diff --git a/api/v1alpha1/oauth2client_types.go b/api/v1alpha1/oauth2client_types.go
index 3f03950..9c83269 100644
--- a/api/v1alpha1/oauth2client_types.go
+++ b/api/v1alpha1/oauth2client_types.go
@@ -20,6 +20,7 @@ import (
 	"fmt"
 
 	"github.com/ory/hydra-maester/hydra"
+	apiextensionsv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -120,8 +121,10 @@ type OAuth2ClientSpec struct {
 	// Indication which authentication method shoud be used for the token endpoint
 	TokenEndpointAuthMethod TokenEndpointAuthMethod `json:"tokenEndpointAuthMethod,omitempty"`
 
+	// +kubebuilder:validation:Type=object
+	//
 	// Metadata is abritrary data
-	Metadata json.RawMessage `json:"metadata,omitempty"`
+	Metadata apiextensionsv1.JSON `json:"metadata,omitempty"`
 }
 
 // +kubebuilder:validation:Enum=client_credentials;authorization_code;implicit;refresh_token
@@ -182,6 +185,8 @@ func init() {
 
 // ToOAuth2ClientJSON converts an OAuth2Client into a OAuth2ClientJSON object that represents an OAuth2 client digestible by ORY Hydra
 func (c *OAuth2Client) ToOAuth2ClientJSON() *hydra.OAuth2ClientJSON {
+	meta, _ := json.Marshal(c.Spec.Metadata)
+
 	return &hydra.OAuth2ClientJSON{
 		ClientName:              c.Spec.ClientName,
 		GrantTypes:              grantToStringSlice(c.Spec.GrantTypes),
@@ -193,7 +198,7 @@ func (c *OAuth2Client) ToOAuth2ClientJSON() *hydra.OAuth2ClientJSON {
 		Scope:                   c.Spec.Scope,
 		Owner:                   fmt.Sprintf("%s/%s", c.Name, c.Namespace),
 		TokenEndpointAuthMethod: string(c.Spec.TokenEndpointAuthMethod),
-		Metadata:                c.Spec.Metadata,
+		Metadata:                meta,
 	}
 }
 
diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
index 1050062..fa8143c 100644
--- a/api/v1alpha1/zz_generated.deepcopy.go
+++ b/api/v1alpha1/zz_generated.deepcopy.go
@@ -20,7 +20,6 @@ limitations under the License.
 package v1alpha1
 
 import (
-	"encoding/json"
 	runtime "k8s.io/apimachinery/pkg/runtime"
 )
 
@@ -132,11 +131,7 @@ func (in *OAuth2ClientSpec) DeepCopyInto(out *OAuth2ClientSpec) {
 		copy(*out, *in)
 	}
 	out.HydraAdmin = in.HydraAdmin
-	if in.Metadata != nil {
-		in, out := &in.Metadata, &out.Metadata
-		*out = make(json.RawMessage, len(*in))
-		copy(*out, *in)
-	}
+	in.Metadata.DeepCopyInto(&out.Metadata)
 }
 
 // DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new OAuth2ClientSpec.
diff --git a/config/crd/bases/hydra.ory.sh_oauth2clients.yaml b/config/crd/bases/hydra.ory.sh_oauth2clients.yaml
index 665e907..d1d8dfc 100644
--- a/config/crd/bases/hydra.ory.sh_oauth2clients.yaml
+++ b/config/crd/bases/hydra.ory.sh_oauth2clients.yaml
@@ -99,8 +99,8 @@ spec:
                 type: object
               metadata:
                 description: Metadata is abritrary data
-                format: byte
-                type: string
+                type: object
+                x-kubernetes-preserve-unknown-fields: true
               postLogoutRedirectUris:
                 description: PostLogoutRedirectURIs is an array of the post logout
                   redirect URIs allowed for the application
diff --git a/go.mod b/go.mod
index 4616dfa..55f5730 100644
--- a/go.mod
+++ b/go.mod
@@ -11,6 +11,7 @@ require (
 	github.com/stretchr/testify v1.6.1
 	golang.org/x/net v0.0.0-20201110031124-69a78807bb2b
 	k8s.io/api v0.20.2
+	k8s.io/apiextensions-apiserver v0.20.1
 	k8s.io/apimachinery v0.20.2
 	k8s.io/client-go v0.20.2
 	k8s.io/utils v0.0.0-20210305010621-2afb4311ab10