diff --git a/lib/shopify_api/session.rb b/lib/shopify_api/session.rb
index b55c4f91d..9735f8f78 100644
--- a/lib/shopify_api/session.rb
+++ b/lib/shopify_api/session.rb
@@ -73,9 +73,10 @@ def initialize(url, token = nil, extra = {})
 self.extra = extra
 end
- def create_permission_url(scope, redirect_uri = nil)
- params = {:client_id => api_key, :scope => scope.join(',')}
+ def create_permission_url(scope, redirect_uri = nil, state: nil)
+ params = { client_id: api_key, scope: scope.join(',') }
 params[:redirect_uri] = redirect_uri if redirect_uri
+ params[:state] = state if state
 "#{site}/oauth/authorize?#{parameterize(params)}"
 end
diff --git a/test/session_test.rb b/test/session_test.rb
index 2ca399e38..660a74fd4 100644
--- a/test/session_test.rb
+++ b/test/session_test.rb
@@ -74,7 +74,7 @@ def setup
 end
 test "create_permission_url returns correct url with single scope no redirect uri" do
- ShopifyAPI::Session.setup(:api_key => "My_test_key", :secret => "My test secret")
+ ShopifyAPI::Session.setup(api_key: "My_test_key", secret: "My test secret")
 session = ShopifyAPI::Session.new('http://localhost.myshopify.com')
 scope = ["write_products"]
 permission_url = session.create_permission_url(scope)
@@ -82,7 +82,7 @@ def setup
 end
 test "create_permission_url returns correct url with single scope and redirect uri" do
- ShopifyAPI::Session.setup(:api_key => "My_test_key", :secret => "My test secret")
+ ShopifyAPI::Session.setup(api_key: "My_test_key", secret: "My test secret")
 session = ShopifyAPI::Session.new('http://localhost.myshopify.com')
 scope = ["write_products"]
 permission_url = session.create_permission_url(scope, "http://my_redirect_uri.com")
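Review bot: `create_permission_url` in lib/shopify_api/session.rb now accepts `state:` but nothing on the method says what the value is for, and this is the OAuth CSRF nonce. I would add a comment above the def such as `# state: unguessable per-request value (e.g. SecureRandom.hex); keep it in the user's session and compare it with the state echoed to the callback before requesting a token`. Nothing in this hunk checks the value when it comes back, so the protection rests on the caller making that comparison. Separately, `params[:state] = state if state` sends an empty `state=` for `""`, because an empty string is truthy in Ruby; `params[:state] = state unless state.to_s.empty?` would drop it.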
@@ -90,7 +90,7 @@ def setup
 end
 test "create_permission_url returns correct url with dual scope no redirect uri" do
- ShopifyAPI::Session.setup(:api_key => "My_test_key", :secret => "My test secret")
+ ShopifyAPI::Session.setup(api_key: "My_test_key", secret: "My test secret")
 session = ShopifyAPI::Session.new('http://localhost.myshopify.com')
 scope = ["write_products","write_customers"]
 permission_url = session.create_permission_url(scope)
@@ -98,11 +98,25 @@ def setup
 end
 test "create_permission_url returns correct url with no scope no redirect uri" do
- ShopifyAPI::Session.setup(:api_key => "My_test_key", :secret => "My test secret")
+ ShopifyAPI::Session.setup(api_key: "My_test_key", secret: "My test secret")
 session = ShopifyAPI::Session.new('http://localhost.myshopify.com')
 scope = []
 permission_url = session.create_permission_url(scope)
- assert_equal "https://localhost.myshopify.com/admin/oauth/authorize?client_id=My_test_key&scope=", permission_url
+ assert_equal(
+ "https://localhost.myshopify.com/admin/oauth/authorize?client_id=My_test_key&scope=",
+ permission_url
+ )
+ end
+
+ test "create_permission_url returns correct url with state" do
+ ShopifyAPI::Session.setup(api_key: "My_test_key", secret: "My test secret")
+ session = ShopifyAPI::Session.new('http://localhost.myshopify.com')
+ scope = []
+ permission_url = session.create_permission_url(scope, nil, state: "My nonce")
+ assert_equal(
+ "https://localhost.myshopify.com/admin/oauth/authorize?client_id=My_test_key&scope=&state=My%20nonce",
+ permission_url
+ )
 end
 test "raise exception if code invalid in request token" do
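Review bot: The new "returns correct url with state" test in the last hunk pins only the space-to-`%20` case, so it would not catch a regression in how reserved characters in the state value are escaped. Because state is caller-supplied and ends up in a query string, I would add a case whose value contains `&` and `=` and assert that both come out percent-encoded rather than splitting into extra parameters. For a constructed value such as `state: "a&b=c"`, that could be `assert_match(/state=a%26b%3Dc\z/, permission_url)`, assuming parameterize escapes them the way it does the space. A second case passing both a redirect_uri and `state:` would cover the combination, which no test here exercises.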