diff --git a/services/identity/src/service.rs b/services/identity/src/service.rs
--- a/services/identity/src/service.rs
+++ b/services/identity/src/service.rs
@@ -49,8 +49,9 @@
   GetUserIdRequest, GetUserIdResponse, LoginRequest, LoginResponse,
   PakeLoginRequest as PakeLoginRequestStruct,
   PakeLoginResponse as PakeLoginResponseStruct, RegistrationRequest,
-  RegistrationResponse, SessionInitializationInfo, VerifyUserTokenRequest,
-  VerifyUserTokenResponse, WalletLoginRequest as WalletLoginRequestStruct,
+  RegistrationResponse, SessionInitializationInfo, UpdateUserRequest,
+  UpdateUserResponse, VerifyUserTokenRequest, VerifyUserTokenResponse,
+  WalletLoginRequest as WalletLoginRequestStruct,
   WalletLoginResponse as WalletLoginResponseStruct,
 };
 
@@ -300,6 +301,18 @@
       Err(e) => Err(handle_db_error(e)),
     }
   }
+
+  #[instrument(skip(self))]
+  async fn update_user(
+    &self,
+    request: Request<tonic::Streaming<UpdateUserRequest>>,
+  ) -> Result<Response<Self::UpdateUserStream>, Status> {
+    unimplemented!();
+  }
+
+  type UpdateUserStream = Pin<
+    Box<dyn Stream<Item = Result<UpdateUserResponse, Status>> + Send + 'static>,
+  >;
 }
 
 async fn put_token_helper(
diff --git a/shared/protos/identity.proto b/shared/protos/identity.proto
--- a/shared/protos/identity.proto
+++ b/shared/protos/identity.proto
@@ -26,6 +26,9 @@
   // channel of communication with a given user
   rpc GetSessionInitializationInfo(GetSessionInitializationInfoRequest) returns
     (GetSessionInitializationInfoResponse) {}
+
+  rpc UpdateUser(stream UpdateUserRequest) returns
+    (stream UpdateUserResponse) {}
 }
 
 // Helper types
@@ -209,3 +212,27 @@
   // Map is keyed on devices' public ed25519 key used for signing
   map<string, SessionInitializationInfo> devices = 1;
 }
+
+// UpdateUser
+
+// Messages sent from a client to Identity Service
+message UpdateUserRequest {
+  oneof data {
+    // Only need user information on initial call, subsequent PAKE commands
+    // can infer parameters from first Request + userID
+    PakeRegistrationRequestAndUserID request = 1;
+    // We combine the last step of PAKE registration with the first step of PAKE
+    // login here to reduce the number of messages sent
+    PakeRegistrationUploadAndCredentialRequest
+      pakeRegistrationUploadAndCredentialRequest = 2;
+    bytes pakeLoginFinalizationMessage = 4;
+  }
+}
+
+// Messages sent from Identity Service to a client
+message UpdateUserResponse {
+  oneof data {
+    bytes pakeRegistrationResponse = 1;
+    PakeLoginResponse pakeLoginResponse = 2;
+  }
+}