diff --git a/metropolis/proto/api/management.proto b/metropolis/proto/api/management.proto
index 5c8905f..80cb195 100644
--- a/metropolis/proto/api/management.proto
+++ b/metropolis/proto/api/management.proto
@@ -218,6 +218,16 @@
       need: PERMISSION_READ_NODE_LOGS
     };
   }
+  // UpdateNode updates the node operating system to a new version.
+  //
+  // Metropolis uses a side-by-side (A/B) update process. This method installs
+  // the OS from the given bundle into the inactive slot, activates that slot
+  // and then (optionally) reboots to activate it.
+  rpc UpdateNode(UpdateNodeRequest) returns (UpdateNodeResponse) {
+    option (metropolis.proto.ext.authorization) = {
+      need: PERMISSION_UPDATE_NODE
+    };
+  }
 }
 
 message GetLogsRequest {
@@ -259,4 +269,16 @@
   // enabled, instead every line is served as early as it arrives. However, this
   // might change in the future, so this behaviour cannot be depended upon.
   repeated metropolis.proto.common.LogEntry stream_entries = 2;
-}
\ No newline at end of file
+}
+
+message UpdateNodeRequest {
+  // An HTTPS URL to a Metropolis bundle containing the new OS to install.
+  string bundle_url = 1;
+
+  // If set, do not reboot the node after installation. This means the updated
+  // version will not be active until the node has been rebooted via another
+  // method.
+  bool no_reboot = 2;
+}
+
+message UpdateNodeResponse {}
\ No newline at end of file