Have you taken a look at this guide that walks you through configuring a Service application in Okta that can be used to generate OAuth tokens that can in turn be sent to Okta’s management endpoints (including /users) as authorization?
What was the reason given for why this technique (public/private key pair) wouldn’t be an option in production?