diff --git a/uma/test/uma_test.go b/uma/test/uma_test.go
index ff9b39f..f42e4e8 100644
--- a/uma/test/uma_test.go
+++ b/uma/test/uma_test.go
@@ -44,6 +44,13 @@ func TestParse(t *testing.T) {
 assert.ObjectsAreEqual(expectedQuery, *query)
 }
 
+func TestInvalidUserName(t *testing.T) {
+ urlString := "https://vasp2.com/.well-known/lnurlp/bob<>%20?signature=signature&nonce=12345&vaspDomain=vasp1.com&umaVersion=1.0&isSubjectToTravelRule=true×tamp=12345678"
+ urlObj, _ := url.Parse(urlString)
+ _, err := uma.ParseLnurlpRequest(*urlObj)
+ require.Error(t, err)
+}
+
 func TestIsUmaQueryValid(t *testing.T) {
 urlString := "https://vasp2.com/.well-known/lnurlp/bob?signature=signature&nonce=12345&vaspDomain=vasp1.com&umaVersion=1.0&isSubjectToTravelRule=true×tamp=12345678"
 urlObj, _ := url.Parse(urlString)
diff --git a/uma/uma.go b/uma/uma.go
index c9156a9..97d89f2 100644
--- a/uma/uma.go
+++ b/uma/uma.go
@@ -11,6 +11,7 @@ import (
 "math/big"
 "net/http"
 "net/url"
+ "regexp"
 "strconv"
 "strings"
 "time"
@@ -313,7 +314,12 @@ func ParseLnurlpRequestWithReceiverDomain(url url.URL, receiverDomain string) (*
 if len(pathParts) != 4 || pathParts[1] != ".well-known" || pathParts[2] != "lnurlp" {
 return nil, errors.New("invalid uma request path")
 }
- receiverAddress := pathParts[3] + "@" + receiverDomain
+ username := pathParts[3]
+ var validUsernameRegex = regexp.MustCompile(`^[$a-zA-Z0-9._\-+]+$`)
+ if !validUsernameRegex.MatchString(username) {
+ return nil, errors.New("invalid uma username")
+ }
+ receiverAddress := username + "@" + receiverDomain
 nilIfEmpty := func(s string) *string {
 if s == "" {
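Review bot: `require.Error(t, err)` in TestInvalidUserName accepts any failure, so the test would still pass if ParseLnurlpRequest rejected this request for an unrelated reason before the new username check ran; pin the message the validation produces, `require.EqualError(t, err, "invalid uma username")`. The error discarded from `url.Parse` on the line above is also worth keeping, since a nil `urlObj` would make `*urlObj` panic rather than report a clean failure: `urlObj, err := url.Parse(urlString)` followed by `require.NoError(t, err)`, with the later call changed to `_, err = uma.ParseLnurlpRequest(*urlObj)`. A small table of rejected names (an empty segment, one with whitespace) alongside the `bob<>%20` case would make the boundary of the accepted character set explicit, though a single case is acceptable for now.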