diff --git a/packages/worker/src/api/routes/global/tests/self.spec.ts b/packages/worker/src/api/routes/global/tests/self.spec.ts
index 74d24c7c31..f3959c7521 100644
--- a/packages/worker/src/api/routes/global/tests/self.spec.ts
+++ b/packages/worker/src/api/routes/global/tests/self.spec.ts
@@ -18,30 +18,26 @@ describe("/api/global/self", () => {
   })
 
   describe("update", () => {
-    it("should update self", async () => {
+    it("should reject updates with forbidden keys", async () => {
       const user = await config.createUser()
       await config.createSession(user)
-
       delete user.password
-      const res = await config.api.self.updateSelf(user)
 
-      const dbUser = await config.getUser(user.email)
-      user._rev = dbUser._rev
-      user.dayPassRecordedAt = mocks.date.MOCK_DATE.toISOString()
-      expect(res.body._id).toBe(user._id)
-      expect(events.user.updated).toBeCalledTimes(1)
-      expect(events.user.updated).toBeCalledWith(dbUser)
-      expect(events.user.passwordUpdated).not.toBeCalled()
+      await config.api.self.updateSelf(user, user).expect(400)
     })
 
     it("should update password", async () => {
       const user = await config.createUser()
       await config.createSession(user)
 
-      user.password = "newPassword"
-      const res = await config.api.self.updateSelf(user)
+      const res = await config.api.self
+        .updateSelf(user, {
+          password: "newPassword",
+        })
+        .expect(200)
 
       const dbUser = await config.getUser(user.email)
+
       user._rev = dbUser._rev
       user.dayPassRecordedAt = mocks.date.MOCK_DATE.toISOString()
       expect(res.body._id).toBe(user._id)
@@ -51,4 +47,22 @@ describe("/api/global/self", () => {
       expect(events.user.passwordUpdated).toBeCalledWith(dbUser)
     })
   })
+
+  it("should update onboarding", async () => {
+    const user = await config.createUser()
+    await config.createSession(user)
+
+    const res = await config.api.self
+      .updateSelf(user, {
+        onboardedAt: "2023-03-07T14:10:54.869Z",
+      })
+      .expect(200)
+
+    const dbUser = await config.getUser(user.email)
+
+    user._rev = dbUser._rev
+    user.dayPassRecordedAt = mocks.date.MOCK_DATE.toISOString()
+    expect(dbUser.onboardedAt).toBe("2023-03-07T14:10:54.869Z")
+    expect(res.body._id).toBe(user._id)
+  })
 })
diff --git a/packages/worker/src/api/routes/global/users.ts b/packages/worker/src/api/routes/global/users.ts
index a6312679c3..47e76c17be 100644
--- a/packages/worker/src/api/routes/global/users.ts
+++ b/packages/worker/src/api/routes/global/users.ts
@@ -128,7 +128,7 @@ router
   .get("/api/global/users/self", selfController.getSelf)
   .post(
     "/api/global/users/self",
-    users.buildUserSaveValidation(true),
+    users.buildUserSaveValidation(),
     selfController.updateSelf
   )
 
diff --git a/packages/worker/src/tests/api/self.ts b/packages/worker/src/tests/api/self.ts
index dcc6c1a98b..1c1492f37f 100644
--- a/packages/worker/src/tests/api/self.ts
+++ b/packages/worker/src/tests/api/self.ts
@@ -7,13 +7,12 @@ export class SelfAPI extends TestAPI {
     super(config)
   }
 
-  updateSelf = (user: User) => {
+  updateSelf = (user: User, update: any) => {
     return this.request
       .post(`/api/global/self`)
-      .send(user)
+      .send(update)
       .set(this.config.authHeaders(user))
       .expect("Content-Type", /json/)
-      .expect(200)
   }
 
   getSelf = (user: User) => {