How to get the x509 public key to verify the OIDC idToken

When I submit a GET to:
/api/v1/idps/credentials/keys/any JWS header kid returned by our okta auth server in an OIDC idToken
I get a "Not found: Resource not found: xxxxx (IdpTrust)"
I suppose this is because we haven’t put any signing certificates into our own auth server resource. But the oidc tokens are signed…

What is the API to get the public key that was used to sign the tokens?

nevermind…I’ve found it explained here: https://developer.okta.com/docs/api/resources/oidc.html#openid-connect-discovery-document
GET keys