diff --git a/CHANGELOG.next.asciidoc b/CHANGELOG.next.asciidoc
index 09016e3fd..de32f656f 100644
--- a/CHANGELOG.next.asciidoc
+++ b/CHANGELOG.next.asciidoc
@@ -4,6 +4,7 @@
 - Give a grace period when starting the unenroll monitor. {issue}1500[1500]
 - Fixes a race condition between the unenroller goroutine and the main goroutine for the coordinator monitor. {issues}1738[1738]
 - Remove events from agent checkin body. {issue}1774[1774]
+- Improve authc debug logging. {pull}1870[1870]
 - Add error detail to catch-all HTTP error response. {pull}1854[1854]
 
 ==== New Features
diff --git a/internal/pkg/api/auth.go b/internal/pkg/api/auth.go
index d83c7d8ae..9e9151c72 100644
--- a/internal/pkg/api/auth.go
+++ b/internal/pkg/api/auth.go
@@ -33,6 +33,8 @@ var (
 func authAPIKey(r *http.Request, bulker bulk.Bulk, c cache.Cache) (*apikey.APIKey, error) {
 	span, ctx := apm.StartSpan(r.Context(), "authAPIKey", "auth")
 	defer span.End()
+	start := time.Now()
+	reqID := r.Header.Get(logger.HeaderRequestID)
 
 	key, err := apikey.ExtractAPIKey(r)
 	if err != nil {
@@ -41,15 +43,17 @@ func authAPIKey(r *http.Request, bulker bulk.Bulk, c cache.Cache) (*apikey.APIKe
 
 	if c.ValidAPIKey(*key) {
 		span.Context.SetLabel("api_key_cache_hit", true)
+		log.Debug().
+			Str("id", key.ID).
+			Str(ECSHTTPRequestID, reqID).
+			Int64(ECSEventDuration, time.Since(start).Nanoseconds()).
+			Bool("fleet.api_key.cache_hit", true).
+			Msg("ApiKey authenticated")
 		return key, nil
 	} else {
 		span.Context.SetLabel("api_key_cache_hit", false)
 	}
 
-	reqID := r.Header.Get(logger.HeaderRequestID)
-
-	start := time.Now()
-
 	info, err := bulker.APIKeyAuth(ctx, *key)
 
 	if err != nil {
@@ -62,7 +66,7 @@ func authAPIKey(r *http.Request, bulker bulk.Bulk, c cache.Cache) (*apikey.APIKe
 		return nil, err
 	}
 
-	log.Trace().
+	log.Debug().
 		Str("id", key.ID).
 		Str(ECSHTTPRequestID, reqID).
 		Int64(ECSEventDuration, time.Since(start).Nanoseconds()).
@@ -70,6 +74,7 @@ func authAPIKey(r *http.Request, bulker bulk.Bulk, c cache.Cache) (*apikey.APIKe
 		Strs("roles", info.Roles).
 		Bool("enabled", info.Enabled).
 		RawJSON("meta", info.Metadata).
+		Bool("fleet.api_key.cache_hit", false).
 		Msg("ApiKey authenticated")
 
 	c.SetAPIKey(*key, info.Enabled)