diff --git a/app/api/auth/[...nextauth]/route.ts b/app/api/auth/[...nextauth]/route.ts index 7888940b..cddc018c 100644 --- a/app/api/auth/[...nextauth]/route.ts +++ b/app/api/auth/[...nextauth]/route.ts @@ -109,6 +109,20 @@ export const authOptions: NextAuthOptions = { }, callbacks: { async jwt({ token, account, profile, user }: any) { + console.log("JWT CALLBACK TRIGGERED with token keys:", Object.keys(token)); + console.log("JWT CALLBACK - Has account?", !!account); + console.log("JWT CALLBACK - Has user?", !!user); + + // TEMPORARY DEBUG HACK - Force roles for specific user + if (token.sub === "203cbc91-61ab-47a2-95d2-b5e1159327d7") { + console.log("DEBUG HACK: Detected specific user, forcing all roles"); + // Only add this if token.role doesn't already have these roles + if (!token.role || token.role.length <= 1) { + token.role = ["user", "admin", "expression", "mediation", "coding", "dataintelligence", "entrepreneurship"]; + console.log("DEBUG HACK: Set roles to", token.role); + } + } + // Initial sign in if (account && account.access_token) { console.log("FULL USER OBJECT:", JSON.stringify(user, null, 2)); @@ -211,6 +225,9 @@ export const authOptions: NextAuthOptions = { return token; }, async session({ session, token }: any) { + console.log("SESSION CALLBACK TRIGGERED with token keys:", Object.keys(token)); + console.log("SESSION CALLBACK - Token role:", token.role); + // Pass necessary info to the session session.accessToken = token.accessToken; if (session.user) { 
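Review bot: The added `if (token.sub === "203cbc91-61ab-47a2-95d2-b5e1159327d7")` branch in the `jwt` callback grants `admin` and every other application role to one hard-coded subject, regardless of what the identity provider asserted. That is an authorization bypass in the sign-in path, not a debug aid. It runs on every invocation of the callback, and nothing visible in the hunk restricts it to a non-production build. The block should be dropped and the account given its roles in Keycloak, where the grant is visible and revocable. Separately, `token.role.length <= 1` assumes `token.role` is an array, which the `any` parameter typing does not guarantee. The body of `jwt` continues outside the hunk.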
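Review bot: The two `console.log` calls added at the top of `session` write the token's key names and `token.role` to the server log on every session lookup. The `jwt` hunk above and the exact-match branch added to `mapToApplicationRoles` introduce the same unconditional logging. Authorization data then lands wherever the process output is collected, and the volume buries real authentication errors. These should be removed before merge or placed behind one switch, for example `if (process.env.AUTH_DEBUG === "true") console.debug("session roles:", token.role);` (the flag name is illustrative). The body of `session` continues outside the hunk.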
@@ -277,6 +294,12 @@ function mapToApplicationRoles(keycloakRoles: string[]): string[] { 'mediator': ['mediation'], 'entrepreneur': ['entrepreneurship'], + // Exact matches for capitalized roles from Keycloak token + 'Expression': ['expression'], + 'Mediation': ['mediation'], + 'DataIntelligence': ['dataintelligence'], + 'Admin': ['admin', 'dataintelligence', 'coding', 'expression', 'mediation', 'entrepreneurship'], + // Common prefixed variants 'role_admin': ['admin', 'dataintelligence', 'coding', 'expression', 'mediation', 'entrepreneurship'], 'realm_admin': ['admin', 'dataintelligence', 'coding', 'expression', 'mediation', 'entrepreneurship'], @@ -297,6 +320,14 @@ function mapToApplicationRoles(keycloakRoles: string[]): string[] { // Try to match each role with our mappings for (const role of keycloakRoles) { + // First, check for an exact case-sensitive match + if (mappings[role]) { + appRoles = [...appRoles, ...mappings[role]]; + console.log(`Exact matched ${role} to: ${mappings[role].join(', ')}`); + continue; // Skip to next role + } + + // If no direct match, normalize and try again // Try different variations of the role name const normalizedRole = role.toLowerCase() .replace(/^role_/i, '') // Remove ROLE_ prefix
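Review bot: The new `'Admin'` entry is a third literal copy of the full role list already written out for `'role_admin'` and `'realm_admin'`. Adding or retiring an application role now means editing every copy, and one missed copy leaves some admin spellings with different privileges from the others. Declaring the list once, e.g. `const ADMIN_APP_ROLES = ['admin', 'dataintelligence', 'coding', 'expression', 'mediation', 'entrepreneurship'];`, and referencing it from each key keeps them in step. A short comment on the capitalised keys saying which Keycloak role source (realm or client roles) they come from would also help, since a role named `Admin` now maps to every privilege. The mapping table starts and ends outside the hunk.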
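Review bot: The exact-match test `if (mappings[role])` also succeeds for inherited property names if `mappings` is a plain object literal, as the entries in the previous hunk suggest. A role string such as `constructor` or `toString` from the token would then pass the check, and the spread `...mappings[role]` would throw on a non-iterable value, failing the mapping for that sign-in. Testing own keys avoids this: `if (Object.prototype.hasOwnProperty.call(mappings, role)) {`; a `Map<string, string[]>` with `mappings.get(role)` would do the same. The `for` loop body continues outside the hunk, so whether `appRoles` is de-duplicated after these appends cannot be seen here.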