diff --git a/backend/src/auth/oidc.ts b/backend/src/auth/oidc.ts
index 6e7508e..0ef0a3f 100644
--- a/backend/src/auth/oidc.ts
+++ b/backend/src/auth/oidc.ts
@@ -170,10 +170,27 @@ export async function verifyToken(tokenSet: TokenSet): Promise<boolean> {
   }
 }
 
+// Cache userinfo responses to avoid hitting the OIDC provider on every request.
+// Entries expire after 5 minutes. The cache is keyed by the raw access token.
+const userinfoCache = new Map<string, { user: AuthenticatedUser; expiresAt: number }>();
+const USERINFO_CACHE_TTL_MS = 5 * 60 * 1000;
+
 export async function verifyBearerToken(accessToken: string): Promise<AuthenticatedUser> {
+  const cached = userinfoCache.get(accessToken);
+  if (cached && Date.now() < cached.expiresAt) {
+    return cached.user;
+  }
+
   const client = getOIDCClient();
 
-  const userInfo = await client.userinfo(accessToken);
+  let userInfo: Awaited<ReturnType<typeof client.userinfo>>;
+  try {
+    userInfo = await client.userinfo(accessToken);
+  } catch (err) {
+    // Remove any stale cache entry for this token
+    userinfoCache.delete(accessToken);
+    throw err;
+  }
 
   const id = String(userInfo.sub);
   const username = String(userInfo.preferred_username || userInfo.name || id);
@@ -184,5 +201,7 @@ export async function verifyBearerToken(accessToken: string): Promise<Authentica
     throw new Error('Email not provided by OIDC provider');
   }
 
-  return { id, username, fullName, email };
+  const user: AuthenticatedUser = { id, username, fullName, email };
+  userinfoCache.set(accessToken, { user, expiresAt: Date.now() + USERINFO_CACHE_TTL_MS });
+  return user;
 }
\ No newline at end of file
diff --git a/backend/src/middleware/auth.ts b/backend/src/middleware/auth.ts
index 309bee2..05ced03 100644
--- a/backend/src/middleware/auth.ts
+++ b/backend/src/middleware/auth.ts
@@ -16,14 +16,17 @@ export async function requireAuth(
 
   // 2. Bearer token auth (iOS / native clients)
   const authHeader = req.headers.authorization;
+  console.log('[requireAuth] authorization header:', authHeader ? `${authHeader.slice(0, 20)}…` : '(none)');
   if (authHeader?.startsWith('Bearer ')) {
     const accessToken = authHeader.slice(7);
     try {
       const user = await verifyBearerToken(accessToken);
       req.user = user;
       return next();
-    } catch {
-      res.status(401).json({ error: 'Unauthorized' });
+    } catch (err) {
+      const message = err instanceof Error ? err.message : String(err);
+      console.error('[requireAuth] verifyBearerToken failed:', err);
+      res.status(401).json({ error: `Unauthorized: ${message}` });
       return;
     }
   }
diff --git a/ios/TimeTracker/TimeTracker/Core/Auth/AuthService.swift b/ios/TimeTracker/TimeTracker/Core/Auth/AuthService.swift
index 5763735..f6e9c3b 100644
--- a/ios/TimeTracker/TimeTracker/Core/Auth/AuthService.swift
+++ b/ios/TimeTracker/TimeTracker/Core/Auth/AuthService.swift
@@ -198,7 +198,7 @@ extension Notification.Name {
 
 struct TokenResponse: Codable {
     let accessToken: String
-    let idToken: String
+    let idToken: String?
     let tokenType: String
     let expiresIn: Int?
     let user: User
diff --git a/ios/TimeTracker/TimeTracker/Core/Network/APIClient.swift b/ios/TimeTracker/TimeTracker/Core/Network/APIClient.swift
index 514043a..956046f 100644
--- a/ios/TimeTracker/TimeTracker/Core/Network/APIClient.swift
+++ b/ios/TimeTracker/TimeTracker/Core/Network/APIClient.swift
@@ -60,10 +60,11 @@ actor APIClient {
             }
             
             if httpResponse.statusCode == 401 {
+                let message = try? decoder.decode(ErrorResponse.self, from: data).error
                 await MainActor.run {
                     AuthManager.shared.clearAuth()
                 }
-                throw NetworkError.unauthorized
+                throw NetworkError.httpError(statusCode: 401, message: message)
             }
             
             guard (200...299).contains(httpResponse.statusCode) else {
@@ -131,10 +132,11 @@ actor APIClient {
             }
             
             if httpResponse.statusCode == 401 {
+                let message = try? decoder.decode(ErrorResponse.self, from: data).error
                 await MainActor.run {
                     AuthManager.shared.clearAuth()
                 }
-                throw NetworkError.unauthorized
+                throw NetworkError.httpError(statusCode: 401, message: message)
             }
             
             guard (200...299).contains(httpResponse.statusCode) else {
diff --git a/ios/TimeTracker/TimeTracker/Core/Network/APIEndpoints.swift b/ios/TimeTracker/TimeTracker/Core/Network/APIEndpoints.swift
index f36d8ee..6def79d 100644
--- a/ios/TimeTracker/TimeTracker/Core/Network/APIEndpoints.swift
+++ b/ios/TimeTracker/TimeTracker/Core/Network/APIEndpoints.swift
@@ -9,22 +9,22 @@ enum APIEndpoint {
     static let me = "/auth/me"
     
     // Clients
-    static let clients = "/api/clients"
-    static func client(id: String) -> String { "/api/clients/\(id)" }
+    static let clients = "/clients"
+    static func client(id: String) -> String { "/clients/\(id)" }
     
     // Projects
-    static let projects = "/api/projects"
-    static func project(id: String) -> String { "/api/projects/\(id)" }
+    static let projects = "/projects"
+    static func project(id: String) -> String { "/projects/\(id)" }
     
     // Time Entries
-    static let timeEntries = "/api/time-entries"
-    static let timeEntriesStatistics = "/api/time-entries/statistics"
-    static func timeEntry(id: String) -> String { "/api/time-entries/\(id)" }
+    static let timeEntries = "/time-entries"
+    static let timeEntriesStatistics = "/time-entries/statistics"
+    static func timeEntry(id: String) -> String { "/time-entries/\(id)" }
     
     // Timer
-    static let timer = "/api/timer"
-    static let timerStart = "/api/timer/start"
-    static let timerStop = "/api/timer/stop"
+    static let timer = "/timer"
+    static let timerStart = "/timer/start"
+    static let timerStop = "/timer/stop"
 }
 
 struct APIEndpoints {