diff --git a/src/main/java/au/com/royalpay/payment/manage/shopify/auth/domain/service/ShopifyRequestValidator.java b/src/main/java/au/com/royalpay/payment/manage/shopify/auth/domain/service/ShopifyRequestValidator.java
index cf90d7473..3c7daab6f 100644
--- a/src/main/java/au/com/royalpay/payment/manage/shopify/auth/domain/service/ShopifyRequestValidator.java
+++ b/src/main/java/au/com/royalpay/payment/manage/shopify/auth/domain/service/ShopifyRequestValidator.java
@@ -12,23 +12,20 @@ public class ShopifyRequestValidator {
     private String clientSecret;
 
     public Boolean valid(ShopifyCommonParameter parameter) {
-        StringBuilder message =new StringBuilder();
+        StringBuilder message = new StringBuilder();
         message.append("code=").append(parameter.getCode())
                 .append("&host=").append(parameter.getHost())
                 .append("&shop=").append(parameter.getShop())
                 .append("&state=").append(parameter.getState())
                 .append("&timestamp=").append(parameter.getTimestamp());
-        return HmacVerificationUtil.hmacSHA256(message.toString(),clientSecret,parameter.getHmac());
+        return HmacVerificationUtil.hmacSHA256(message.toString(), clientSecret, parameter.getHmac());
     }
 
-    public boolean verifyPermission(String shopifyStoreHost, String hmac, String timestamp) {
-        StringBuilder message =new StringBuilder();
-        message.append("shop=").append(shopifyStoreHost)
-                .append("&timestamp=").append(timestamp);
-        return HmacVerificationUtil.hmacSHA256(message.toString(),clientSecret,hmac);
+    public boolean verifyPermission(String queryStrWithoutHmac, String hmac) {
+        return HmacVerificationUtil.hmacSHA256(queryStrWithoutHmac, clientSecret, hmac);
     }
 
     public boolean verify(String message, String hmac) {
-        return HmacVerificationUtil.hmacSHA256(message,clientSecret,hmac);
+        return HmacVerificationUtil.hmacSHA256(message, clientSecret, hmac);
     }
 }
diff --git a/src/main/java/au/com/royalpay/payment/manage/shopify/auth/web/ShopifyAuthTemplateController.java b/src/main/java/au/com/royalpay/payment/manage/shopify/auth/web/ShopifyAuthTemplateController.java
index c57b68a81..dcd5c9d70 100644
--- a/src/main/java/au/com/royalpay/payment/manage/shopify/auth/web/ShopifyAuthTemplateController.java
+++ b/src/main/java/au/com/royalpay/payment/manage/shopify/auth/web/ShopifyAuthTemplateController.java
@@ -10,9 +10,12 @@ import au.com.royalpay.payment.tools.env.PlatformEnvironment;
 import au.com.royalpay.payment.tools.exceptions.BadRequestException;
 import org.springframework.beans.factory.annotation.Autowired;
 import org.springframework.data.redis.core.StringRedisTemplate;
+import org.springframework.http.server.ServletServerHttpRequest;
 import org.springframework.stereotype.Controller;
 import org.springframework.web.bind.annotation.*;
+import org.springframework.web.util.UriComponentsBuilder;
 
+import javax.servlet.http.HttpServletRequest;
 import java.util.regex.Pattern;
 
 @Controller
@@ -33,18 +36,18 @@ public class ShopifyAuthTemplateController {
      *
      * @param shop
      * @param hmac
-     * @param timestamp
      * @return
      */
     @GetMapping("/auth")
     @ShopifyEndpoint
     public String shopifyStorePermission(@RequestParam("shop") String shop,
-                                         @RequestParam("hmac") String hmac,
-                                         @RequestParam("timestamp") String timestamp) {
+                                         @RequestParam("hmac") String hmac, HttpServletRequest request) {
         if (!Pattern.matches("^[a-zA-Z0-9][a-zA-Z0-9\\-]*\\.myshopify\\.com", shop)) {
             throw new BadRequestException("Parameter shop is invalid.");
         }
-        if (!shopifyRequestValidator.verifyPermission(shop, hmac, timestamp)) {
+        String queryStr = UriComponentsBuilder.fromHttpRequest(new ServletServerHttpRequest(request))
+                .replaceQueryParam("hmac").build().getQuery();
+        if (!shopifyRequestValidator.verifyPermission(queryStr, hmac)) {
             throw new ShopifyRequestVerifyException("This request parameters is invalid");
         }
         ShopifyPermissionURL shopifyPermissionURL = shopifyMerchantAuthApplication.getShopifyPermissionUrl(shop);
diff --git a/src/test/java/au/com/royalpay/payment/manage/shopify/support/HmacVerificationUtilTest.java b/src/test/java/au/com/royalpay/payment/manage/shopify/support/HmacVerificationUtilTest.java
new file mode 100644
index 000000000..acc19713a
--- /dev/null
+++ b/src/test/java/au/com/royalpay/payment/manage/shopify/support/HmacVerificationUtilTest.java
@@ -0,0 +1,25 @@
+package au.com.royalpay.payment.manage.shopify.support;
+
+import org.junit.jupiter.api.Test;
+import org.springframework.web.util.UriComponentsBuilder;
+
+import static org.junit.jupiter.api.Assertions.*;
+
+class HmacVerificationUtilTest {
+
+    @Test
+    void checkParameters() {
+        String message = "host=Z2Vlay10ZXN0LXNob3AubXlzaG9waWZ5LmNvbS9hZG1pbg&shop=geek-test-shop.myshopify.com&timestamp=1648025715";
+        String key = "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";
+        String hmac = "803cd4924b19cedc5361ab09776d078a18be3ba32fd7d62de72269a12bec1ffc";
+        assert HmacVerificationUtil.hmacSHA256(message, key, hmac);
+    }
+
+    @Test
+    void testQuery() {
+        String base = "host=Z2Vlay10ZXN0LXNob3AubXlzaG9waWZ5LmNvbS9hZG1pbg&timestamp=1648025715&shop=geek-test-shop.myshopify.com";
+        String query = UriComponentsBuilder.fromUriString("/shopify/auth?hmac=803cd4924b19cedc5361ab09776d078a18be3ba32fd7d62de72269a12bec1ffc&host=Z2Vlay10ZXN0LXNob3AubXlzaG9waWZ5LmNvbS9hZG1pbg&timestamp=1648025715&shop=geek-test-shop.myshopify.com")
+                .replaceQueryParam("hmac").build().getQuery();
+        assertEquals(base, query);
+    }
+}
\ No newline at end of file