diff --git a/identity_credential/src/domain_linkage/domain_linkage_configuration.rs b/identity_credential/src/domain_linkage/domain_linkage_configuration.rs
index 2e4eaf3493..15637df441 100644
--- a/identity_credential/src/domain_linkage/domain_linkage_configuration.rs
+++ b/identity_credential/src/domain_linkage/domain_linkage_configuration.rs
@@ -128,6 +128,9 @@ mod __fetch_configuration {
       if domain.scheme() != "https" {
         return Err(DomainLinkageError("domain` does not use `https` protocol".into()));
       }
+      if domain.path() != "/" || domain.query().is_some() || domain.fragment().is_some() {
+        return Err(DomainLinkageError("domain mut not include any path, query of fragment".into()));
+      }
       domain.set_path(".well-known/did-configuration.json");
 
       let client: Client = reqwest::ClientBuilder::new()
diff --git a/identity_credential/src/domain_linkage/domain_linkage_credential_builder.rs b/identity_credential/src/domain_linkage/domain_linkage_credential_builder.rs
index 96e3323718..2ae7db01af 100644
--- a/identity_credential/src/domain_linkage/domain_linkage_credential_builder.rs
+++ b/identity_credential/src/domain_linkage/domain_linkage_credential_builder.rs
@@ -74,6 +74,11 @@ impl DomainLinkageCredentialBuilder {
         "origin must be a domain with http(s) scheme".into(),
       ));
     }
+    if origin.path() != "/" || origin.query().is_some() || origin.fragment().is_some() {
+      return Err(Error::DomainLinkageError(
+        "origin must not contain any path, query or fragment".into()
+      ))
+    }
 
     let mut properties: Object = Object::new();
     properties.insert("origin".into(), origin.into_string().into());
@@ -139,6 +144,18 @@ mod tests {
       .unwrap_err();
     assert!(matches!(err, Error::DomainLinkageError(_)));
   }
+  #[test]
+  fn test_builder_origin_is_a_url() {
+    let issuer: CoreDID = "did:example:issuer".parse().unwrap();
+    let err: Error = DomainLinkageCredentialBuilder::new()
+      .issuance_date(Timestamp::now_utc())
+      .expiration_date(Timestamp::now_utc())
+      .issuer(issuer)
+      .origin(Url::parse("https://example.com/foo?bar=420#baz").unwrap())
+      .build()
+      .unwrap_err();
+    assert!(matches!(err, Error::DomainLinkageError(_)));
+  }
 
   #[test]
   fn test_builder_no_issuer() {
diff --git a/identity_credential/src/domain_linkage/domain_linkage_validator.rs b/identity_credential/src/domain_linkage/domain_linkage_validator.rs
index aa2fd8e656..bacde4ef75 100644
--- a/identity_credential/src/domain_linkage/domain_linkage_validator.rs
+++ b/identity_credential/src/domain_linkage/domain_linkage_validator.rs
@@ -190,6 +190,12 @@ impl<V: JwsVerifier> JwtDomainLinkageValidator<V> {
           source: Some(Box::new(other_error)),
         }),
       }?;
+      if origin_url.path() != "/" || origin_url.query().is_some() || origin_url.fragment().is_some() {
+        return Err(DomainLinkageValidationError {
+          cause: DomainLinkageValidationErrorCause::InvalidSubjectOrigin,
+          source: None,
+        });
+      }
       if origin_url.origin() != domain.origin() {
         return Err(DomainLinkageValidationError {
           cause: DomainLinkageValidationErrorCause::OriginMismatch,