diff --git a/internal/auth/login.go b/internal/auth/login.go
index 30e171e..b1f7ced 100644
--- a/internal/auth/login.go
+++ b/internal/auth/login.go
@@ -10,7 +10,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"log"
 	"net"
 	"net/http"
 	"net/url"
@@ -20,6 +19,8 @@ import (
 	"runtime"
 	"strings"
 	"time"
+
+	"github.com/rs/zerolog/log"
 )
 
 const (
@@ -246,7 +247,7 @@ func exchangeAuthCode(ctx context.Context, code, state, verifier string, port in
 		return nil, fmt.Errorf("save credential: %w", err)
 	}
 
-	log.Printf("login successful, credentials saved to %s", credPath)
+	log.Info().Str("path", credPath).Msg("login successful, credentials saved")
 	return cred, nil
 }
 
diff --git a/internal/auth/refresh.go b/internal/auth/refresh.go
index 9ce869d..6ee7656 100644
--- a/internal/auth/refresh.go
+++ b/internal/auth/refresh.go
@@ -6,7 +6,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"io"
-	"log"
 	"net"
 	"net/http"
 	"os"
@@ -15,6 +14,7 @@ import (
 	"time"
 
 	tls "github.com/refraction-networking/utls"
+	"github.com/rs/zerolog/log"
 	"golang.org/x/net/http2"
 )
 
@@ -200,7 +200,7 @@ func StartBackgroundRefresh(ctx context.Context, pool *Pool) {
 		for {
 			select {
 			case <-ctx.Done():
-				log.Printf("background refresh stopped")
+				log.Info().Msg("background refresh stopped")
 				return
 			case <-time.After(refreshInterval):
 				refreshExpiring(pool)
@@ -222,6 +222,7 @@ func refreshExpiring(pool *Pool) {
 		hasRefresh := cred.RefreshToken != ""
 		nextRetry := cred.nextRefreshAfter
 		email := cred.Email
+		expiresAt := cred.ExpiresAt
 		cred.mu.Unlock()
 
 		if !hasRefresh || !needsRefresh {
@@ -231,21 +232,22 @@ func refreshExpiring(pool *Pool) {
 			continue
 		}
 
-		log.Printf("refreshing token for %s (expires %s)", email, cred.ExpiresAt.Format(time.RFC3339))
+		log.Info().Str("credential", email).Time("expires_at", expiresAt).Msg("refreshing token")
 		ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second)
 		err := RefreshToken(ctx, cred)
 		cancel()
 
 		if err != nil {
-			log.Printf("refresh failed for %s: %v", email, err)
+			log.Error().Err(err).Str("credential", email).Msg("token refresh failed")
 			cred.mu.Lock()
 			cred.nextRefreshAfter = time.Now().Add(refreshBackoff)
 			cred.mu.Unlock()
 		} else {
-			log.Printf("refreshed %s, new expiry %s", email, cred.ExpiresAt.Format(time.RFC3339))
 			cred.mu.Lock()
+			newExpiresAt := cred.ExpiresAt
 			cred.nextRefreshAfter = time.Time{}
 			cred.mu.Unlock()
+			log.Info().Str("credential", email).Time("new_expiry", newExpiresAt).Msg("token refreshed")
 		}
 	}
 }