diff --git a/app/Http/Controllers/LnurlAuthController.php b/app/Http/Controllers/LnurlAuthController.php
index 6f7e44b..b381bad 100644
--- a/app/Http/Controllers/LnurlAuthController.php
+++ b/app/Http/Controllers/LnurlAuthController.php
@@ -24,11 +24,24 @@ final class LnurlAuthController extends Controller
 {
 try {
 $validated = $request->validate([
- 'k1' => ['required', 'string', 'hex', 'size:128'],
+ 'k1' => ['required', 'string', 'size:64'],
 'sig' => ['required', 'string'],
- 'key' => ['required', 'string', 'hex', 'min:64', 'max:66'],
+ 'key' => ['required', 'string', 'min:64', 'max:66'],
 ]);
 
+ // Validate hex format manually
+ if (! ctype_xdigit($validated['k1'])) {
+ throw ValidationException::withMessages([
+ 'k1' => ['The k1 field must be a valid hexadecimal string.'],
+ ]);
+ }
+
+ if (! ctype_xdigit($validated['key'])) {
+ throw ValidationException::withMessages([
+ 'key' => ['The key field must be a valid hexadecimal string.'],
+ ]);
+ }
+
 $isVerified = lnurl\auth($validated['k1'], $validated['sig'], $validated['key']);
 
 if (! $isVerified) {
diff --git a/tests/Feature/LnurlAuthTest.php b/tests/Feature/LnurlAuthTest.php
index 8bc7172..7d1b504 100644
--- a/tests/Feature/LnurlAuthTest.php
+++ b/tests/Feature/LnurlAuthTest.php
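Review bot: The `key` rule on the new side still admits lengths 64 through 66, so a 65-character hex string passes `max:66` and the added `ctype_xdigit` check even though odd-length hex cannot decode to whole bytes, and `sig` reaches `lnurl\auth` with no format check at all beyond `required|string`. Unless `lnurl\auth` is known to reject malformed input itself (not visible here), tighten both at the validator: `'sig' => ['required', 'string', 'regex:/^(?:[0-9a-f]{2})+$/i'],` and `'key' => ['required', 'string', 'regex:/^(?:[0-9a-f]{64}|[0-9a-f]{66})$/i'],` (the LNURL-auth linking key is normally the 66-character compressed form; keep the 64 alternative only if the library accepts it), with `'k1' => ['required', 'string', 'regex:/^[0-9a-f]{64}$/i'],` for symmetry. With regex rules the two manual `ctype_xdigit` blocks become redundant, since `$validated` is only populated once every rule passes, and a regex failure is still a `ValidationException`, so the error path presumably stays the same. The `try` block and the `if (! $isVerified)` branch continue past the end of the hunk.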
@@ -18,10 +18,30 @@ test('lnurl auth callback validates required parameters', function () { ]); }); +test('lnurl auth callback validates hex format for k1 and key', function () { + // Invalid k1 (not hex) + $response = $this->get(route('auth.ln.callback').'?k1=ZZZZ'.str()->random(60).'&sig='.str()->random(128).'&key='.bin2hex(random_bytes(33))); + + $response->assertStatus(400) + ->assertJson([ + 'status' => 'ERROR', + 'reason' => 'Invalid request parameters', + ]); + + // Invalid key (not hex) + $response = $this->get(route('auth.ln.callback').'?k1='.bin2hex(random_bytes(32)).'&sig='.str()->random(128).'&key=ZZZZ'.str()->random(60)); + + $response->assertStatus(400) + ->assertJson([ + 'status' => 'ERROR', + 'reason' => 'Invalid request parameters', + ]); +}); + test('lnurl auth callback handles signature verification failures', function () { - $k1 = str()->random(64); - $sig = str()->random(128); - $key = str()->random(64); + $k1 = bin2hex(random_bytes(32)); + $sig = bin2hex(random_bytes(64)); + $key = bin2hex(random_bytes(33)); $response = $this->get(route('auth.ln.callback').'?k1='.$k1.'&sig='.$sig.'&key='.$key);