Oh yes @gmagnusson good point - we don’t have this documented anywhere yet.
The way I do it is I put the two key files (public.key and private.key) into a keys directory outside the container, and then bind-mount it into /opt/drupal/keys inside the container as a volume.
The simple_oauth module’s README.md suggests creating the keys using the following commands:
openssl genrsa -out private.key 2048
openssl rsa -in private.key -pubout > public.key