diff --git a/litecord/admin_schemas.py b/litecord/admin_schemas.py
index fc96dc9..2796ba1 100644
--- a/litecord/admin_schemas.py
+++ b/litecord/admin_schemas.py
@@ -17,7 +17,7 @@ along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 """
 
-from litecord.enums import Feature
+from litecord.enums import Feature, UserFlags
 
 VOICE_SERVER = {
     'hostname': {'type': 'string', 'maxlength': 255, 'required': True}
@@ -54,3 +54,7 @@ INSTANCE_INVITE = {
 GUILD_UPDATE = {
     'unavailable': {'type': 'boolean', 'required': False}
 }
+
+USER_UPDATE = {
+    'flags': {'required': False, 'coerce': UserFlags}
+}
diff --git a/litecord/blueprints/admin_api/users.py b/litecord/blueprints/admin_api/users.py
index 6f309d6..8a84be8 100644
--- a/litecord/blueprints/admin_api/users.py
+++ b/litecord/blueprints/admin_api/users.py
@@ -22,10 +22,12 @@ from quart import Blueprint, jsonify, current_app as app, request
 from litecord.auth import admin_check
 from litecord.blueprints.auth import create_user
 from litecord.schemas import validate
-from litecord.admin_schemas import USER_CREATE
+from litecord.admin_schemas import USER_CREATE, USER_UPDATE
 from litecord.errors import BadRequest
 from litecord.utils import async_map
-from litecord.blueprints.users import delete_user, user_disconnect
+from litecord.blueprints.users import (
+    delete_user, user_disconnect, mass_user_update
+)
 
 bp = Blueprint('users_admin', __name__)
 
@@ -116,3 +118,21 @@ async def _delete_single_user(user_id: int):
         'old': old_user,
         'new': new_user
     })
+
+@bp.route('/<int:user_id>', methods=['PATCH'])
+async def patch_user(user_id: int):
+    await admin_check()
+
+    j = validate(await request.get_json(), USER_UPDATE)
+
+    # TODO: finish, at least flags.
+    # TODO: we MUST have a check so that users don't
+    # privilege escalate other users to the staff badge, since
+    # that just grants access to the admin api.
+
+    if 'flags' in j:
+        pass
+
+    # TODO: decide if we return the public or private user.
+    _public_user, private_user = await mass_user_update(user_id, app)
+    return jsonify(private_user)
diff --git a/litecord/blueprints/users.py b/litecord/blueprints/users.py
index a3d7672..bea5b89 100644
--- a/litecord/blueprints/users.py
+++ b/litecord/blueprints/users.py
@@ -83,7 +83,7 @@ async def mass_user_update(user_id, app_=None):
         'lazy_guild', guild_ids, 'update_user', user_id
     )
 
-    return private_user
+    return public_user, private_user
 
 
 @bp.route('/@me', methods=['GET'])
@@ -257,7 +257,7 @@ async def patch_me():
 
     user.pop('password_hash')
 
-    private_user = await mass_user_update(user_id, app)
+    _, private_user = await mass_user_update(user_id, app)
     return jsonify(private_user)