To prevent users from editing a trait such as their email in Ory Network with the Ory-managed UI, the knowledge sources do not provide a direct, built-in configuration option to make specific traits read-only or non-editable in the settings/profile flow. The settings flow allows users to update their traits (like email) as long as those fields are present in the identity schema and the profile method is enabled in your configuration. There is no documented way to mark a trait as immutable or read-only via the schema or Ory Console settings at this time. A related discussion suggests that the use case of preventing users from changing their profile information (such as email) has been considered, and a possible solution could be to introduce a "reject" action or hook that runs before the settings flow, but this is not currently available as a built-in feature in Ory Network or the managed UI. The only current method to disable all profile updates is to disable the entire settings flow, but this would prevent all profile changes, not just changes to the email trait [Add GUI option to disable settings flow](https://github.com/ory/network/issues/188). If you need fine-grained control (e.g., only prevent editing email but allow other traits to be updated), you would need to implement custom logic outside of the Ory-managed UI, such as using webhooks to reject changes to certain traits, but this is not natively supported in the Ory-managed UI as per the current documentation. Summary: - There is no built-in way in Ory Network + Ory-managed UI to make a specific trait (like email) read-only for users. - Disabling the entire settings flow is possible, but this blocks all profile edits, not just email. - Custom solutions (e.g., webhooks) may be possible but are not supported directly in the managed UI. If you need this feature, consider submitting feedback to the Ory team or following related feature requests for updates.

@chilly-king-10285 if I disable editing settings, will a user still be able to change their password?

If you disable the entire settings flow, users will not be able to access any settings-related actions, including changing their password. The settings flow in Ory Network covers all self-service updates to user traits (like email) and credentials (like password). Disabling it prevents all such updates, not just profile trait changes [Add GUI option to disable settings flow](https://github.com/ory/network/issues/188) [Settings and profile updates](https://www.ory.sh/docs/kratos/self-service/flows/user-settings). If you want users to be able to change their password but not edit other traits, the knowledge sources do not describe a way to achieve this granularity using the Ory-managed UI or configuration. The available options are to enable or disable the entire settings flow, not individual methods within it.

Based on the knowledge sources, you cannot achieve your requirements by placing the email only in

metadata_public

. Here’s why: - Email in metadata_public: The

metadata_public

field is not validated by the identity schema and is not used by Ory for verification, recovery, or as a login identifier. Ory’s verification and recovery flows, as well as login, require the email to be present as a trait in the

traits

object of the identity schema, not in metadata. Metadata fields are for system/admin use and are not integrated into the self-service flows for verification or recovery [Identity metadata & traits](https://www.ory.sh/docs/kratos/manage-identities/managing-users-identities-metadata). - Verifiable and recoverable: For an email to be verifiable and recoverable, it must be defined as a trait and annotated in the schema with the appropriate extensions, such as

"verification": { "via": "email" }

and

"recovery": { "via": "email" }

 [Account recovery address](https://www.ory.sh/docs/kratos/self-service/flows/account-recovery-password-reset#account-recovery-address) [Address verification](https://www.ory.sh/docs/kratos/self-service/flows/verify-email-account-activation). - Immutable (user cannot edit): There is no built-in way in Ory Network or the Ory-managed UI to make a specific trait (like email) immutable for the user while still allowing it to be used for verification and recovery. The only way to prevent editing is to disable the entire settings flow, which also blocks password changes and other updates [Add GUI option to disable settings flow](https://github.com/ory/network/issues/188). Summary: - You must define the email as a trait in the identity schema for verification and recovery. - Placing email only in

metadata_public

will not work for your requirements. - Making the email trait immutable (non-editable by the user) is not currently supported as a granular option in Ory Network or the managed UI. If you need this feature, you may want to follow or contribute to related feature requests in the Ory community.