pkg/oauth/oauth.go
index 402c51859a..2f2891e993 100644
--- a/cli/pkg/oauth/oauth.go
+++ b/cli/pkg/oauth/oauth.go
@@ -85,6 +85,19 @@ func SetLogger(l *zap.Logger) {
 logger = l
 }
+type oauthError struct {
+ err error
+ msg string
+}
+
+func (e oauthError) Error() string {
+ return e.err.Error()
+}
+
+func (e oauthError) Message() string {
+ return e.msg
+}
+
 func ExchangeToken(endpoint string, token string) (string, error) {
 logger.Debug("Exchanging token", zap.String("endpoint", endpoint), zap.String("token", token))
 req, err := http.NewRequest("GET", fmt.Sprintf("%s/tokens/%s/exchange", endpoint, token), nil)
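Review bot: The context line `c.logger.Debug("Exchanging token", zap.String("token", token))` at the top of the @@ -304 hunk writes the raw exchange token into the log, and the same field is logged again in `ExchangeToken` in cli/pkg/oauth/oauth.go (`zap.String("token", token)` in the @@ -85 hunk). This commit moves the OAuth failure detail to Debug level, so debug output is presumably what gets collected when an exchange fails, and it would carry the credential with it. I would drop the field in both places, e.g. `c.logger.Debug("Exchanging token")`, or log only a value that cannot be replayed. exchangeToken's body continues outside the hunk.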
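Review bot: In the trailing context of the @@ -85 hunk, `fmt.Sprintf("%s/tokens/%s/exchange", endpoint, token)` places the token into the URL path unescaped, so a value containing `/`, `?` or `#` changes which path is requested. The configurator.go hunks show the token arriving from `c.flags.Token`. Escaping it keeps the request on the intended route: `fmt.Sprintf("%s/tokens/%s/exchange", endpoint, url.PathEscape(token))`, which needs `net/url`; the import block is not visible here. Separately, the new `oauthError` has no doc comment and no `Unwrap() error` method, so `errors.Is`/`errors.As` cannot reach the wrapped `err`; adding `func (e oauthError) Unwrap() error { return e.err }` would fix that. ExchangeToken's body continues past the hunk.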
@@ -95,16 +108,24 @@ func ExchangeToken(endpoint string, token string) (string, error) {
 res, err := http.DefaultClient.Do(req)
 if err != nil {
- logger.Debug("Failed to exchange token", zap.Error(err))
- return "", fmt.Errorf("failed to exchange token: %w", err)
+ logger.Debug("Cannot create exchange token request", zap.Error(err))
+ return "", fmt.Errorf("cannot create exchange token request: %w", err)
 }
+ defer res.Body.Close()
- if res.StatusCode != http.StatusCreated {
- logger.Debug("Failed to exchange token", zap.String("status", res.Status))
- return "", fmt.Errorf("failed to exchange token: %s", res.Status)
+ switch res.StatusCode {
+ case http.StatusNotFound:
+ return "", oauthError{err: fmt.Errorf("token not found"), msg: "Token not found"}
+ case http.StatusUnauthorized:
+ return "", oauthError{err: fmt.Errorf("token expired"), msg: "Token has expired"}
+ case http.StatusCreated:
+ logger.Debug("Token exchanged")
+ default:
+ b, _ := io.ReadAll(res.Body)
+ logger.Debug("Failed to exchange token", zap.String("status", res.Status), zap.String("response", string(b)))
+ return "", oauthError{err: fmt.Errorf("failed to exchange token: %s", res.Status), msg: "Unexpected error exchanging token"}
 }
- defer res.Body.Close()
 body, err := io.ReadAll(res.Body)
 if err != nil {
 logger.Debug("Failed to read response body", zap.Error(err))
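Review bot: In the `default:` branch, `b, _ := io.ReadAll(res.Body)` reads an unbounded body from the remote endpoint, discards the read error, and then writes the whole response into the debug log. Capping the read bounds memory and log size when the endpoint, or whatever answers in its place, returns a large body: `b, _ := io.ReadAll(io.LimitReader(res.Body, 4096))` (the 4096 limit is a suggested value, not one taken from the project). Also, the failure path of `http.DefaultClient.Do` now reports "cannot create exchange token request", although at that point the request already exists and it is the send that failed; `fmt.Errorf("cannot send exchange token request: %w", err)` would describe it accurately. ExchangeToken's body starts before and continues after this hunk.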