# ory-selfhosting
l
Hello Ory Community! We have a Kratos + Hydra setup and need some architecture advice:
- We need to access `metadata_admin` from Kratos identities (contains legacy customer IDs)
- This data is needed for populating JWT claims in our OAuth flow
- Our UI is hosted externally (Vercel) but Kratos admin API is restricted to internal network only

Questions:
1. Is hitting the Kratos Admin API the recommended way to retrieve `metadata_admin` for claim population?
2. What's the best practice for exposing Kratos admin functionality to external UIs? Should we:
   - Create a proxy/gateway service that sits in our internal network?
   - Leverage Hydra's token exchange or some other OAuth flow?

Our Current Setup:
- Kratos manages identities with custom `metadata_admin` fields
- Hydra handles OAuth2/OIDC flows
- External UI needs read access to identity metadata for claims

Any guidance on secure patterns for this would be much appreciated! 🙏
b
1. Yes, that sounds correct. `metadata_admin` is only available in the Admin APIs anyway, so that is the only way to get that data.
2. This is up to you, but beware that by exposing those APIs you do open up the entirety of those APIs to the external user. You would need to secure access to it and do the appropriate permission checks yourself.
m
@limited-elephant-93657 Have you considered using public metadata for it? That would make it easier unless the ID is sensitive and should not be visible to the end user.
l
Hey @bland-eye-99092 and @magnificent-energy-493 thanks so much for responding to my post here. I was under the impression that the user could potentially change their public_metadata but I've just taken another look at the docs and just read that it can only be updated with the admin endpoint. So we will use the metadata_public. Thanks so much for your help, this will make our solution much cleaner
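An added example (not from this thread and not Ory's own code) of the approach the thread settles on: a Hydra consent handler that copies only the legacy customer ID from a Kratos identity's `metadata_public` into the token claims, with `metadata_admin` used as a fallback only when the caller runs inside the network that can reach the Kratos Admin API. The sample identity is constructed, the claim name `legacy_customer_id` and the Hydra admin path are assumptions, and the HTTP call is shown but not exercised offline.

```python
import json
import urllib.request
from typing import List, Optional

# Constructed sample of what GET /admin/identities/{id} returns from Kratos,
# trimmed to the fields this example uses. The ID is a placeholder.
SAMPLE_IDENTITY = {
    "id": "00000000-0000-0000-0000-000000000000",
    "traits": {"email": "alice@example.com"},
    "metadata_public": {"legacy_customer_id": "CUST-0042"},
    "metadata_admin": {"legacy_customer_id": "CUST-0042", "internal_notes": "not for tokens"},
}

CLAIM = "legacy_customer_id"  # assumed claim name


def legacy_customer_id(identity: dict, allow_admin: bool = False) -> Optional[str]:
    """Read the legacy ID from metadata_public. metadata_admin is consulted only
    when allow_admin is set, i.e. when this code runs where the Admin API is reachable."""
    value = (identity.get("metadata_public") or {}).get(CLAIM)
    if value is None and allow_admin:
        value = (identity.get("metadata_admin") or {}).get(CLAIM)
    return value


def consent_accept_body(identity: dict, granted_scopes: List[str], allow_admin: bool = False) -> dict:
    """Build the body for Hydra's accept-consent call. Only the single claim is
    copied into the tokens; the rest of the identity metadata never reaches the JWT."""
    cid = legacy_customer_id(identity, allow_admin)
    if cid is None:
        raise ValueError("identity has no legacy_customer_id")
    claims = {CLAIM: cid}
    return {
        "grant_scope": granted_scopes,
        "remember": False,
        "session": {"id_token": claims, "access_token": claims},
    }


def accept_consent(hydra_admin_url: str, challenge: str, body: dict) -> dict:
    """PUT the body to Hydra's admin API (v2 path assumed). Returns Hydra's
    response, which carries the redirect_to URL for the browser."""
    url = f"{hydra_admin_url}/admin/oauth2/auth/requests/consent/accept?consent_challenge={challenge}"
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="PUT",
        headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=5) as resp:
        return json.load(resp)
```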
m
No worries, glad we could help 😊