diff --git a/src/app.ts b/src/app.ts
index 5d522e4..f9eaac2 100644
--- a/src/app.ts
+++ b/src/app.ts
@@ -1,4 +1,5 @@
 import '@/cron.ts';
+import { type User } from '@/db/users.ts';
 import {
 type Context,
 cors,
@@ -69,6 +70,8 @@ interface AppEnv extends HonoEnv {
 seckey?: string;
 /** NIP-98 signed event proving the pubkey is owned by the user. */
 proof?: Event<27235>;
+ /** User associated with the pubkey, if any. */
+ user?: User;
 };
 }
@@ -107,7 +110,11 @@ app.get('/oauth/authorize', oauthController);
 app.post('/api/v1/accounts', requireProof(), createAccountController);
 app.get('/api/v1/accounts/verify_credentials', requirePubkey, verifyCredentialsController);
-app.patch('/api/v1/accounts/update_credentials', requirePubkey, updateCredentialsController);
+app.patch(
+ '/api/v1/accounts/update_credentials',
+ requireRole('user', { validatePayload: false }),
+ updateCredentialsController,
+);
 app.get('/api/v1/accounts/search', accountSearchController);
 app.get('/api/v1/accounts/lookup', accountLookupController);
 app.get('/api/v1/accounts/relationships', relationshipsController);
diff --git a/src/controllers/api/accounts.ts b/src/controllers/api/accounts.ts
index 695c707..f14efaf 100644
--- a/src/controllers/api/accounts.ts
+++ b/src/controllers/api/accounts.ts
@@ -164,6 +164,7 @@ const updateCredentialsSchema = z.object({
 const updateCredentialsController: AppController = async (c) => {
 const pubkey = c.get('pubkey')!;
+ const user = c.get('user')!;
 const body = await parseBody(c.req.raw);
 const result = updateCredentialsSchema.safeParse(body);
@@ -190,6 +191,7 @@ const updateCredentialsController: AppController = async (c) => {
 meta.about = note ?? meta.about;
 meta.picture = avatar?.url ?? meta.picture;
 meta.banner = header?.url ?? meta.banner;
+ meta.nip05 = `${user.username}@${Conf.url.host}` ?? meta.nip05;
 const event = await createEvent({
 kind: 0,
diff --git a/src/middleware/auth98.ts b/src/middleware/auth98.ts
index 20787fe..8eb73b5 100644
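Review bot: On the `update_credentials` route in src/app.ts, `requireRole('user', { validatePayload: false })` switches off the payload check for a PATCH that rewrites the account's profile metadata. Assuming `validatePayload` governs the NIP-98 payload-hash comparison, the signed proof no longer commits to the request body, so an Authorization header exposed in logs or in transit would be accepted alongside a different body for as long as the proof is valid. If the check is off only because the body is multipart, record that next to the option, e.g. `// validatePayload: false because the multipart body is not covered by the NIP-98 payload hash`, and re-enable it once the body can be hashed. Replacing `requirePubkey` also appears to reject callers that have a pubkey but no proof or no user record; worth confirming that is intended.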
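Review bot: On the added `meta.nip05` line in src/controllers/api/accounts.ts, the `?? meta.nip05` fallback can never apply, because a template literal always evaluates to a string. If `user.username` were ever missing, the event would carry `undefined@<host>` instead of keeping the previous value. Either drop the fallback, ``meta.nip05 = `${user.username}@${Conf.url.host}`;``, or check the username before assigning. The `c.get('user')!` added in the earlier hunk is only sound while this controller stays behind `requireRole`, since `user` is optional in `AppEnv`; a short comment there would record that dependency. Both hunks sit inside `updateCredentialsController`, whose body continues outside them.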
--- a/src/middleware/auth98.ts
+++ b/src/middleware/auth98.ts
@@ -32,8 +32,9 @@ type UserRole = 'user' | 'admin';
 /** Require the user to prove their role before invoking the controller. */
 function requireRole(role: UserRole, opts?: ParseAuthRequestOpts): AppMiddleware {
- return withProof(async (_c, proof, next) => {
+ return withProof(async (c, proof, next) => {
 const user = await findUser({ pubkey: proof.pubkey });
+ c.set('user', user);
 if (user && matchesRole(user, role)) {
 await next();
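Review bot: `c.set('user', user)` runs before the `matchesRole` check in `requireRole`, so the context is populated even on the path that never reaches `next()`, possibly with `undefined` or with a user who lacks the required role. Moving the call inside the `if`, directly before `await next();`, keeps `c.get('user')` meaning "a user that passed the role check", which is what the non-null assertion in `updateCredentialsController` relies on. The rest of `requireRole`, including its rejection branch, lies outside this hunk.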