Short answer: Yes, you can patch identity metadata with patchIdentity. Use JSON Patch to replace the metadata fields, and avoid touching credentials. Details: - The patchIdentity endpoint supports partial updates and explicitly forbids patching id, stateChangedAt, and credentials. It does not forbid metadata, so metadata_public and metadata_admin are patchable. [[patchIdentity](https://raw.githubusercontent.com/ory/docs/master/docs/reference/api.json); [patchIdentity](https://raw.githubusercontent.com/ory/kratos/master/spec/api.json)] - By contrast, updateIdentity (PUT) expects the full identity payload (except credentials) and is typically used when you want to send the full object or import credentials. For partial updates like metadata changes, patchIdentity is the intended operation. [[updateIdentity](https://raw.githubusercontent.com/ory/docs/master/docs/reference/api.json); [updateIdentity](https://raw.githubusercontent.com/ory/kratos/master/spec/api.json)] - Ory’s metadata docs also note metadata is only changeable via the admin identities APIs (which include PATCH and PUT). [[Identity metadata](https://www.ory.sh/docs/kratos/manage-identities/managing-users-identities-metadata)] Recommended approach: - Prefer PATCH for metadata changes to avoid sending the full identity. Example JSON Patch to replace metadata_public:

bash curl --request PATCH "https://$<http://ORY_SLUG.projects.oryapis.com/admin/identities/$IDENTITY_ID|ORY_SLUG.projects.oryapis.com/admin/identities/$IDENTITY_ID>" \   --header "Authorization: Bearer $ORY_API_KEY" \   --header "Content-Type: application/json" \   --data-raw '[     {       "op": "replace",       "path": "/metadata_public",       "value": { "role": "user", "plan": "pro" }     }   ]'

Notes and cautions: - PATCH replaces the whole field you target. If you replace /metadata_public or /metadata_admin, send the complete desired object, not just a fragment. [[Modify identities](https://www.ory.sh/docs/guides/integrate-with-ory-cloud-through-webhooks#modify-identities)] - Do not attempt to modify credentials with PATCH; it’s unsupported and may break flows. Use PATCH only for allowed fields or use PUT updateIdentity if you need to update credentials via the supported mechanism. [[patchIdentity](https://raw.githubusercontent.com/ory/docs/master/docs/reference/api.json); [Kratos discussion](https://github.com/ory/kratos/discussions/4395)] If you need to bulk-update metadata across many identities, consider the batchPatchIdentities endpoint, which follows the same patch semantics across multiple identities in one request. [[batchPatchIdentities](https://raw.githubusercontent.com/ory/docs/master/docs/reference/api.json); [batchPatchIdentities](https://raw.githubusercontent.com/ory/kratos/master/spec/api.json)]