diff --git a/src/globals/SEOSettings.ts b/src/globals/SEOSettings.ts
index 42d3d6e..5cccb6e 100644
--- a/src/globals/SEOSettings.ts
+++ b/src/globals/SEOSettings.ts
@@ -18,9 +18,17 @@ export const SEOSettings: GlobalConfig = {
 },
 access: {
 // Alle angemeldeten Benutzer können lesen
- read: ({ req: { user } }) => Boolean(user),
+ read: ({ req: { user } }) => {
+ const result = Boolean(user)
+ if (!result) console.log('[DEBUG:SEO] read ACCESS DENIED - no user')
+ return result
+ },
 // Nur Super Admins können bearbeiten
- update: ({ req: { user } }) => Boolean(user?.isSuperAdmin),
+ update: ({ req: { user } }) => {
+ const result = Boolean(user?.isSuperAdmin)
+ console.log('[DEBUG:SEO] update access:', { email: user?.email, isSuperAdmin: user?.isSuperAdmin, result })
+ return result
+ },
 },
 fields: [
 // === META DEFAULTS ===
diff --git a/src/payload.config.ts b/src/payload.config.ts
index cf2d1af..186fd95 100644
--- a/src/payload.config.ts
+++ b/src/payload.config.ts
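Review bot: The new `update` access function writes `user?.email` and `user?.isSuperAdmin` to stdout on every evaluation, allowed or denied, with no environment guard, so account identifiers and role state land in production logs (and access functions are likely evaluated often by the admin UI, not only on real writes). Log only the denial, with an opaque identifier, through the request logger, e.g. `if (!result) req.payload.logger.warn({ userId: user?.id }, 'SEO settings update denied')`, which means keeping `req` whole instead of destructuring `user` out of it. The `read` branch already logs only on denial and could use the same logger call. If these lines are temporary diagnostics, a `// TODO: remove debug logging before release` comment above each would say so.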
@@ -131,6 +131,43 @@ const filename = fileURLToPath(import.meta.url) const dirname = path.dirname(filename) export default buildConfig({ + // DEBUG: Log all API requests that result in 403 + onInit: async (payload) => { + const originalFindGlobal = payload.findGlobal.bind(payload) + payload.findGlobal = async (args: Parameters[0]) => { + try { + return await originalFindGlobal(args) + } catch (err: unknown) { + if (err && typeof err === 'object' && 'status' in err && (err as { status: number }).status === 403) { + console.log('[DEBUG:403] Global read FORBIDDEN:', { slug: args.slug, user: args.req?.user?.email || 'no user' }) + } + throw err + } + } + const originalUpdate = payload.update.bind(payload) + payload.update = async (args: Parameters[0]) => { + try { + return await originalUpdate(args) + } catch (err: unknown) { + if (err && typeof err === 'object' && 'status' in err && (err as { status: number }).status === 403) { + console.log('[DEBUG:403] Collection update FORBIDDEN:', { collection: args.collection, id: args.id, user: args.req?.user?.email || 'no user' }) + } + throw err + } + } + const originalUpdateGlobal = payload.updateGlobal.bind(payload) + payload.updateGlobal = async (args: Parameters[0]) => { + try { + return await originalUpdateGlobal(args) + } catch (err: unknown) { + if (err && typeof err === 'object' && 'status' in err && (err as { status: number }).status === 403) { + console.log('[DEBUG:403] Global update FORBIDDEN:', { slug: args.slug, user: args.req?.user?.email || 'no user' }) + } + throw err + } + } + console.log('[DEBUG] 403 interceptors installed') + }, serverURL: process.env.PAYLOAD_PUBLIC_SERVER_URL || 'https://pl.porwoll.tech', admin: { user: Users.slug,
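Review bot: The comment `// DEBUG: Log all API requests that result in 403` promises more than the wrappers in `onInit` appear to cover: they replace `payload.findGlobal`, `payload.update` and `payload.updateGlobal` on the instance, which are the Local API entry points, and REST or GraphQL requests probably do not pass through them, so HTTP-originated denials may never be logged (confirm against the Payload version in use). Each denial record also prints `args.req?.user?.email` through an unconditional `console.log`; for an access-denied trail prefer the structured logger and an opaque id, e.g. `payload.logger.warn({ slug: args.slug, userId: args.req?.user?.id }, 'global read forbidden')`. The three try/catch wrappers differ only in label and logged fields and could share one helper, which would also keep the 403 check in a single place. The `buildConfig` call continues past the end of this hunk.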