diff --git a/backend/app/api/auth.py b/backend/app/api/auth.py
index 4e76906..6a637d3 100644
--- a/backend/app/api/auth.py
+++ b/backend/app/api/auth.py
@@ -119,6 +119,7 @@ async def pocketid_callback(code: str, db: AsyncSession = Depends(get_db)):
                   "client_id": client_id, "client_secret": client_secret},
         )
         if resp.status_code != 200:
+            print(f"PocketID token exchange failed ({resp.status_code}): {resp.text}")
             raise HTTPException(status_code=400, detail="Token exchange failed")
         tokens = resp.json()
         userinfo_resp = await client.get(
diff --git a/backend/app/api/profile.py b/backend/app/api/profile.py
index 0e307d4..c1e9977 100644
--- a/backend/app/api/profile.py
+++ b/backend/app/api/profile.py
@@ -154,8 +154,10 @@ async def save_pocketid_config(
         current_user.pocketid_issuer = body.issuer.rstrip("/") if body.issuer else None
     if body.client_id is not None:
         current_user.pocketid_client_id = body.client_id or None
-    if body.client_secret is not None:
-        current_user.pocketid_client_secret = body.client_secret or None
+    # Only overwrite the secret when a non-empty value is supplied; a blank
+    # field means "keep the existing secret" (matches the UI hint).
+    if body.client_secret:
+        current_user.pocketid_client_secret = body.client_secret
     if body.allowed_group is not None:
         current_user.pocketid_allowed_group = body.allowed_group.strip() or None
     await db.commit()
diff --git a/milevault_export/backend/app/api/auth.py b/milevault_export/backend/app/api/auth.py
index 4e76906..6a637d3 100644
--- a/milevault_export/backend/app/api/auth.py
+++ b/milevault_export/backend/app/api/auth.py
@@ -119,6 +119,7 @@ async def pocketid_callback(code: str, db: AsyncSession = Depends(get_db)):
                   "client_id": client_id, "client_secret": client_secret},
         )
         if resp.status_code != 200:
+            print(f"PocketID token exchange failed ({resp.status_code}): {resp.text}")
             raise HTTPException(status_code=400, detail="Token exchange failed")
         tokens = resp.json()
         userinfo_resp = await client.get(
diff --git a/milevault_export/backend/app/api/profile.py b/milevault_export/backend/app/api/profile.py
index 0e307d4..c1e9977 100644
--- a/milevault_export/backend/app/api/profile.py
+++ b/milevault_export/backend/app/api/profile.py
@@ -154,8 +154,10 @@ async def save_pocketid_config(
         current_user.pocketid_issuer = body.issuer.rstrip("/") if body.issuer else None
     if body.client_id is not None:
         current_user.pocketid_client_id = body.client_id or None
-    if body.client_secret is not None:
-        current_user.pocketid_client_secret = body.client_secret or None
+    # Only overwrite the secret when a non-empty value is supplied; a blank
+    # field means "keep the existing secret" (matches the UI hint).
+    if body.client_secret:
+        current_user.pocketid_client_secret = body.client_secret
     if body.allowed_group is not None:
         current_user.pocketid_allowed_group = body.allowed_group.strip() or None
     await db.commit()