Change signing certificate,

My app uses OpenID Connect.
I created the certificate, then updated the app to use newly created kid using /credentials/keys. What I expect is that /keys?client_id={id} endpoint returns a key with kid equals to what I’ve created and tokens are signed/verified with a private/public key pair OKTA created for me as result of that certificate update. But /keys contains absolutely different kids and token validation fails.

What is wrong here? Maybe I’m misunderstanding the purpose of /credentials/keys? Maybe it would work ok only in certain context?

Documentaton says:
Note: When using a Custom Authorization Server, you may work with a client that can’t call the /keys endpoint to dynamically fetch the JWKS. You can pin that specific client to a specific key by generating a key credential and updating the application to use it for signing. This overrides the Custom AS rollover/pinning behavior for that client. Should you need to turn off automatic key rotation for the entire Custom Authorization Server, you can do that by switching the Signing Key Rotation value to Manual in the Admin Console.

Appreciate any help, thank you!

Are you trying to validate Access Tokens issued by the Org Authorization Server (issuer =

No, issuer is Also /default/v1/keys?client_id={} does not reflect changes I did creating and updating certificate.

In fact the certificate update works well with and{id} returns expected kid and I’m able to verify signed token by using that key. Given that Manual Rotation for application is enabled (it is disabled by default).

But I expect same behaviour for{id} returns different key set. How to make it possible for default auth server to apply the keys provided with certificate while signing tokens?

Are you saying the keys for the default server (issuer = vary from the ones for the Org server (issuer =