diff --git a/packages/endpoint-auth/lib/controllers/authorization.js b/packages/endpoint-auth/lib/controllers/authorization.js
index 31afaa178..6341fc0ca 100644
--- a/packages/endpoint-auth/lib/controllers/authorization.js
+++ b/packages/endpoint-auth/lib/controllers/authorization.js
@@ -38,7 +38,7 @@ export const authorizationController = {
       }
 
       // `response_type` must be `code` (or deprecated `id`)
-      if (!/^(code|id)$/.test(request.query.response_type)) {
+      if (!/^(code|id)$/.test(String(request.query.response_type))) {
         throw IndiekitError.badRequest(
           response.locals.__("BadRequestError.invalidValue", "response_type")
         );
@@ -54,7 +54,7 @@ export const authorizationController = {
 
         // Canonicalise URLs for later comparison
         if (request.query[uri]) {
-          request.query[uri] = getCanonicalUrl(request.query[uri]);
+          request.query[uri] = getCanonicalUrl(String(request.query[uri]));
         }
       }
 
@@ -70,7 +70,7 @@ export const authorizationController = {
       }
 
       // Add client information to locals
-      request.app.locals.client = await getClientInformation(client_id);
+      request.app.locals.client = await getClientInformation(String(client_id));
 
       // Use PKCE if code challenge parameters provided
       request.app.locals.usePkce = code_challenge && code_challenge_method;
diff --git a/packages/endpoint-auth/lib/pushed-authorization-request.js b/packages/endpoint-auth/lib/pushed-authorization-request.js
index 761965865..e20319e0b 100644
--- a/packages/endpoint-auth/lib/pushed-authorization-request.js
+++ b/packages/endpoint-auth/lib/pushed-authorization-request.js
@@ -28,7 +28,7 @@ export const createRequestUri = (request) => {
  */
 export const getRequestUriData = (request) => {
   const { request_uri } = request.query;
-  const reference = request_uri.split(":")[5];
+  const reference = String(request_uri).split(":")[5];
 
   return request.app.locals[reference];
 };