I believe the source of the issues you described is some confusion around the fact that there can be more than one type of token being issued. In particular, when you configure an API in the APIs section and then proceed to configure it to use HS256 or RS256, what this API expects to receive is an access token issued in accordance with that configuration.
The client application will have to state during the authentication/authorization request that it wants to receive an access token for the API in question; it does this by means of the audience parameter, or by configuring a default audience that's associated with the identifier you configured for the API.
In addition to that, the client application can also receive an ID token, and that is what the JsonWebToken Signature Algorithm setting applies to. So technically, depending on the client, you can receive an ID token signed with RS256 alongside an access token meant for an API that uses HS256. Given that the ID token is only meant to be processed by the client application, this has no influence at the API level.
In conclusion, the client application will have different secrets than the ones used by APIs configured to use HS256, but that is irrelevant because what the client will send to the API is the access token, and that access token is issued according to the API configuration/secret (assuming the client application specified the appropriate
Further useful read: