diff --git a/matrix-module.nix b/matrix-module.nix
index 2f31357..807761b 100644
--- a/matrix-module.nix
+++ b/matrix-module.nix
@@ -83,6 +83,12 @@ in {
 type = str;
 description = "OpenID issuer URL.";
 };
+
+ jwt-secret = mkOption {
+ type = nullOr str;
+ description = "JWT secret, for decoding requests";
+ default = null;
+ };
 };
 };
 
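Review bot: `jwt-secret` is declared as `nullOr str`, so whatever value is assigned flows verbatim into the rendered Synapse settings through `secret = cfg.openid.jwt-secret;` in the second hunk, and if that settings set is written to a store file (as the NixOS matrix-synapse module does) the HMAC secret becomes readable to every local user via the world-readable Nix store. The module already keeps its OpenID material out of the store with `extraConfigFiles = [ hostSecrets.matrixOpenIdConfig.target-file ];` in the third hunk, so a path-typed option such as `jwt-secret-file = mkOption { type = nullOr path; default = null; ... }` whose file (presumably carrying the `jwt_config` fragment) is added to `extraConfigFiles` would follow the same pattern; if the string option is kept, its description should state that the value lands in the store. HS256 additionally requires a key of at least 256 bits (RFC 7518 §3.2), which the terse description does not convey: `description = "HMAC secret for validating JWT logins (HS256, at least 32 bytes). Note: the value is written to the Nix store; prefer a file-based secret.";`. The enclosing `openid` submodule and the `settings` attribute set both start outside the hunks.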
@@ -120,42 +126,10 @@ in {
 signing_key_path = "${cfg.state-directory}/secrets/signing.key";
 # Only to trigger the inclusion of oidc deps, actual config is elsewhere
 oidc_providers = [ ];
- jwt_config = {
+ jwt_config = mkIf (cfg.openid.jwt-secret != null) {
 enabled = true;
 algorithm = "HS256";
- secret = ''
- -----BEGIN CERTIFICATE-----
- MIIFUzCCAzugAwIBAgIRAMqfkfHyl07usDfXTfgi/OIwDQYJKoZIhvcNAQELBQAw
- HTEbMBkGA1UEAwwSYXV0aGVudGlrIDIwMjMuOC4xMB4XDTIzMDgyOTE3MTU1NloX
- DTI0MDgyOTE3MTU1NlowVjEqMCgGA1UEAwwhYXV0aGVudGlrIFNlbGYtc2lnbmVk
- IENlcnRpZmljYXRlMRIwEAYDVQQKDAlhdXRoZW50aWsxFDASBgNVBAsMC1NlbGYt
- c2lnbmVkMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA8DCiYkHq5RQL
- N6i9bLXuschbuPxWZeckJK1cFAmLbrEbOQ/yjURpf0vqdaetvg/S5RsN6I9qS9Yl
- h/PmeNZTBN5nsn7GGQZQL4xy0cm2c0Z57AuFkDLgrKiovI5Y4cgIMEfmdqKZ27ey
- QqTLDAs6w6m7uNCA0cUwldKyuGR0xMRWShrYM3vurdsosACsWl+bsWZgOASaW2GO
- sMPMnTMzATGwy0KLU9ffl3vGSL0FO0zYP4zTXQbi2jsdd4f1pSo1lNWGH1dpUnYV
- lSQNfx+AWOj4YcES5kJFzmzSl+zYCJaAnWFCilZ/ZDbrzIbh0vBonElE4mHwOivN
- wQHVme32itAHU/TX4avwDuGzNL3yl3LGn0U76kSz7YEb4ADwKxVZMnHViJW/tTiC
- AoGfOfg6ge78eDnltrLXTjluctcqUHXPkMUPgVyHMAzV0nGxf9v6yuC5S7RIP4q2
- B5JDQ+Ef7CAEl4VNsIOpN6jqY09qpAc4flH0qqaDMmtsEbBogE9XtOWosSJmMrHp
- 2MRFfFXEZSa+18TYa0j/Ec9WKnOR5n+/SY9Ke6P2tW9AWBo8k+3m7kR/zlqxwFga
- EnkhqMl/OnLE1KyP/SenJmlW7vzcAlO2dZomPtY+G9nXEGpec/f9M4cYHYO03694
- jADHnpplQCv8OdNBcJjPv9jBgd7tNxcCAwEAAaNVMFMwUQYDVR0RAQH/BEcwRYJD
- eHp2V0V2VmMwdWE5ZlV5Y1R3T2tOTGwweVZFaVBzNmlXclNCd2ltNi5zZWxmLXNp
- Z25lZC5nb2F1dGhlbnRpay5pbzANBgkqhkiG9w0BAQsFAAOCAgEAPP7axxpQfuML
- BPpXTqFMSJaLg/Sc0N64qLmiHIx29bQ/OCBG5UOgL2ctbY7MftfZQnEv2DrVlQjr
- pvGrMbQp2EQN0rycQ/5m1JVBfpqtEm3Tsg9MhfXj13Pv9xJZGSlIyNIkACjE73he
- QBxv0XvSFa7HiRYBrBhvnpriCbvTFSwmjPu+VRqCr3yk2ydaC+nf7gYHuWB50OLF
- CPCgF77NtFxybW6oPRy0KatmJOFqYi7wU1/S7r3XKdxvSzIAdCuF4yTP0qlyloGW
- AlUNI3uesQVv5jsku5ExDiAfRLNjbINuDnk1RtaW5gCTtPqYlff+XlHfEOHYqvoT
- MMI+rXSSnj/g8VKv8KJjqBk4DZOQcBdxMBuhJYBOYuJg+4ICRbAlk3Yqxlb8VrLT
- Ovf6ea6Wk8iisPckYRwLmiyYnO4Kn5QiZQY5kGdIAUJ+jbAaFwsO7v1J6m0rBEr6
- bCHcl4xuYrlOLghZem3KLGkdYj0qXc8Dr+WNJ7fvbICKkpTIqLC0Trq4u6X/ZbTL
- aCTvpLWOhHms5IvQUkndF1wV3HSM9aJylzPk6zkZRhR7jWtNojLD0Pf6t/H2V0VD
- x/n6DjSsmSyVGwo0zeAXhIZl/XzZZpp//Lbn91aMqnVY0zoCjdSEhEpBGx/djdLI
- jCunluN2DypxO3PVEWqIUvNhlv0XW9o=
- -----END CERTIFICATE-----
- '';
+ secret = cfg.openid.jwt-secret;
 };
 listeners = [{
 port = cfg.port;
@@ -173,7 +147,8 @@ in {
 args.database = "${cfg.state-directory}/database/data.db";
 };
 };
- extras = [ "jwt" "url-preview" ];
+ extras = [ "url-preview" ]
+ ++ (optional (cfg.openid.jwt-secret != null) "jwt");
 extraConfigFiles = [ hostSecrets.matrixOpenIdConfig.target-file ];
 configureRedisLocally = true;
 };