diff --git a/.envrc.local.template b/.envrc.local.template
index 62ef3c2781ba23be44b3e83b23a61cb8f8439133..1610981f15ff40d14b9ee2dac0f7f673eb53ef16 100644
--- a/.envrc.local.template
+++ b/.envrc.local.template
@@ -26,3 +26,7 @@ export HOLI_CHAT_MACAROON_SECRET_KEY=
 
 # ip range used within the docker-compose container, needs to be unblocked in order for Synapse to be able to resolve Sygnal
 export HOLI_CHAT_IP_RANGE_WHITELIST="- '172.16.0.0/12'"
+
+# can be downloaded from ORY https://dev-auth.holi.social/.well-known/jwks.json (for production: https://auth.holi.social/.well-known/jwks.json)
+# this is the ORY staging keyset
+export HOLI_CHAT_ORY_PUBLIC_JWT_KEYS='{"keys":[{"use": "sig", "kty": "RSA", "kid": "147ad542-5980-4a1a-bb23-b163b731a3cc", "alg": "RS256", "n": "xOYw-BTlL7EVScqYqxwUubSWY_6FEMcO88wXIxvnLTN7ldgvxocCfgWoM15oq5nwdCe3v3z_hoBY9nPeqYEYyN2Axz1OhKzvzPSy5_lAJfYMpIiaYpYFYvrR5L7QnOwdUi6QNzXnZS6-gGqQz6mTNpFpEcoo313eznhkMq9w72bDYHobjdsuSUGd_qF3QnWC9pn9f4xprwErJIdPU-jSjKwA7T1NWuB2z0SbAI2ScX2MXBNi3aZUJpYivWHWi90l76_XbgNszAveY2vj05QV7E2nivLsmBdW8Y3OtLTtjnRT8kNOkCPYoSsH8Pv1kGvEjvlJNmvK8AJufjVgiChUQm5xwce77Jp3Zzwb47vUt4Y4ZLY8kBOmLsF7nESZuUz3fA8C3-dTdj1RKrzdzcho8puUGZHEPgYSXc2PVeA6mdayn3gc6dlo_sKy8ysDAQwBI68YZJUNxYBPnpXc0ODU0K972TB-Bg6hbLMc6l24anLLza81wMm_H5h7DAgbRTGdFAGE3Wy75Jv0-ngso5I5aTG5DAkSHxNCbBwtIV-eh0aH_E2KS9xHAYnd1gfoiqB83JxgGLjeJDOA8turZnJkRuFh7tMq2MBFShzwr9EBsIKVfYi57K22U19GXVenvOxdQMxNofxhihM-yqawppZAecarLahHP570RpbBQsTcCWk", "e": "AQAB"}]}'
diff --git a/data/homeserver.yaml.template b/data/homeserver.yaml.template
index db174d6aac34a0a4c3576ef090a6df24c6c97096..a274975e9d7fb7bd63b19ffd4011330e386b2abf 100644
--- a/data/homeserver.yaml.template
+++ b/data/homeserver.yaml.template
@@ -48,20 +48,7 @@ sso:
 
 jwt_config:
   enabled: true
-  secret:
-    {
-      "keys":
-        [
-          {
-            "use": "sig",
-            "kty": "RSA",
-            "kid": "147ad542-5980-4a1a-bb23-b163b731a3cc",
-            "alg": "RS256",
-            "n": "xOYw-BTlL7EVScqYqxwUubSWY_6FEMcO88wXIxvnLTN7ldgvxocCfgWoM15oq5nwdCe3v3z_hoBY9nPeqYEYyN2Axz1OhKzvzPSy5_lAJfYMpIiaYpYFYvrR5L7QnOwdUi6QNzXnZS6-gGqQz6mTNpFpEcoo313eznhkMq9w72bDYHobjdsuSUGd_qF3QnWC9pn9f4xprwErJIdPU-jSjKwA7T1NWuB2z0SbAI2ScX2MXBNi3aZUJpYivWHWi90l76_XbgNszAveY2vj05QV7E2nivLsmBdW8Y3OtLTtjnRT8kNOkCPYoSsH8Pv1kGvEjvlJNmvK8AJufjVgiChUQm5xwce77Jp3Zzwb47vUt4Y4ZLY8kBOmLsF7nESZuUz3fA8C3-dTdj1RKrzdzcho8puUGZHEPgYSXc2PVeA6mdayn3gc6dlo_sKy8ysDAQwBI68YZJUNxYBPnpXc0ODU0K972TB-Bg6hbLMc6l24anLLza81wMm_H5h7DAgbRTGdFAGE3Wy75Jv0-ngso5I5aTG5DAkSHxNCbBwtIV-eh0aH_E2KS9xHAYnd1gfoiqB83JxgGLjeJDOA8turZnJkRuFh7tMq2MBFShzwr9EBsIKVfYi57K22U19GXVenvOxdQMxNofxhihM-yqawppZAecarLahHP570RpbBQsTcCWk",
-            "e": "AQAB",
-          },
-        ],
-    }
+  secret: ${HOLI_CHAT_ORY_PUBLIC_JWT_KEYS}
   algorithm: "RS256"
   subject_claim: "ident"
 
diff --git a/terraform/environments/deployment_server.tf b/terraform/environments/deployment_server.tf
index 7b62dcd4c079ed1661b724f86a58addaba6c95e8..276be5fb1212198cb4b38e23676b48e1be50f238 100644
--- a/terraform/environments/deployment_server.tf
+++ b/terraform/environments/deployment_server.tf
@@ -106,6 +106,15 @@ resource "google_cloud_run_service" "chat_server" {
             }
           }
         }
+        env {
+          name = "HOLI_CHAT_ORY_PUBLIC_JWT_KEYS"
+          value_from {
+            secret_key_ref {
+              key  = "latest"
+              name = local.environment_name == "production" ? "HOLI_CHAT_ORY_PUBLIC_JWT_KEYS_PRODUCTION" : "HOLI_CHAT_ORY_PUBLIC_JWT_KEYS_DEVELOPMENT"
+            }
+          }
+        }
         resources {
           limits = {
             # cpu can only be scaled down to 1000m as long as container_concurrency is set to != 1