diff --git a/authority/authorize.go b/authority/authorize.go
index 9f2823e5..d0d04121 100644
--- a/authority/authorize.go
+++ b/authority/authorize.go
@@ -3,6 +3,7 @@ package authority
 import (
 	"crypto/x509"
 	"net/http"
+	"strings"
 	"time"
 
 	"github.com/pkg/errors"
@@ -55,7 +56,8 @@ func (a *Authority) Authorize(ott string) ([]provisioner.SignOption, error) {
 	// This method will also validate the audiences for JWK provisioners.
 	p, ok := a.provisioners.LoadByToken(token, &claims.Claims)
 	if !ok {
-		return nil, &apiError{errors.Errorf("authorize: provisioner not found or invalid audience %s", claims.Audience),
+		return nil, &apiError{
+			errors.Errorf("authorize: provisioner not found or invalid audience (%s)", strings.Join(claims.Audience, ", ")),
 			http.StatusUnauthorized, errContext}
 	}