Access Denied when trying to use api.user.setAppMetadata

Following: Manage User Metadata with the post-login Action Trigger

We have an action that runs at post-login.

Everything works as expected except a call to api.user.setAppMetadata("key", "value"); causes the following error:

    "error": {
      "message": "user update failed: %!w(<nil>)",
      "oauthError": "access_denied",
      "type": "oauth-authorization"
    },

Removing the call to api.user.setAppMetadata("key", "value"); and redeploying the action causes the issue to go away.

Is there a specific permission necessary for this? I could not find anything in the documentation.