diff --git a/internal/gen/bearerjwt/bearerjwt.go b/internal/gen/bearerjwt/bearerjwt.go
index e81f79e6a..a813dbf85 100644
--- a/internal/gen/bearerjwt/bearerjwt.go
+++ b/internal/gen/bearerjwt/bearerjwt.go
@@ -35,11 +35,14 @@ func Run(ctx context.Context, claims jwt.Claims, w io.Writer, fsys afero.Fs) err
 func getSigningKey(ctx context.Context) (*config.JWK, error) {
 	console := utils.NewConsole()
 	if len(utils.Config.Auth.SigningKeysPath) == 0 {
-		title := "Enter your signing key in JWK format: "
+		title := "Enter your signing key in JWK format (or leave blank to use local default): "
 		kid, err := console.PromptText(ctx, title)
 		if err != nil {
 			return nil, err
 		}
+		if len(kid) == 0 && len(utils.Config.Auth.SigningKeys) > 0 {
+			return &utils.Config.Auth.SigningKeys[0], nil
+		}
 		key := config.JWK{}
 		if err := json.Unmarshal([]byte(kid), &key); err != nil {
 			return nil, errors.Errorf("failed to parse JWK: %w", err)
diff --git a/pkg/config/apikeys.go b/pkg/config/apikeys.go
index a5f6ee1de..12ecb2076 100644
--- a/pkg/config/apikeys.go
+++ b/pkg/config/apikeys.go
@@ -4,7 +4,6 @@ import (
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/elliptic"
-	"crypto/rand"
 	"crypto/rsa"
 	"encoding/base64"
 	"math/big"
@@ -12,8 +11,6 @@ import (
 	"github.com/go-errors/errors"
 	"github.com/golang-jwt/jwt/v5"
-	"github.com/google/uuid"
-	"github.com/supabase/cli/pkg/cast"
 )
 const (
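Review bot: The added blank-input fallback only triggers when `utils.Config.Auth.SigningKeys` is non-empty, so a user who presses Enter on a build where no default is configured falls through to `json.Unmarshal("")` and is told `failed to parse JWK: unexpected end of JSON input` rather than that there is no local default. A second guard right after the new `if` makes the failure explicit: `if len(kid) == 0 { return nil, errors.Errorf("no signing key entered and no local default signing key is configured") }`. The default this branch returns is the fixed, publicly known ES256 key that `NewConfig` now ships (see the config.go hunk in this same change), so every token minted through it is forgeable by anyone with the repository; it would be worth writing a one-line warning to the console when this path is taken, and the prompt text could say "local development default" rather than "local default" to make the intent unmistakable. The body of getSigningKey continues past the end of this hunk.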
@@ -49,25 +46,6 @@ func (a *auth) generateAPIKeys() error {
 	} else if len(a.JwtSecret.Value) < 16 {
 		return errors.Errorf("Invalid config for auth.jwt_secret. Must be at least 16 characters")
 	}
-	// Generate default signing key (P-256 curve for ES256)
-	if len(a.SigningKeysPath) == 0 {
-		privateKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
-		if err != nil {
-			return errors.Errorf("failed to generate ECDSA key: %w", err)
-		}
-		a.SigningKeys = append(a.SigningKeys, JWK{
-			KeyType: "EC",
-			KeyID: uuid.New().String(),
-			Use: "sig",
-			KeyOps: []string{"sign", "verify"},
-			Algorithm: "ES256",
-			Extractable: cast.Ptr(true),
-			Curve: "P-256",
-			X: base64.RawURLEncoding.EncodeToString(privateKey.PublicKey.X.Bytes()),
-			Y: base64.RawURLEncoding.EncodeToString(privateKey.PublicKey.Y.Bytes()),
-			PrivateExponent: base64.RawURLEncoding.EncodeToString(privateKey.D.Bytes()),
-		})
-	}
 	// Generate anon key if not provided
 	if len(a.AnonKey.Value) == 0 {
 		signed, err := a.generateJWT("anon")
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 3c88e0340..8cf2e4a27 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -386,6 +386,18 @@ func NewConfig(editors ...ConfigEditor) config {
 			TestOTP: map[string]string{},
 		},
 		External: map[string]provider{},
+		SigningKeys: []JWK{{
+			KeyType: "EC",
+			KeyID: "b81269f1-21d8-4f2e-b719-c2240a840d90",
+			Use: "sig",
+			KeyOps: []string{"sign", "verify"},
+			Algorithm: "ES256",
+			Extractable: cast.Ptr(true),
+			Curve: "P-256",
+			X: "M5Sjqn5zwC9Kl1zVfUUGvv9boQjCGd45G8sdopBExB4",
+			Y: "P6IXMvA2WYXSHSOMTBH2jsw_9rrzGy89FjPf6oOsIxQ",
+			PrivateExponent: "dIhR8wywJlqlua4y_yMq2SLhlFXDZJBCvFrY1DCHyVU",
+		}},
 	},
 	Inbucket: inbucket{
 		Image: Images.Inbucket,
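Review bot: The `SigningKeys` default added to `NewConfig` embeds a complete ES256 private key in source (`PrivateExponent: "dIhR8w…"`), so every install now shares one well-known signing key and anyone with the repository can mint tokens that any stack still using this default will accept; the code removed from apikeys.go in this same change generated a fresh random key per project instead. That trade-off may well be intended for local development, but nothing in the hunk says so, and nothing stops the key from being used for a stack that is reachable from outside the developer's machine. At minimum, document it at the literal: `// Well-known local development signing key (ES256). Its private exponent is public, so tokens it signs are forgeable by anyone; never use it outside a local stack — set SigningKeysPath to supply real keys.` Consider also hoisting the literal into a package-level `defaultSigningKey` so the fixed key id `b81269f1-…` can be recognised and warned about wherever signing keys are loaded for a non-local target, and expect secret scanners to flag this line.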