diff --git a/config/config.go b/config/config.go
index ead1c4cc2..2fe623fc7 100644
--- a/config/config.go
+++ b/config/config.go
@@ -237,22 +237,10 @@ func (cfg *Config) GetAuthenticateKeyFetcher() (hpke.KeyFetcher, error) {
 	if err != nil {
 		return nil, err
 	}
-
-	// For hosted authenticate, we need to fetch the HPKE public key.
-	if urlutil.IsHostedAuthenticateDomain(authenticateURL.Hostname()) {
-		hpkeURL := authenticateURL.ResolveReference(&url.URL{
-			Path: urlutil.HPKEPublicKeyPath,
-		}).String()
-		return hpke.NewKeyFetcher(hpkeURL, transport), nil
-	}
-
-	// Otherwise we can use our own HPKE public key.
-	privKey, err := cfg.Options.GetHPKEPrivateKey()
-	if err != nil {
-		return nil, err
-	}
-	pubKey := privKey.PublicKey()
-	return hpke.NewStubKeyFetcher(pubKey), nil
+	hpkeURL := authenticateURL.ResolveReference(&url.URL{
+		Path: urlutil.HPKEPublicKeyPath,
+	}).String()
+	return hpke.NewKeyFetcher(hpkeURL, transport), nil
 }
 
 func (cfg *Config) resolveAuthenticateURL() (*url.URL, *http.Transport, error) {
diff --git a/pkg/hpke/stub.go b/pkg/hpke/stub.go
deleted file mode 100644
index a628584f1..000000000
--- a/pkg/hpke/stub.go
+++ /dev/null
@@ -1,18 +0,0 @@
-package hpke
-
-import (
-	"context"
-)
-
-type stubFetcher struct {
-	key *PublicKey
-}
-
-func (f stubFetcher) FetchPublicKey(_ context.Context) (*PublicKey, error) {
-	return f.key, nil
-}
-
-// NewStubKeyFetcher returns a new KeyFetcher which returns a fixed key.
-func NewStubKeyFetcher(key *PublicKey) KeyFetcher {
-	return stubFetcher{key}
-}
diff --git a/pkg/hpke/stub_test.go b/pkg/hpke/stub_test.go
deleted file mode 100644
index 1d8dc4f6b..000000000
--- a/pkg/hpke/stub_test.go
+++ /dev/null
@@ -1,26 +0,0 @@
-package hpke_test
-
-import (
-	"context"
-	"testing"
-
-	"github.com/stretchr/testify/assert"
-	"github.com/stretchr/testify/require"
-
-	"github.com/pomerium/pomerium/pkg/hpke"
-)
-
-func TestStubFetcher(t *testing.T) {
-	t.Parallel()
-
-	hpkePrivateKey, err := hpke.GeneratePrivateKey()
-	require.NoError(t, err)
-
-	expected := hpkePrivateKey.PublicKey()
-
-	f := hpke.NewStubKeyFetcher(expected)
-
-	actual, err := f.FetchPublicKey(context.Background())
-	require.NoError(t, err)
-	assert.Equal(t, expected.String(), actual.String())
-}