diff --git a/lib/server.js b/lib/server.js
index 30a85ca..af5cc80 100755
--- a/lib/server.js
+++ b/lib/server.js
@@ -377,7 +377,7 @@ exports.authenticateBewit = async function (req, credentialsFunc, options) {
     const bewit = {
         id: bewitParts[0],
-        exp: parseInt(bewitParts[1], 10),
+        exp: bewitParts[1],
         mac: bewitParts[2],
         ext: bewitParts[3] || ''
     };
@@ -396,12 +396,6 @@ exports.authenticateBewit = async function (req, credentialsFunc, options) {
         url = url + resource[2] + resource[4];
     }
-    // Check expiration
-
-    if (bewit.exp * 1000 <= now) {
-        throw Object.assign(Utils.unauthorized('Access expired'), { bewit });
-    }
-
     // Fetch Hawk credentials
     try {
@@ -443,6 +437,12 @@ exports.authenticateBewit = async function (req, credentialsFunc, options) {
         throw Object.assign(Utils.unauthorized('Bad mac'), result);
     }
+    // Check expiration
+
+    if (parseInt(bewit.exp, 10) * 1000 <= now) {
+        throw Object.assign(Utils.unauthorized('Access expired'), { bewit });
+    }
+
     // Successful authentication
     return result;
diff --git a/test/uri.js b/test/uri.js
index cdd5b07..da29f8d 100755
--- a/test/uri.js
+++ b/test/uri.js
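Review bot: `exp: bewitParts[1]` now keeps the expiry field as the raw string it arrived in, and nothing records why, so a later reader may "restore" the parseInt here and reintroduce the ordering the commit removes; a short comment would protect it: `// Keep exp as received; it is only parsed after the mac has been verified (see the expiration check below)`. This also changes the type of `bewit.exp` on the `{ bewit }` object attached to the 'Access expired' error from number to string, which deserves a changelog line if anything inspects `err.bewit`. Keeping the signed string byte-exact for the mac computation looks intended, but that computation is outside this hunk, as is the start of authenticateBewit.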
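Review bot: `parseInt(bewit.exp, 10)` yields NaN for a non-numeric exp, and `NaN * 1000 <= now` is false, so a bewit whose mac verifies but whose exp is not a number is never treated as expired; the pre-change check had the same gap, but since the line is being rewritten this is the moment to close it. A stricter form would be `const exp = Number(bewit.exp);` followed by `if (!Number.isFinite(exp) || exp * 1000 <= now) {`, which also stops `parseInt` from accepting a trailing-garbage value like `'12abc'` as 12 (Number.isInteger is stronger still, if issuers always emit an integer exp). Since the check now runs after the credentials lookup, `result` is already built when 'Access expired' is thrown; attaching only `{ bewit }`, as the moved code does, matches the previous behaviour. The enclosing function starts outside the hunk.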
@@ -270,12 +270,30 @@ describe('Uri', () => {
             const req = {
                 method: 'GET',
-                url: '/resource/4?a=1&b=2&bewit=MTIzNDU2XDEzNTY0MTg1ODNcWk1wZlMwWU5KNHV0WHpOMmRucTRydEk3NXNXTjFjeWVITTcrL0tNZFdVQT1cc29tZS1hcHAtZGF0YQ',
+                url: '/resource',
+                host: 'example.com',
+                port: 8080
+            };
+            const credentials = credentialsFunc('123456');
+            const bewit = Hawk.uri.getBewit('https://example.com:8080/resource', { credentials, ttlSec: -10 });
+            req.url += '?bewit=' + bewit;
+
+            await expect(Hawk.uri.authenticate(req, credentialsFunc)).to.reject('Access expired');
+        });
+
+        it('validates mac before expiry', async () => {
+
+            const credentials = credentialsFunc('123456');
+            const exp = '1';
+            const expiredInvalidBewit = B64.base64urlEncode(credentials.id + '\\' + exp + '\\somemac\\');
+            const req = {
+                method: 'GET',
+                url: '/resource?bewit=' + expiredInvalidBewit,
                 host: 'example.com',
                 port: 8080
             };
-            await expect(Hawk.uri.authenticate(req, credentialsFunc)).to.reject('Access expired');
+            await expect(Hawk.uri.authenticate(req, credentialsFunc, {})).to.reject('Bad mac');
         });
         it('fails on credentials function error', async () => {
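Review bot: Neither test covers a bewit whose mac verifies but whose exp field is not numeric (for example `'abc'`), which is exactly the input the relocated `parseInt` check in lib/server.js lets through as never expired; a third case that signs such a bewit with the library's own mac helper and asserts it is rejected would catch that regression. The two authenticate calls are also inconsistent for no visible reason: the first passes no options while the new one passes `{}` in `Hawk.uri.authenticate(req, credentialsFunc, {})`. Minor style: `req.url += '?bewit=' + bewit;` and the `'\\' + exp + '\\somemac\\'` concatenation would read better as template literals.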