diff --git a/src/millipds/auth_bearer.py b/src/millipds/auth_bearer.py
index 966b146..5d4e294 100644
--- a/src/millipds/auth_bearer.py
+++ b/src/millipds/auth_bearer.py
@@ -170,7 +170,8 @@ async def auth_middleware(request: web.Request, handler):
 if revoked:
 raise web.HTTPUnauthorized(text="revoked token")
- request_lxm = request.path.rpartition("/")[2].partition("?")[0]
+ # note: request.path does not include the query string
+ request_lxm = request.path.rpartition("/")[2]
 if request_lxm != payload.get("lxm"):
 raise web.HTTPUnauthorized(text="invalid jwt: bad lxm")
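Review bot: The `lxm` check at `request_lxm = request.path.rpartition("/")[2]` binds the token only to the last path segment, so any authenticated route whose path merely ends in `/<lxm>` would satisfy it; whether such routes exist cannot be seen from this hunk. aiohttp's `request.path` is also the percent-decoded path, so the segment compared here may not be the one the client sent in raw form. Comparing the whole path and making the missing-claim case explicit is stricter: `lxm = payload.get("lxm")` followed by `if not isinstance(lxm, str) or request.path != ROUTE_PREFIX + lxm:`, where `ROUTE_PREFIX` is a placeholder for the router's method prefix. As written, a token without an `lxm` claim is rejected only because `None` never equals a string, which deserves at least a comment saying so. The body of `auth_middleware` starts and ends outside the hunk.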