creamy-bear-51329
07/31/2025, 5:00 PM

brief-egg-61061
07/31/2025, 5:00 PM
`jwks_uri` for signing JWT access tokens. The `jwks_uri` or `jwks` fields in the client configuration are used for client authentication (specifically for the `private_key_jwt` authentication method), not for determining which key is used to sign access tokens issued by Hydra. Hydra uses its own server-managed key sets to sign JWT access tokens and OpenID Connect ID tokens. These keys are managed and rotated at the server level, and all public keys are exposed at the well-known JWKS endpoint (e.g., `https://<hydra-domain>/.well-known/jwks.json`). The default key sets used for signing are `hydra.openid.id-token` for ID tokens and `hydra.jwt.access-token` for JWT access tokens. These are not configurable per client; instead, they are global to the Hydra instance. You can retrieve or rotate these keys using the admin API, but not on a per-client basis [JWT access token validation](https://www.ory.sh/docs/oauth2-oidc/jwt-access-token#json-web-token-validation) [Secrets and key rotation](https://www.ory.sh/docs/hydra/self-hosted/secrets-key-rotation).

The `jwks_uri` field in the client configuration is only relevant for authenticating the client itself when it uses the `private_key_jwt` method to authenticate to the token endpoint, not for signing tokens that Hydra issues to the client [JWTs for client authentication](https://www.ory.sh/docs/hydra/guides/jwt#jwts-for-client-authentication) [Registering the client's public key](https://www.ory.sh/docs/hydra/guides/jwt#registering-the-clients-public-key).

In summary: Hydra does not allow a client to specify a custom `jwks_uri` for signing JWT access tokens. The signing keys are managed globally by Hydra, not per client.