> It seems to me that if my private and public key are compromised (which i use to sign and verify JWTs), that anyone can independently generate JWT tokens for themselves to use on my API?
As also pointed out, you need to keep your private key secure. The best way to keep it secure is to use an HSM for signing your data; in this case you can extend the JWT generator to sign the data through a crypto DLL inside the HSM, which ensures that the private key is never exposed outside the HSM.
> It seems to me that if my private and public key are compromised (which i use to sign and verify JWTs), that anyone can independently generate JWT tokens for themselves to use on my API?
Yes, that's correct.
----
Public keys are intended to be _public_ and can be distributed.
On the other hand, private keys are supposed to be _private_ and must be kept _secure_ on your server. Anyone who has access to the private key is capable of issuing tokens.
Disclosing your private key is a huge security breach.
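What both answers describe, played out end to end, as an added example that is not from either answer: a minimal RS256 JWT signer and verifier built on Go's standard library, with `rsa.GenerateKey` standing in for the API's real signing key. An attacker who has the leaked private key mints an `admin` token that the API's own verifier accepts; an attacker who only has the public key (or a key of their own) cannot. The claim names, the 2048-bit key size, and the verifier's decision to pin `alg` to RS256 instead of trusting the token header are choices made for this example, not something the answers state.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// JWTs use unpadded base64url (RFC 7515, section 2).
var b64 = base64.RawURLEncoding

// SignRS256 builds a compact JWS over claims with RS256 (RSASSA-PKCS1-v1_5
// over SHA-256). Anyone holding priv can call this; nothing else is needed.
func SignRS256(priv *rsa.PrivateKey, claims map[string]interface{}) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(claims)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(header) + "." + b64.EncodeToString(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// VerifyRS256 checks token against pub and returns its claims. The expected
// algorithm is pinned here (an assumption of this example) rather than read
// from the token, so a token cannot choose how it gets verified.
func VerifyRS256(pub *rsa.PublicKey, token string) (map[string]interface{}, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	headerJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return nil, err
	}
	var header struct{ Alg string `json:"alg"` }
	if err := json.Unmarshal(headerJSON, &header); err != nil {
		return nil, err
	}
	if header.Alg != "RS256" {
		return nil, fmt.Errorf("unexpected alg %q", header.Alg)
	}
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return nil, errors.New("signature does not verify")
	}
	payloadJSON, err := b64.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var claims map[string]interface{}
	if err := json.Unmarshal(payloadJSON, &claims); err != nil {
		return nil, err
	}
	return claims, nil
}

// newKey generates a fresh 2048-bit RSA key (stand-in for the API's real key).
func newKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err) // only fails if the system entropy source does
	}
	return k
}

// ForgeryDemo plays out the question: it returns whether the API's verifier
// accepts (1) a token signed with the leaked API private key and (2) a token
// signed with a key the attacker generated themselves.
func ForgeryDemo() (bool, bool, error) {
	apiKey, attackerKey := newKey(), newKey()
	claims := map[string]interface{}{"sub": "admin", "role": "admin"}
	// Attacker holding the leaked private key: the token is indistinguishable
	// from one the API issued itself.
	forged, err := SignRS256(apiKey, claims)
	if err != nil {
		return false, false, err
	}
	_, errForged := VerifyRS256(&apiKey.PublicKey, forged)
	// Attacker with only their own key: the public key lets anyone verify,
	// never sign, so this signature does not match the API's public key.
	foreign, err := SignRS256(attackerKey, claims)
	if err != nil {
		return false, false, err
	}
	_, errForeign := VerifyRS256(&apiKey.PublicKey, foreign)
	return errForged == nil, errForeign == nil, nil
}
```

The first answer's HSM approach changes exactly one line of this picture: the `rsa.SignPKCS1v15` call inside `SignRS256` is replaced by a call into the HSM's crypto module, so the server process never holds the private key material that the attacker in `ForgeryDemo` is assumed to have obtained. The verifier and the public key distribution stay the same.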