great content, easy to understand, and super fun. Great job!

WE Can use hs256 in Okta?

It sounds like you are discussing 1 use case. A key signed by 1 needing to be verified by another. For general web applications not using okta(or another identity provider) this is not the case. For a web app the server signs and that same server verifies. You can still just rotate out the key without redeploying anything and your hs256 key is never shared just like a private key.