Partial Update for Users not Working As Expected

Hey OKTA folks,

I’m not sure if this has been pointed out before but a developer on my team noticed some weird behavior when attempting to do a partial update to the user profile using POST /api/v1/users/<user_id>

For background, we’re trying to port an existing set of APIs to point to OKTA so we can avoid making too many changes to our application while we migrate. Our application has different endpoints for changing the user’s username and changing the user’s email address (along with other profile attributes)

If I have a user with login ‘dave.ortiz’ and email ‘’ I would expect the following API call to update my JUST my email address

curl --request POST
–header ‘Accept: application/json’
–header ‘Authorization: SSWS ************’
–data ’ {“profile”: { “email”: “”}}’

However, what we’re seeing is the following response where both the login and email address change.

Is this the intended behavior to change both fields?

“id”: “00u15hvqf1YdWTigu357”,
“status”: “PROVISIONED”,
“created”: “2019-08-20T11:44:29.000Z”,
“activated”: “2019-08-20T11:44:29.000Z”,
“statusChanged”: “2019-08-20T11:44:29.000Z”,
“lastLogin”: null,
“lastUpdated”: “2019-09-23T18:29:27.000Z”,
“passwordChanged”: null,
“profile”: {
“firstName”: “Dave”,
“lastName”: “Ortiz”,
“mobilePhone”: null,
“secondEmail”: null,
“login”: “”,
“email”: “
“credentials”: {
“emails”: [
“value”: “”,
“status”: “VERIFIED”,
“type”: “PRIMARY”
“provider”: {
“type”: “OKTA”,
“name”: “OKTA”

Hi there,

It depends on your okta tenant setup. Some tenants use the email as a login and I think this is done by default. You can change it using a profile master or the profile editor and changing the login field within Okta.

I was pretty sure we don’t use the email as the login. I believe we removed that restriction because I can create users with a non-email login.

Is there any way that I can verify that my tenant is correctly setup?

Edit: Here’s the configuration on my user.login field in the profile editor

Do you have any profile masters? One of them might be setting the login as an email therefore overriding it?