diff --git a/api.php b/api.php
index f6954aa..e6b7bd1 100644
--- a/api.php
+++ b/api.php
@@ -2289,8 +2289,10 @@ switch ($action) {
     case 'todo_status':
         requireAuth();
         $companyId = requireCompany();
-        if ($method !== 'POST') break;
-        $input = json_decode(file_get_contents('php://input'), true);
+        if ($method !== 'POST') { echo json_encode(['error' => 'POST required']); break; }
+        $rawInput = file_get_contents('php://input');
+        $input = json_decode($rawInput, true);
+        if (!$input) { echo json_encode(['error' => 'Invalid JSON input', 'raw' => substr($rawInput, 0, 200)]); break; }
         $id = $input['id'] ?? '';
         $status = $input['status'] ?? '';
         $todo = dbLoadTodo($id);
diff --git a/script.js b/script.js
index 90eb028..9ef34bf 100644
--- a/script.js
+++ b/script.js
@@ -32,7 +32,12 @@ async function apiCall(action, method = 'GET', body = null) {
         opts.body = JSON.stringify(body);
     }
     const res = await fetch(`${API}?action=${action}`, opts);
-    const data = await res.json();
+    const text = await res.text();
+    let data;
+    try { data = JSON.parse(text); } catch (e) {
+        console.error('API JSON parse error:', action, text.slice(0, 500));
+        throw new Error('Palvelin palautti virheellisen vastauksen');
+    }
     if (!res.ok) throw new Error(data.error || 'Virhe');
     return data;
 }