diff --git a/src/main/java/au/com/royalpay/payment/manage/shopify/auth/domain/service/ShopifyRequestValidator.java b/src/main/java/au/com/royalpay/payment/manage/shopify/auth/domain/service/ShopifyRequestValidator.java
index cf90d7473..6a37029d0 100644
--- a/src/main/java/au/com/royalpay/payment/manage/shopify/auth/domain/service/ShopifyRequestValidator.java
+++ b/src/main/java/au/com/royalpay/payment/manage/shopify/auth/domain/service/ShopifyRequestValidator.java
@@ -21,9 +21,11 @@ public class ShopifyRequestValidator {
 return HmacVerificationUtil.hmacSHA256(message.toString(),clientSecret,parameter.getHmac());
 }
- public boolean verifyPermission(String shopifyStoreHost, String hmac, String timestamp) {
+ public boolean verifyPermission(String shop, String hmac, String timestamp, String host) {
 StringBuilder message =new StringBuilder();
- message.append("shop=").append(shopifyStoreHost)
+ message
+ .append("host=").append(host)
+ .append("&shop=").append(shop)
 .append("×tamp=").append(timestamp);
 return HmacVerificationUtil.hmacSHA256(message.toString(),clientSecret,hmac);
 }
diff --git a/src/main/java/au/com/royalpay/payment/manage/shopify/auth/web/ShopifyAuthTemplateController.java b/src/main/java/au/com/royalpay/payment/manage/shopify/auth/web/ShopifyAuthTemplateController.java
index c57b68a81..29c1f22d0 100644
--- a/src/main/java/au/com/royalpay/payment/manage/shopify/auth/web/ShopifyAuthTemplateController.java
+++ b/src/main/java/au/com/royalpay/payment/manage/shopify/auth/web/ShopifyAuthTemplateController.java
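Review bot: `verifyPermission` still assembles the signed message from a hard-coded parameter list (`host`, `shop`, `timestamp`), so verification will break again as soon as the request carries any other signed parameter, which is the failure this commit patches for `host`. Shopify documents the signature as covering every query parameter except `hmac`, sorted by key and joined with `&`, so the validator is more robust if it takes the full parameter map and derives the message from it, as sketched below. The controller's `shopifyStorePermission` in the second file would then bind `@RequestParam Map<String, String>` and pass it through instead of individual values. Whether `HmacVerificationUtil.hmacSHA256` compares digests in constant time is not visible in this diff; confirm it uses something like `MessageDigest.isEqual` rather than `String.equals`.

```java
public boolean verifyPermission(Map<String, String> queryParams) {
    // Sign every received parameter except hmac, in lexicographic key order,
    // so an added or newly introduced parameter changes the message instead of being ignored.
    // NOTE(review): confirm the value encoding here matches what Shopify signed.
    String message = new TreeMap<>(queryParams).entrySet().stream()
            .filter(e -> !"hmac".equals(e.getKey()))
            .map(e -> e.getKey() + "=" + e.getValue())
            .collect(Collectors.joining("&"));
    return HmacVerificationUtil.hmacSHA256(message, clientSecret, queryParams.get("hmac"));
}
```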
@@ -38,13 +38,14 @@ public class ShopifyAuthTemplateController {
 */
 @GetMapping("/auth")
 @ShopifyEndpoint
- public String shopifyStorePermission(@RequestParam("shop") String shop,
- @RequestParam("hmac") String hmac,
+ public String shopifyStorePermission(@RequestParam("hmac") String hmac,
+ @RequestParam("host") String host,
+ @RequestParam("shop") String shop,
 @RequestParam("timestamp") String timestamp) {
 if (!Pattern.matches("^[a-zA-Z0-9][a-zA-Z0-9\\-]*\\.myshopify\\.com", shop)) {
 throw new BadRequestException("Parameter shop is invalid.");
 }
- if (!shopifyRequestValidator.verifyPermission(shop, hmac, timestamp)) {
+ if (!shopifyRequestValidator.verifyPermission(shop, hmac, timestamp,host)) {
 throw new ShopifyRequestVerifyException("This request parameters is invalid");
 }
 ShopifyPermissionURL shopifyPermissionURL = shopifyMerchantAuthApplication.getShopifyPermissionUrl(shop);
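Review bot: Nothing in the visible part of `shopifyStorePermission` bounds the age of `timestamp`; it is only passed into `verifyPermission`, so a correctly signed `/auth` URL remains acceptable indefinitely unless freshness is enforced elsewhere. After the HMAC check succeeds, consider rejecting stale requests, e.g. `if (Math.abs(Instant.now().getEpochSecond() - Long.parseLong(timestamp)) > MAX_SKEW_SECONDS) throw new BadRequestException("Parameter timestamp is invalid.");`, where `MAX_SKEW_SECONDS` is a constant to be defined for this project and a non-numeric `timestamp` is handled as a bad request rather than an uncaught `NumberFormatException`. As a style point, the new call `verifyPermission(shop, hmac, timestamp,host)` is missing a space after the last comma. The method body continues past the end of this hunk, so how `shopifyPermissionURL` is used is not visible here.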