diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index cc4ec9c3d7..8eade50a03 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -4,6 +4,8 @@
 - Give a grace period when starting the unenroll monitor. {issue}1500[1500]
 - Fixes a race condition between the unenroller goroutine and the main goroutine for the coordinator monitor. {issues}1738[1738]
 - Remove events from agent checkin body. {issue}1774[1774]
+- Improve authc debug logging. {pull}1870[1870]
+- Add error detail to catch-all HTTP error response. {pull}1854[1854]
 
 ==== New Features
 
diff --git a/dev-tools/integration/.env b/dev-tools/integration/.env
index ba2f075611..8d460e721f 100644
--- a/dev-tools/integration/.env
+++ b/dev-tools/integration/.env
@@ -1,4 +1,4 @@
-ELASTICSEARCH_VERSION=8.5.0-589a4a10-SNAPSHOT
+ELASTICSEARCH_VERSION=8.5.0-c7913db3-SNAPSHOT
 ELASTICSEARCH_USERNAME=elastic
 ELASTICSEARCH_PASSWORD=changeme
 TEST_ELASTICSEARCH_HOSTS=localhost:9200
\ No newline at end of file
diff --git a/internal/pkg/api/auth.go b/internal/pkg/api/auth.go
index d83c7d8aec..9e9151c726 100644
--- a/internal/pkg/api/auth.go
+++ b/internal/pkg/api/auth.go
@@ -33,6 +33,8 @@ var (
 func authAPIKey(r *http.Request, bulker bulk.Bulk, c cache.Cache) (*apikey.APIKey, error) {
 	span, ctx := apm.StartSpan(r.Context(), "authAPIKey", "auth")
 	defer span.End()
+	start := time.Now()
+	reqID := r.Header.Get(logger.HeaderRequestID)
 
 	key, err := apikey.ExtractAPIKey(r)
 	if err != nil {
@@ -41,15 +43,17 @@ func authAPIKey(r *http.Request, bulker bulk.Bulk, c cache.Cache) (*apikey.APIKe
 
 	if c.ValidAPIKey(*key) {
 		span.Context.SetLabel("api_key_cache_hit", true)
+		log.Debug().
+			Str("id", key.ID).
+			Str(ECSHTTPRequestID, reqID).
+			Int64(ECSEventDuration, time.Since(start).Nanoseconds()).
+			Bool("fleet.api_key.cache_hit", true).
+			Msg("ApiKey authenticated")
 		return key, nil
 	} else {
 		span.Context.SetLabel("api_key_cache_hit", false)
 	}
 
-	reqID := r.Header.Get(logger.HeaderRequestID)
-
-	start := time.Now()
-
 	info, err := bulker.APIKeyAuth(ctx, *key)
 
 	if err != nil {
@@ -62,7 +66,7 @@ func authAPIKey(r *http.Request, bulker bulk.Bulk, c cache.Cache) (*apikey.APIKe
 		return nil, err
 	}
 
-	log.Trace().
+	log.Debug().
 		Str("id", key.ID).
 		Str(ECSHTTPRequestID, reqID).
 		Int64(ECSEventDuration, time.Since(start).Nanoseconds()).
@@ -70,6 +74,7 @@ func authAPIKey(r *http.Request, bulker bulk.Bulk, c cache.Cache) (*apikey.APIKe
 		Strs("roles", info.Roles).
 		Bool("enabled", info.Enabled).
 		RawJSON("meta", info.Metadata).
+		Bool("fleet.api_key.cache_hit", false).
 		Msg("ApiKey authenticated")
 
 	c.SetAPIKey(*key, info.Enabled)
diff --git a/internal/pkg/api/error.go b/internal/pkg/api/error.go
index e349adf172..a044d6cdb7 100644
--- a/internal/pkg/api/error.go
+++ b/internal/pkg/api/error.go
@@ -161,6 +161,7 @@ func NewHTTPErrResp(err error) HTTPErrResp {
 	return HTTPErrResp{
 		StatusCode: http.StatusBadRequest,
 		Error:      "BadRequest",
+		Message:    err.Error(),
 		Level:      zerolog.InfoLevel,
 	}
 }