limited-elephant-93657
07/21/2025, 12:22 AM
metadata_admin from Kratos identities (contains legacy customer IDs)
- This data is needed for populating JWT claims in our OAuth flow
- Our UI is hosted externally (Vercel) but Kratos admin API is restricted to internal network only
Questions:
1. Is hitting the Kratos Admin API the recommended way to retrieve metadata_admin for claim population?
2. What's the best practice for exposing Kratos admin functionality to external UIs? Should we:
- Create a proxy/gateway service that sits in our internal network?
- Leverage Hydra's token exchange or some other OAuth flow?
Our Current Setup:
- Kratos manages identities with custom metadata_admin fields
- Hydra handles OAuth2/OIDC flows
- External UI needs read access to identity metadata for claims
Any guidance on secure patterns for this would be much appreciated! 🙏
bland-eye-99092
07/22/2025, 1:00 PM
metadata_admin is only available in the Admin APIs anyway, so that is the only way to get that data.
2. This is up to you, but beware that by exposing those APIs you do open up the entirety of those APIs to the external user. You would need to secure access to it and do the appropriate permission checks yourself. magnificent-energy-493
limited-elephant-93657
07/23/2025, 10:28 PM
magnificent-energy-493