# ory-copilot
@chilly-king-10285 the created jwks to use to exchange the cookie session token with a jwt. Is the jwks automatically hosted anywhere?
A message from kapa.ai
The JSON Web Key Set (JWKS) that you create is not automatically hosted anywhere. You need to manually configure the location where the JWKS will be fetched from.

In the context of Ory, the first private key found in the JWKS defined by `mutators.id_token.jwks_url` will be used for signing the JWT. If the first key found is a symmetric key, it won't be broadcasted at `/.well-known/jwks.json`. You must manually configure the upstream to be able to fetch the key, for example from an environment variable. If the first key found is an asymmetric private key, the related public key will be broadcasted at `/.well-known/jwks.json` [source](https://www.ory.sh/docs/oathkeeper/pipeline/mutator#id_token-configuration).

In the case of Ory Proxy, it's recommended to validate the JWT using Ory Proxy's public key. The public key is available at `/.ory/proxy/jwks.json` [source](https://www.ory.sh/docs/guides/cli/proxy-and-tunnel#use-ory-proxy-with-json-web-tokens).

For Ory Hydra, all public keys will be shown at `http://ory-hydra-public-api/.well-known/jwks.json` [source](https://www.ory.sh/docs/hydra/self-hosted/secrets-key-rotation).

Remember, the JWKS must be securely stored and managed as it contains the keys used for signing and verifying tokens.