Your JSON payload structure is correct for updating the

metadata_public

field via a webhook in Ory Kratos. According to the documentation, when the webhook target returns a

200 OK

response and the response body is a JSON object with the key

identity.metadata_public

, the values from that object will be used to replace the

metadata_public

field before it is saved to the database. However, there are a few important caveats: - The entire

metadata_public

object is replaced. Partial updates are not supported, so you must always send the complete object, not just the new or changed fields. - Webhook response parsing must be enabled. Your webhook configuration in Kratos must have

response.parse: true

set, otherwise the response will not be used to update the identity. - This only works during registration and settings flows. If your webhook is triggered during login (not registration or settings), the identity will not be updated, even if the webhook returns a valid response. This is a documented limitation: "Modifying the identity is only possible during registration and settings flows" [Webhook response handling](https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks#modify-identities). Summary: If your webhook is triggered during a login flow, the update to

metadata_public

will not be applied. You must trigger the webhook during a registration or settings flow for the update to take effect. If you need to update metadata on login, you will need to use a different approach, as this is not currently supported by Ory Kratos. For reference and more details, see the official documentation: [Webhook response handling](https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks#modify-identities).

Yes, if you want to update

metadata_public

during login, you will need to do it manually using the admin API, because modifying the identity via webhook response is only supported during registration and settings flows—not during login flows. This is explicitly stated in the documentation: "Modifying the identity is only possible during registration and settings flows" [Webhook response handling](https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks#modify-identities). Session Data: If you update the identity after login (e.g., via the admin API), the session that was just created will not automatically include the updated metadata. The session is generated based on the identity data at the time of login. To ensure the session contains the latest data, you would need to trigger a new login or session refresh after updating the identity. Distinguishing Login vs. Registration in the Webhook: The knowledge sources do not provide explicit details on how to distinguish between login and registration flows from within the webhook payload. However, typically, the webhook payload includes context about the flow, but you would need to inspect the payload for any indicators (such as flow type or method) to determine the trigger. If this information is not present, you may need to rely on endpoint configuration or additional context passed by Ory, but the documentation does not specify this clearly. Summary: - You must update

metadata_public

manually during login. - The session will not reflect changes made after login unless the user logs in again. - The webhook payload may contain context to distinguish the flow, but the documentation does not specify exactly how; you may need to inspect the payload for clues. For more details, see: [Webhook response handling](https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks#modify-identities).