diff --git a/internal/ghl/oauth.go b/internal/ghl/oauth.go
index df05885..2536b2a 100644
--- a/internal/ghl/oauth.go
+++ b/internal/ghl/oauth.go
@@ -90,6 +90,12 @@ func (h *OAuthHandler) HandleCallback(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if tokenResp.LocationID == "" {
+		slog.Error("ghl oauth token missing locationId", "company_id", tokenResp.CompanyID, "user_type", tokenResp.UserType)
+		http.Error(w, "GHL token response did not include a locationId — ensure you selected a sub-account (Location), not an Agency, during authorization", http.StatusBadRequest)
+		return
+	}
+
 	expiresAt := time.Now().Add(time.Duration(tokenResp.ExpiresIn) * time.Second)
 	record := &store.TokenRecord{
 		LocationID:   tokenResp.LocationID,
@@ -196,5 +202,6 @@ func (h *OAuthHandler) postToken(ctx context.Context, data url.Values) (*TokenRe
 	if err := json.Unmarshal(body, &tokenResp); err != nil {
 		return nil, fmt.Errorf("failed to parse token response: %w", err)
 	}
+	slog.Info("ghl token response fields", "location_id", tokenResp.LocationID, "company_id", tokenResp.CompanyID, "user_type", tokenResp.UserType)
 	return &tokenResp, nil
 }